pony | cb971daad25ad430dd577b291694f096bb0b1a98cfc0482993ec30b69aa089df

Analysis

max time kernel
166s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
06/01/2024, 10:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

45bfc0de3c78454b8c80623b7de965b0.exe
Size

1.8MB
MD5

45bfc0de3c78454b8c80623b7de965b0
SHA1

e71476d4d3bff61d46c3999753d8e943c49d93d9
SHA256

cb971daad25ad430dd577b291694f096bb0b1a98cfc0482993ec30b69aa089df
SHA512

2d55abc2fef301061152da11be3ca05f2903c437db8fe023516a1e09242bb2aa4e9c13ca03337187a327727ea4fc1f1f8c7faaca8ed27248ff88a89eefff1b71
SSDEEP

24576:4kT+jH6bug8HIlszpJ0IeKVPJxqUdMKBcTGg58SQwZ0BVqO2kDrICz7ZW:4kT+WKriyGvK91WKBc6g+xBVXXrIkW

Score

10^/10

pony discovery persistence rat spyware stealer upx

Malware Config

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Executes dropped EXE 64 IoCs

pid	Process
1308	svhostu.exe
3992	svhostu.exe
4920	bH6dWK7fR9TqUeI.exe
3400	GcS2ibD3pGaHdKf.exe
4312	hS1ibD3pn4Q6W7R.exe
4664	mS1ibD3on4Q6W7R.exe
3428	RpmG5aQJ6E8R9Yw.exe
4628	DA1uvD2on4m5W7.exe
5064	UxA1uvD2oFpHsJd.exe
4376	KEXwUVelOtPySiD.exe
2140	XfEL9gZqjCkVzNx.exe
4804	svhostu.exe
3584	RrlONtxP0c2b3n5.exe
4252	svhostu.exe
1076	svhostu.exe
1580	oycA1uvD2n4m5W7.exe
2156	svhostu.exe
492	svhostu.exe
228	cF4pH5sQJdLgZhC.exe
2076	svhostu.exe
3112	svhostu.exe
832	NcA1uvD2oFpHsJ.exe
1920	svhostu.exe
1640	svhostu.exe
520	pCwkrzONtAuSiFp.exe
3588	svhostu.exe
1772	svhostu.exe
5064	DA0ucS2ib3n5Qd.exe
1056	svhostu.exe
5036	svhostu.exe
1708	QF3pmG5aQ6E8RhX.exe
1936	svhostu.exe
4784	svhostu.exe
4716	TS2obF3pm5Q6.exe
2556	svhostu.exe
3940	svhostu.exe
2560	RonG4amH6W7E9Tq.exe
4992	svhostu.exe
2412	svhostu.exe
4572	JcA1ivD2oFaH.exe
3492	svhostu.exe
2876	svhostu.exe
1216	yqjYCekIVzN.exe
2712	svhostu.exe
4984	svhostu.exe
3292	xxA1uvS2oFpGsJd.exe
5064	svhostu.exe
2328	svhostu.exe
5052	c3pnGaH6dKfLhXj.exe
3096	svhostu.exe
2492	ZzONxA0uSoFp.exe
2564	svhostu.exe
2740	A5QJ7dEK8RqYwUr.exe
2704	svhostu.exe
4756	fsWJ7fEL9TqYeIz.exe
4340	svhostu.exe
4800	mUCelIBtzN.exe
184	svhostu.exe
916	pELTZqhCkVlNx0c.exe
1256	svhostu.exe
4540	VYCwkIVrO.exe
1380	svhostu.exe
732	j0uS2bD3pGaHdKf.exe
4384	svhostu.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 48 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2204-0-0x0000000000400000-0x00000000008AE000-memory.dmp	upx
behavioral2/memory/2204-1-0x0000000000400000-0x00000000008AE000-memory.dmp	upx
behavioral2/memory/2204-4-0x0000000000400000-0x00000000008AE000-memory.dmp	upx
behavioral2/files/0x000400000001e7e3-19.dat	upx
behavioral2/memory/2204-21-0x0000000000400000-0x00000000008AE000-memory.dmp	upx
behavioral2/memory/4920-26-0x0000000000400000-0x00000000008AE000-memory.dmp	upx
behavioral2/memory/3400-28-0x0000000000400000-0x00000000008AE000-memory.dmp	upx
behavioral2/memory/3400-32-0x0000000000400000-0x00000000008AE000-memory.dmp	upx
behavioral2/memory/4664-40-0x0000000000400000-0x00000000008AE000-memory.dmp	upx
behavioral2/memory/4312-39-0x0000000000400000-0x00000000008AE000-memory.dmp	upx
behavioral2/memory/4664-45-0x0000000000400000-0x00000000008AE000-memory.dmp	upx
behavioral2/memory/3428-50-0x0000000000400000-0x00000000008AE000-memory.dmp	upx
behavioral2/files/0x000200000001e801-49.dat	upx
behavioral2/memory/4628-52-0x0000000000400000-0x00000000008AE000-memory.dmp	upx
behavioral2/memory/4628-56-0x0000000000400000-0x00000000008AE000-memory.dmp	upx
behavioral2/memory/5064-58-0x0000000000400000-0x00000000008AE000-memory.dmp	upx
behavioral2/memory/5064-66-0x0000000000400000-0x00000000008AE000-memory.dmp	upx
behavioral2/memory/4376-68-0x0000000000400000-0x00000000008AE000-memory.dmp	upx
behavioral2/memory/4376-72-0x0000000000400000-0x00000000008AE000-memory.dmp	upx
behavioral2/memory/2140-85-0x0000000000400000-0x00000000008AE000-memory.dmp	upx
behavioral2/memory/3584-87-0x0000000000400000-0x00000000008AE000-memory.dmp	upx
behavioral2/memory/3584-103-0x0000000000400000-0x00000000008AE000-memory.dmp	upx
behavioral2/memory/1580-125-0x0000000000400000-0x00000000008AE000-memory.dmp	upx
behavioral2/memory/832-145-0x0000000000400000-0x00000000008AE000-memory.dmp	upx
behavioral2/memory/228-143-0x0000000000400000-0x00000000008AE000-memory.dmp	upx
behavioral2/memory/832-165-0x0000000000400000-0x00000000008AE000-memory.dmp	upx
behavioral2/memory/520-185-0x0000000000400000-0x00000000008AE000-memory.dmp	upx
behavioral2/memory/1708-205-0x0000000000400000-0x00000000008AE000-memory.dmp	upx
behavioral2/memory/5064-203-0x0000000000400000-0x00000000008AE000-memory.dmp	upx
behavioral2/memory/1708-224-0x0000000000400000-0x00000000008AE000-memory.dmp	upx
behavioral2/memory/4716-225-0x0000000000400000-0x00000000008AE000-memory.dmp	upx
behavioral2/memory/4716-238-0x0000000000400000-0x00000000008AE000-memory.dmp	upx
behavioral2/memory/2560-239-0x0000000000400000-0x00000000008AE000-memory.dmp	upx
behavioral2/memory/2560-252-0x0000000000400000-0x00000000008AE000-memory.dmp	upx
behavioral2/memory/4572-253-0x0000000000400000-0x00000000008AE000-memory.dmp	upx
behavioral2/memory/4572-265-0x0000000000400000-0x00000000008AE000-memory.dmp	upx
behavioral2/memory/1216-266-0x0000000000400000-0x00000000008AE000-memory.dmp	upx
behavioral2/memory/1216-279-0x0000000000400000-0x00000000008AE000-memory.dmp	upx
behavioral2/memory/3292-289-0x0000000000400000-0x00000000008AE000-memory.dmp	upx
behavioral2/memory/5052-291-0x0000000000400000-0x00000000008AE000-memory.dmp	upx
behavioral2/memory/5052-301-0x0000000000400000-0x00000000008AE000-memory.dmp	upx
behavioral2/memory/2492-306-0x0000000000400000-0x00000000008AE000-memory.dmp	upx
behavioral2/memory/2740-317-0x0000000000400000-0x00000000008AE000-memory.dmp	upx
behavioral2/memory/4756-319-0x0000000000400000-0x00000000008AE000-memory.dmp	upx
behavioral2/memory/4756-327-0x0000000000400000-0x00000000008AE000-memory.dmp	upx
behavioral2/memory/4800-337-0x0000000000400000-0x00000000008AE000-memory.dmp	upx
behavioral2/memory/916-338-0x0000000000400000-0x00000000008AE000-memory.dmp	upx
behavioral2/memory/916-348-0x0000000000400000-0x00000000008AE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 59 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\REL8gTZqhCk8234A = "C:\\Windows\\system32\\DA1uvD2on4m5W7.exe"	RpmG5aQJ6E8R9Yw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PfEL8gTZqYwIrO8234A = "C:\\Windows\\system32\\mUCelIBtzN.exe"	fsWJ7fEL9TqYeIz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\thYXwkUVeO = "C:\\Users\\Admin\\AppData\\Roaming\\svhostu.exe"	mUCelIBtzN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YH6dWK7fR9TqUeI = "C:\\Users\\Admin\\AppData\\Roaming\\svhostu.exe"	Z8gRZ9hYXkVlBx0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rhYXwjUVeOtPySi = "C:\\Users\\Admin\\AppData\\Roaming\\svhostu.exe"	xxA1uvS2oFpGsJd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WRL9hTXwjClBzNc = "C:\\Users\\Admin\\AppData\\Roaming\\svhostu.exe"	c3pnGaH6dKfLhXj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pcA1ivD3oFaHsJf8234A = "C:\\Windows\\system32\\pELTZqhCkVlNx0c.exe"	mUCelIBtzN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CrzONyxA1v2b4m8234A = "C:\\Windows\\system32\\pXqjYCekI.exe"	Z8gRZ9hYXkVlBx0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\OkIBrzPNyA8234A = "C:\\Windows\\system32\\mS1ibD3on4Q6W7R.exe"	hS1ibD3pn4Q6W7R.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\txA0uvS2oFpGsJd8234A = "C:\\Windows\\system32\\yqjYCekIVzN.exe"	JcA1ivD2oFaH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WGaQH6dW8R9T = "C:\\Users\\Admin\\AppData\\Roaming\\svhostu.exe"	JcA1ivD2oFaH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qTZqjYCekVzNx0v = "C:\\Users\\Admin\\AppData\\Roaming\\svhostu.exe"	yqjYCekIVzN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HWJ7fEL8gZjCkVz8234A = "C:\\Windows\\system32\\ztzPNycA1v2n4m5.exe"	TCekIVrzOyAuSoF.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NLgTZqjYCkVzNx0 = "C:\\Users\\Admin\\AppData\\Roaming\\svhostu.exe"	45bfc0de3c78454b8c80623b7de965b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qUVelOBtz0c1v3n8234A = "C:\\Windows\\system32\\RpmG5aQJ6E8R9Yw.exe"	mS1ibD3on4Q6W7R.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\U0uvS2obFpGsJdK8234A = "C:\\Windows\\system32\\XfEL9gZqjCkVzNx.exe"	KEXwUVelOtPySiD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\P1uvD2onFpHsJdL = "C:\\Users\\Admin\\AppData\\Roaming\\svhostu.exe"	j0uS2bD3pGaHdKf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aEK8gRZ9hXkVlBx8234A = "C:\\Windows\\system32\\TS2obF3pm5Q6.exe"	QF3pmG5aQ6E8RhX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LP0ycS1ib3n4Q6 = "C:\\Users\\Admin\\AppData\\Roaming\\svhostu.exe"	A5QJ7dEK8RqYwUr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EzPNyxA1uDoFp = "C:\\Users\\Admin\\AppData\\Roaming\\svhostu.exe"	pXqjYCekI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\O1uvS2obFpGsJ = "C:\\Users\\Admin\\AppData\\Roaming\\svhostu.exe"	NcA1uvD2oFpHsJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LK8fRZ9hTwU8234A = "C:\\Windows\\system32\\DA0ucS2ib3n5Qd.exe"	pCwkrzONtAuSiFp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UEL8gTZqhCk = "C:\\Users\\Admin\\AppData\\Roaming\\svhostu.exe"	TS2obF3pm5Q6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qNyxA0uvSoFpGsJ8234A = "C:\\Windows\\system32\\fsWJ7fEL9TqYeIz.exe"	A5QJ7dEK8RqYwUr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qtxAuvS2b3m5Q6E8234A = "C:\\Windows\\system32\\VYCwkIVrO.exe"	pELTZqhCkVlNx0c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qYCekIBrzNx1v2b8234A = "C:\\Windows\\system32\\RonG4amH6W7E9Tq.exe"	TS2obF3pm5Q6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CNycA1uvDoFpHsJ = "C:\\Users\\Admin\\AppData\\Roaming\\svhostu.exe"	ZzONxA0uSoFp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sL9hTXwjUeItPyA8234A = "C:\\Windows\\system32\\GcS2ibD3pGaHdKf.exe"	bH6dWK7fR9TqUeI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qQH6dWK8fLhXjCl8234A = "C:\\Windows\\system32\\RrlONtxP0c2b3n5.exe"	XfEL9gZqjCkVzNx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CZqjYCwkIrOtAuS = "C:\\Users\\Admin\\AppData\\Roaming\\svhostu.exe"	XfEL9gZqjCkVzNx.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PEKgRZhYXkVlBxy = "C:\\Users\\Admin\\AppData\\Roaming\\svhostu.exe"	pCwkrzONtAuSiFp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lzONyx1uS = "C:\\Users\\Admin\\AppData\\Roaming\\svhostu.exe"	RonG4amH6W7E9Tq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bOBtxP0uc1b3n4Q8234A = "C:\\Windows\\system32\\A5QJ7dEK8RqYwUr.exe"	ZzONxA0uSoFp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eibD3pnG4Q68234A = "C:\\Windows\\system32\\shYXwkUVrOtPuS.exe"	j0uS2bD3pGaHdKf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JK8RZqhYXkVlBPu8234A = "C:\\Windows\\system32\\xxA1uvS2oFpGsJd.exe"	yqjYCekIVzN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tL8gRZqhYwUrOtP8234A = "C:\\Windows\\system32\\UxA1uvD2oFpHsJd.exe"	DA1uvD2on4m5W7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GdEL8gTZqY8234A = "C:\\Windows\\system32\\NcA1uvD2oFpHsJ.exe"	cF4pH5sQJdLgZhC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JWK7fRL9gjCIzNx = "C:\\Users\\Admin\\AppData\\Roaming\\svhostu.exe"	QF3pmG5aQ6E8RhX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PIBtzPNyc1v2n4m8234A = "C:\\Windows\\system32\\c3pnGaH6dKfLhXj.exe"	xxA1uvS2oFpGsJd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\okUVrlONtPuSiDp8234A = "C:\\Windows\\system32\\cF4pH5sQJdLgZhC.exe"	oycA1uvD2n4m5W7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\csWJ7fEL8TqYwIr8234A = "C:\\Windows\\system32\\JcA1ivD2oFaH.exe"	RonG4amH6W7E9Tq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rYCekIBrzNx1v2b = "C:\\Users\\Admin\\AppData\\Roaming\\svhostu.exe"	pELTZqhCkVlNx0c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kmG5sQJ6dKgZhXk8234A = "C:\\Windows\\system32\\TCekIVrzOyAuSoF.exe"	pXqjYCekI.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HNycA1uvDoFpHsJ8234A = "C:\\Windows\\system32\\bH6dWK7fR9TqUeI.exe"	45bfc0de3c78454b8c80623b7de965b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\djUVelOBtPySiDo8234A = "C:\\Windows\\system32\\QF3pmG5aQ6E8RhX.exe"	DA0ucS2ib3n5Qd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kWK8fRL9hXjClBz = "C:\\Users\\Admin\\AppData\\Roaming\\svhostu.exe"	shYXwkUVrOtPuS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TEL8gTZqhCkVlNx8234A = "C:\\Windows\\system32\\oycA1uvD2n4m5W7.exe"	RrlONtxP0c2b3n5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\utxA0uvS2bp5Q6E = "C:\\Users\\Admin\\AppData\\Roaming\\svhostu.exe"	oycA1uvD2n4m5W7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LPycA1i3n4m6W7E = "C:\\Users\\Admin\\AppData\\Roaming\\svhostu.exe"	cF4pH5sQJdLgZhC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sG5aQJ6dE8R9Yw8234A = "C:\\Windows\\system32\\pCwkrzONtAuSiFp.exe"	NcA1uvD2oFpHsJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\rvS2ibF3p = "C:\\Users\\Admin\\AppData\\Roaming\\svhostu.exe"	VYCwkIVrO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pelIBrzPNc1v2n48234A = "C:\\Windows\\system32\\hS1ibD3pn4Q6W7R.exe"	GcS2ibD3pGaHdKf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JItP0cA1i = "C:\\Users\\Admin\\AppData\\Roaming\\svhostu.exe"	RrlONtxP0c2b3n5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tG5sQJ6dE8R9YkV8234A = "C:\\Windows\\system32\\ZzONxA0uSoFp.exe"	c3pnGaH6dKfLhXj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwjUVelOBz0c1v3 = "C:\\Users\\Admin\\AppData\\Roaming\\svhostu.exe"	fsWJ7fEL9TqYeIz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wonG4amH6W7E9Tq8234A = "C:\\Windows\\system32\\KEXwUVelOtPySiD.exe"	UxA1uvD2oFpHsJd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WZhYXwkUVlB0c1b = "C:\\Users\\Admin\\AppData\\Roaming\\svhostu.exe"	DA0ucS2ib3n5Qd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ltzPNycA18234A = "C:\\Windows\\system32\\j0uS2bD3pGaHdKf.exe"	VYCwkIVrO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jcS1ibD3oGaHsKf8234A = "C:\\Windows\\system32\\Z8gRZ9hYXkVlBx0.exe"	shYXwkUVrOtPuS.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 34 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xxA1uvS2oFpGsJd.exe	yqjYCekIVzN.exe
File created	C:\Windows\SysWOW64\shYXwkUVrOtPuS.exe	j0uS2bD3pGaHdKf.exe
File created	C:\Windows\SysWOW64\pXqjYCekI.exe	Z8gRZ9hYXkVlBx0.exe
File created	C:\Windows\SysWOW64\TCekIVrzOyAuSoF.exe	pXqjYCekI.exe
File created	C:\Windows\SysWOW64\UxA1uvD2oFpHsJd.exe	DA1uvD2on4m5W7.exe
File created	C:\Windows\SysWOW64\XfEL9gZqjCkVzNx.exe	KEXwUVelOtPySiD.exe
File created	C:\Windows\SysWOW64\yqjYCekIVzN.exe	JcA1ivD2oFaH.exe
File created	C:\Windows\SysWOW64\cF4pH5sQJdLgZhC.exe	oycA1uvD2n4m5W7.exe
File created	C:\Windows\SysWOW64\RonG4amH6W7E9Tq.exe	TS2obF3pm5Q6.exe
File created	C:\Windows\SysWOW64\JcA1ivD2oFaH.exe	RonG4amH6W7E9Tq.exe
File created	C:\Windows\SysWOW64\fsWJ7fEL9TqYeIz.exe	A5QJ7dEK8RqYwUr.exe
File created	C:\Windows\SysWOW64\QF3pmG5aQ6E8RhX.exe	DA0ucS2ib3n5Qd.exe
File created	C:\Windows\SysWOW64\c3pnGaH6dKfLhXj.exe	xxA1uvS2oFpGsJd.exe
File created	C:\Windows\SysWOW64\ZzONxA0uSoFp.exe	c3pnGaH6dKfLhXj.exe
File created	C:\Windows\SysWOW64\ztzPNycA1v2n4m5.exe	TCekIVrzOyAuSoF.exe
File created	C:\Windows\SysWOW64\KEXwUVelOtPySiD.exe	UxA1uvD2oFpHsJd.exe
File created	C:\Windows\SysWOW64\RrlONtxP0c2b3n5.exe	XfEL9gZqjCkVzNx.exe
File created	C:\Windows\SysWOW64\A5QJ7dEK8RqYwUr.exe	ZzONxA0uSoFp.exe
File created	C:\Windows\SysWOW64\RpmG5aQJ6E8R9Yw.exe	mS1ibD3on4Q6W7R.exe
File created	C:\Windows\SysWOW64\oycA1uvD2n4m5W7.exe	RrlONtxP0c2b3n5.exe
File created	C:\Windows\SysWOW64\NcA1uvD2oFpHsJ.exe	cF4pH5sQJdLgZhC.exe
File created	C:\Windows\SysWOW64\DA0ucS2ib3n5Qd.exe	pCwkrzONtAuSiFp.exe
File created	C:\Windows\SysWOW64\TS2obF3pm5Q6.exe	QF3pmG5aQ6E8RhX.exe
File created	C:\Windows\SysWOW64\GcS2ibD3pGaHdKf.exe	bH6dWK7fR9TqUeI.exe
File created	C:\Windows\SysWOW64\hS1ibD3pn4Q6W7R.exe	GcS2ibD3pGaHdKf.exe
File created	C:\Windows\SysWOW64\mS1ibD3on4Q6W7R.exe	hS1ibD3pn4Q6W7R.exe
File created	C:\Windows\SysWOW64\pELTZqhCkVlNx0c.exe	mUCelIBtzN.exe
File created	C:\Windows\SysWOW64\j0uS2bD3pGaHdKf.exe	VYCwkIVrO.exe
File created	C:\Windows\SysWOW64\mUCelIBtzN.exe	fsWJ7fEL9TqYeIz.exe
File created	C:\Windows\SysWOW64\VYCwkIVrO.exe	pELTZqhCkVlNx0c.exe
File created	C:\Windows\SysWOW64\Z8gRZ9hYXkVlBx0.exe	shYXwkUVrOtPuS.exe
File created	C:\Windows\SysWOW64\bH6dWK7fR9TqUeI.exe	45bfc0de3c78454b8c80623b7de965b0.exe
File created	C:\Windows\SysWOW64\DA1uvD2on4m5W7.exe	RpmG5aQJ6E8R9Yw.exe
File created	C:\Windows\SysWOW64\pCwkrzONtAuSiFp.exe	NcA1uvD2oFpHsJ.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3212	5064	WerFault.exe	151
2844	5064	WerFault.exe	151

Suspicious use of SetWindowsHookEx 34 IoCs

pid	Process
2204	45bfc0de3c78454b8c80623b7de965b0.exe
4920	bH6dWK7fR9TqUeI.exe
3400	GcS2ibD3pGaHdKf.exe
4312	hS1ibD3pn4Q6W7R.exe
4664	mS1ibD3on4Q6W7R.exe
3428	RpmG5aQJ6E8R9Yw.exe
4628	DA1uvD2on4m5W7.exe
5064	UxA1uvD2oFpHsJd.exe
4376	KEXwUVelOtPySiD.exe
2140	XfEL9gZqjCkVzNx.exe
3584	RrlONtxP0c2b3n5.exe
1580	oycA1uvD2n4m5W7.exe
228	cF4pH5sQJdLgZhC.exe
832	NcA1uvD2oFpHsJ.exe
520	pCwkrzONtAuSiFp.exe
5064	DA0ucS2ib3n5Qd.exe
1708	QF3pmG5aQ6E8RhX.exe
4716	TS2obF3pm5Q6.exe
2560	RonG4amH6W7E9Tq.exe
4572	JcA1ivD2oFaH.exe
1216	yqjYCekIVzN.exe
3292	xxA1uvS2oFpGsJd.exe
5052	c3pnGaH6dKfLhXj.exe
2492	ZzONxA0uSoFp.exe
2740	A5QJ7dEK8RqYwUr.exe
4756	fsWJ7fEL9TqYeIz.exe
4800	mUCelIBtzN.exe
916	pELTZqhCkVlNx0c.exe
4540	VYCwkIVrO.exe
732	j0uS2bD3pGaHdKf.exe
2740	shYXwkUVrOtPuS.exe
3536	Z8gRZ9hYXkVlBx0.exe
2220	pXqjYCekI.exe
1308	TCekIVrzOyAuSoF.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 1308	2204	45bfc0de3c78454b8c80623b7de965b0.exe	95
PID 2204 wrote to memory of 1308	2204	45bfc0de3c78454b8c80623b7de965b0.exe	95
PID 2204 wrote to memory of 1308	2204	45bfc0de3c78454b8c80623b7de965b0.exe	95
PID 2204 wrote to memory of 3992	2204	45bfc0de3c78454b8c80623b7de965b0.exe	97
PID 2204 wrote to memory of 3992	2204	45bfc0de3c78454b8c80623b7de965b0.exe	97
PID 2204 wrote to memory of 3992	2204	45bfc0de3c78454b8c80623b7de965b0.exe	97
PID 2204 wrote to memory of 4920	2204	45bfc0de3c78454b8c80623b7de965b0.exe	98
PID 2204 wrote to memory of 4920	2204	45bfc0de3c78454b8c80623b7de965b0.exe	98
PID 2204 wrote to memory of 4920	2204	45bfc0de3c78454b8c80623b7de965b0.exe	98
PID 4920 wrote to memory of 3400	4920	bH6dWK7fR9TqUeI.exe	99
PID 4920 wrote to memory of 3400	4920	bH6dWK7fR9TqUeI.exe	99
PID 4920 wrote to memory of 3400	4920	bH6dWK7fR9TqUeI.exe	99
PID 3400 wrote to memory of 4312	3400	GcS2ibD3pGaHdKf.exe	100
PID 3400 wrote to memory of 4312	3400	GcS2ibD3pGaHdKf.exe	100
PID 3400 wrote to memory of 4312	3400	GcS2ibD3pGaHdKf.exe	100
PID 4312 wrote to memory of 4664	4312	hS1ibD3pn4Q6W7R.exe	101
PID 4312 wrote to memory of 4664	4312	hS1ibD3pn4Q6W7R.exe	101
PID 4312 wrote to memory of 4664	4312	hS1ibD3pn4Q6W7R.exe	101
PID 4664 wrote to memory of 3428	4664	mS1ibD3on4Q6W7R.exe	103
PID 4664 wrote to memory of 3428	4664	mS1ibD3on4Q6W7R.exe	103
PID 4664 wrote to memory of 3428	4664	mS1ibD3on4Q6W7R.exe	103
PID 3428 wrote to memory of 4628	3428	RpmG5aQJ6E8R9Yw.exe	104
PID 3428 wrote to memory of 4628	3428	RpmG5aQJ6E8R9Yw.exe	104
PID 3428 wrote to memory of 4628	3428	RpmG5aQJ6E8R9Yw.exe	104
PID 4628 wrote to memory of 5064	4628	DA1uvD2on4m5W7.exe	105
PID 4628 wrote to memory of 5064	4628	DA1uvD2on4m5W7.exe	105
PID 4628 wrote to memory of 5064	4628	DA1uvD2on4m5W7.exe	105
PID 5064 wrote to memory of 4376	5064	UxA1uvD2oFpHsJd.exe	106
PID 5064 wrote to memory of 4376	5064	UxA1uvD2oFpHsJd.exe	106
PID 5064 wrote to memory of 4376	5064	UxA1uvD2oFpHsJd.exe	106
PID 4376 wrote to memory of 2140	4376	KEXwUVelOtPySiD.exe	107
PID 4376 wrote to memory of 2140	4376	KEXwUVelOtPySiD.exe	107
PID 4376 wrote to memory of 2140	4376	KEXwUVelOtPySiD.exe	107
PID 2140 wrote to memory of 4804	2140	XfEL9gZqjCkVzNx.exe	108
PID 2140 wrote to memory of 4804	2140	XfEL9gZqjCkVzNx.exe	108
PID 2140 wrote to memory of 4804	2140	XfEL9gZqjCkVzNx.exe	108
PID 2140 wrote to memory of 3584	2140	XfEL9gZqjCkVzNx.exe	109
PID 2140 wrote to memory of 3584	2140	XfEL9gZqjCkVzNx.exe	109
PID 2140 wrote to memory of 3584	2140	XfEL9gZqjCkVzNx.exe	109
PID 3584 wrote to memory of 4252	3584	RrlONtxP0c2b3n5.exe	110
PID 3584 wrote to memory of 4252	3584	RrlONtxP0c2b3n5.exe	110
PID 3584 wrote to memory of 4252	3584	RrlONtxP0c2b3n5.exe	110
PID 3584 wrote to memory of 1076	3584	RrlONtxP0c2b3n5.exe	111
PID 3584 wrote to memory of 1076	3584	RrlONtxP0c2b3n5.exe	111
PID 3584 wrote to memory of 1076	3584	RrlONtxP0c2b3n5.exe	111
PID 3584 wrote to memory of 1580	3584	RrlONtxP0c2b3n5.exe	112
PID 3584 wrote to memory of 1580	3584	RrlONtxP0c2b3n5.exe	112
PID 3584 wrote to memory of 1580	3584	RrlONtxP0c2b3n5.exe	112
PID 1580 wrote to memory of 2156	1580	oycA1uvD2n4m5W7.exe	113
PID 1580 wrote to memory of 2156	1580	oycA1uvD2n4m5W7.exe	113
PID 1580 wrote to memory of 2156	1580	oycA1uvD2n4m5W7.exe	113
PID 1580 wrote to memory of 492	1580	oycA1uvD2n4m5W7.exe	114
PID 1580 wrote to memory of 492	1580	oycA1uvD2n4m5W7.exe	114
PID 1580 wrote to memory of 492	1580	oycA1uvD2n4m5W7.exe	114
PID 1580 wrote to memory of 228	1580	oycA1uvD2n4m5W7.exe	115
PID 1580 wrote to memory of 228	1580	oycA1uvD2n4m5W7.exe	115
PID 1580 wrote to memory of 228	1580	oycA1uvD2n4m5W7.exe	115
PID 228 wrote to memory of 2076	228	cF4pH5sQJdLgZhC.exe	116
PID 228 wrote to memory of 2076	228	cF4pH5sQJdLgZhC.exe	116
PID 228 wrote to memory of 2076	228	cF4pH5sQJdLgZhC.exe	116
PID 228 wrote to memory of 3112	228	cF4pH5sQJdLgZhC.exe	117
PID 228 wrote to memory of 3112	228	cF4pH5sQJdLgZhC.exe	117
PID 228 wrote to memory of 3112	228	cF4pH5sQJdLgZhC.exe	117
PID 228 wrote to memory of 832	228	cF4pH5sQJdLgZhC.exe	118

C:\Users\Admin\AppData\Local\Temp\45bfc0de3c78454b8c80623b7de965b0.exe
"C:\Users\Admin\AppData\Local\Temp\45bfc0de3c78454b8c80623b7de965b0.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Temp\svhostu.exe
  "C:\Users\Admin\AppData\Local\Temp\svhostu.exe"
  2⤵
  - Executes dropped EXE
  PID:1308
- C:\Users\Admin\AppData\Roaming\svhostu.exe
  C:\Users\Admin\AppData\Roaming\svhostu.exe auto
  2⤵
  - Executes dropped EXE
  PID:3992
- C:\Windows\SysWOW64\bH6dWK7fR9TqUeI.exe
  C:\Windows\system32\bH6dWK7fR9TqUeI.exe 5985C:\Users\Admin\AppData\Local\Temp\45bfc0de3c78454b8c80623b7de965b0.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Windows\SysWOW64\GcS2ibD3pGaHdKf.exe
    C:\Windows\system32\GcS2ibD3pGaHdKf.exe 5985C:\Windows\SysWOW64\bH6dWK7fR9TqUeI.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3400
  - - C:\Windows\SysWOW64\hS1ibD3pn4Q6W7R.exe
      C:\Windows\system32\hS1ibD3pn4Q6W7R.exe 5985C:\Windows\SysWOW64\GcS2ibD3pGaHdKf.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4312
    - - C:\Windows\SysWOW64\mS1ibD3on4Q6W7R.exe
        
        C:\Windows\system32\mS1ibD3on4Q6W7R.exe 5985C:\Windows\SysWOW64\hS1ibD3pn4Q6W7R.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4664
      - C:\Windows\SysWOW64\RpmG5aQJ6E8R9Yw.exe
        
        C:\Windows\system32\RpmG5aQJ6E8R9Yw.exe 5985C:\Windows\SysWOW64\mS1ibD3on4Q6W7R.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3428
        
        C:\Windows\SysWOW64\DA1uvD2on4m5W7.exe
        
        C:\Windows\system32\DA1uvD2on4m5W7.exe 5985C:\Windows\SysWOW64\RpmG5aQJ6E8R9Yw.exe
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4628
        
        C:\Windows\SysWOW64\UxA1uvD2oFpHsJd.exe
        
        C:\Windows\system32\UxA1uvD2oFpHsJd.exe 5985C:\Windows\SysWOW64\DA1uvD2on4m5W7.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:5064
        
        C:\Windows\SysWOW64\KEXwUVelOtPySiD.exe
        
        C:\Windows\system32\KEXwUVelOtPySiD.exe 5985C:\Windows\SysWOW64\UxA1uvD2oFpHsJd.exe
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\SysWOW64\XfEL9gZqjCkVzNx.exe
        
        C:\Windows\system32\XfEL9gZqjCkVzNx.exe 5985C:\Windows\SysWOW64\KEXwUVelOtPySiD.exe
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Users\Admin\AppData\Roaming\svhostu.exe
        
        C:\Users\Admin\AppData\Roaming\svhostu.exe auto
        11⤵
        Executes dropped EXE
        
        PID:4804
        
        C:\Windows\SysWOW64\RrlONtxP0c2b3n5.exe
        
        C:\Windows\system32\RrlONtxP0c2b3n5.exe 5985C:\Windows\SysWOW64\XfEL9gZqjCkVzNx.exe
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\svhostu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhostu.exe"
        12⤵
        Executes dropped EXE
        
        PID:4252
        
        C:\Users\Admin\AppData\Roaming\svhostu.exe
        
        C:\Users\Admin\AppData\Roaming\svhostu.exe auto
        12⤵
        Executes dropped EXE
        
        PID:1076
        
        C:\Windows\SysWOW64\oycA1uvD2n4m5W7.exe
        
        C:\Windows\system32\oycA1uvD2n4m5W7.exe 5985C:\Windows\SysWOW64\RrlONtxP0c2b3n5.exe
        12⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\svhostu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhostu.exe"
        13⤵
        Executes dropped EXE
        
        PID:2156
        
        C:\Users\Admin\AppData\Roaming\svhostu.exe
        
        C:\Users\Admin\AppData\Roaming\svhostu.exe auto
        13⤵
        Executes dropped EXE
        
        PID:492
        
        C:\Windows\SysWOW64\cF4pH5sQJdLgZhC.exe
        
        C:\Windows\system32\cF4pH5sQJdLgZhC.exe 5985C:\Windows\SysWOW64\oycA1uvD2n4m5W7.exe
        13⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\svhostu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhostu.exe"
        14⤵
        Executes dropped EXE
        
        PID:2076
        
        C:\Users\Admin\AppData\Roaming\svhostu.exe
        
        C:\Users\Admin\AppData\Roaming\svhostu.exe auto
        14⤵
        Executes dropped EXE
        
        PID:3112
        
        C:\Windows\SysWOW64\NcA1uvD2oFpHsJ.exe
        
        C:\Windows\system32\NcA1uvD2oFpHsJ.exe 5985C:\Windows\SysWOW64\cF4pH5sQJdLgZhC.exe
        14⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\svhostu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhostu.exe"
        15⤵
        Executes dropped EXE
        
        PID:1920
        
        C:\Users\Admin\AppData\Roaming\svhostu.exe
        
        C:\Users\Admin\AppData\Roaming\svhostu.exe auto
        15⤵
        Executes dropped EXE
        
        PID:1640
        
        C:\Windows\SysWOW64\pCwkrzONtAuSiFp.exe
        
        C:\Windows\system32\pCwkrzONtAuSiFp.exe 5985C:\Windows\SysWOW64\NcA1uvD2oFpHsJ.exe
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:520
        
        C:\Users\Admin\AppData\Local\Temp\svhostu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhostu.exe"
        16⤵
        Executes dropped EXE
        
        PID:3588
        
        C:\Users\Admin\AppData\Roaming\svhostu.exe
        
        C:\Users\Admin\AppData\Roaming\svhostu.exe auto
        16⤵
        Executes dropped EXE
        
        PID:1772
        
        C:\Windows\SysWOW64\DA0ucS2ib3n5Qd.exe
        
        C:\Windows\system32\DA0ucS2ib3n5Qd.exe 5985C:\Windows\SysWOW64\pCwkrzONtAuSiFp.exe
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\svhostu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhostu.exe"
        17⤵
        Executes dropped EXE
        
        PID:1056
        
        C:\Users\Admin\AppData\Roaming\svhostu.exe
        
        C:\Users\Admin\AppData\Roaming\svhostu.exe auto
        17⤵
        Executes dropped EXE
        
        PID:5036
        
        C:\Windows\SysWOW64\QF3pmG5aQ6E8RhX.exe
        
        C:\Windows\system32\QF3pmG5aQ6E8RhX.exe 5985C:\Windows\SysWOW64\DA0ucS2ib3n5Qd.exe
        17⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\svhostu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhostu.exe"
        18⤵
        Executes dropped EXE
        
        PID:1936
        
        C:\Users\Admin\AppData\Roaming\svhostu.exe
        
        C:\Users\Admin\AppData\Roaming\svhostu.exe auto
        18⤵
        Executes dropped EXE
        
        PID:4784
        
        C:\Windows\SysWOW64\TS2obF3pm5Q6.exe
        
        C:\Windows\system32\TS2obF3pm5Q6.exe 5985C:\Windows\SysWOW64\QF3pmG5aQ6E8RhX.exe
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\svhostu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhostu.exe"
        19⤵
        Executes dropped EXE
        
        PID:2556
        
        C:\Users\Admin\AppData\Roaming\svhostu.exe
        
        C:\Users\Admin\AppData\Roaming\svhostu.exe auto
        19⤵
        Executes dropped EXE
        
        PID:3940
        
        C:\Windows\SysWOW64\RonG4amH6W7E9Tq.exe
        
        C:\Windows\system32\RonG4amH6W7E9Tq.exe 5985C:\Windows\SysWOW64\TS2obF3pm5Q6.exe
        19⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\svhostu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhostu.exe"
        20⤵
        Executes dropped EXE
        
        PID:4992
        
        C:\Users\Admin\AppData\Roaming\svhostu.exe
        
        C:\Users\Admin\AppData\Roaming\svhostu.exe auto
        20⤵
        Executes dropped EXE
        
        PID:2412
        
        C:\Windows\SysWOW64\JcA1ivD2oFaH.exe
        
        C:\Windows\system32\JcA1ivD2oFaH.exe 5985C:\Windows\SysWOW64\RonG4amH6W7E9Tq.exe
        20⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\svhostu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhostu.exe"
        21⤵
        Executes dropped EXE
        
        PID:3492
        
        C:\Users\Admin\AppData\Roaming\svhostu.exe
        
        C:\Users\Admin\AppData\Roaming\svhostu.exe auto
        21⤵
        Executes dropped EXE
        
        PID:2876
        
        C:\Windows\SysWOW64\yqjYCekIVzN.exe
        
        C:\Windows\system32\yqjYCekIVzN.exe 5985C:\Windows\SysWOW64\JcA1ivD2oFaH.exe
        21⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\svhostu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhostu.exe"
        22⤵
        Executes dropped EXE
        
        PID:2712
        
        C:\Users\Admin\AppData\Roaming\svhostu.exe
        
        C:\Users\Admin\AppData\Roaming\svhostu.exe auto
        22⤵
        Executes dropped EXE
        
        PID:4984
        
        C:\Windows\SysWOW64\xxA1uvS2oFpGsJd.exe
        
        C:\Windows\system32\xxA1uvS2oFpGsJd.exe 5985C:\Windows\SysWOW64\yqjYCekIVzN.exe
        22⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\svhostu.exe
        
        "C:\Users\Admin\AppData\Local\Temp\svhostu.exe"
        23⤵
        Executes dropped EXE
        
        PID:5064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 472
        24⤵
        Program crash
        
        PID:3212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 472
        24⤵
        Program crash
        
        PID:2844
        
        C:\Users\Admin\AppData\Roaming\svhostu.exe
        
        C:\Users\Admin\AppData\Roaming\svhostu.exe auto
        23⤵
        Executes dropped EXE
        
        PID:2328
        
        C:\Windows\SysWOW64\c3pnGaH6dKfLhXj.exe
        
        C:\Windows\system32\c3pnGaH6dKfLhXj.exe 5985C:\Windows\SysWOW64\xxA1uvS2oFpGsJd.exe
        23⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:5052
        
        C:\Users\Admin\AppData\Roaming\svhostu.exe
        
        C:\Users\Admin\AppData\Roaming\svhostu.exe auto
        24⤵
        Executes dropped EXE
        
        PID:3096
        
        C:\Windows\SysWOW64\ZzONxA0uSoFp.exe
        
        C:\Windows\system32\ZzONxA0uSoFp.exe 5985C:\Windows\SysWOW64\c3pnGaH6dKfLhXj.exe
        24⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2492
        
        C:\Users\Admin\AppData\Roaming\svhostu.exe
        
        C:\Users\Admin\AppData\Roaming\svhostu.exe auto
        25⤵
        Executes dropped EXE
        
        PID:2564
        
        C:\Windows\SysWOW64\A5QJ7dEK8RqYwUr.exe
        
        C:\Windows\system32\A5QJ7dEK8RqYwUr.exe 5985C:\Windows\SysWOW64\ZzONxA0uSoFp.exe
        25⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2740
        
        C:\Users\Admin\AppData\Roaming\svhostu.exe
        
        C:\Users\Admin\AppData\Roaming\svhostu.exe auto
        26⤵
        Executes dropped EXE
        
        PID:2704
        
        C:\Windows\SysWOW64\fsWJ7fEL9TqYeIz.exe
        
        C:\Windows\system32\fsWJ7fEL9TqYeIz.exe 5985C:\Windows\SysWOW64\A5QJ7dEK8RqYwUr.exe
        26⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4756
        
        C:\Users\Admin\AppData\Roaming\svhostu.exe
        
        C:\Users\Admin\AppData\Roaming\svhostu.exe auto
        27⤵
        Executes dropped EXE
        
        PID:4340
        
        C:\Windows\SysWOW64\mUCelIBtzN.exe
        
        C:\Windows\system32\mUCelIBtzN.exe 5985C:\Windows\SysWOW64\fsWJ7fEL9TqYeIz.exe
        27⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4800
        
        C:\Users\Admin\AppData\Roaming\svhostu.exe
        
        C:\Users\Admin\AppData\Roaming\svhostu.exe auto
        28⤵
        Executes dropped EXE
        
        PID:184
        
        C:\Windows\SysWOW64\pELTZqhCkVlNx0c.exe
        
        C:\Windows\system32\pELTZqhCkVlNx0c.exe 5985C:\Windows\SysWOW64\mUCelIBtzN.exe
        28⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:916
        
        C:\Users\Admin\AppData\Roaming\svhostu.exe
        
        C:\Users\Admin\AppData\Roaming\svhostu.exe auto
        29⤵
        Executes dropped EXE
        
        PID:1256
        
        C:\Windows\SysWOW64\VYCwkIVrO.exe
        
        C:\Windows\system32\VYCwkIVrO.exe 5985C:\Windows\SysWOW64\pELTZqhCkVlNx0c.exe
        29⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:4540
        
        C:\Users\Admin\AppData\Roaming\svhostu.exe
        
        C:\Users\Admin\AppData\Roaming\svhostu.exe auto
        30⤵
        Executes dropped EXE
        
        PID:1380
        
        C:\Windows\SysWOW64\j0uS2bD3pGaHdKf.exe
        
        C:\Windows\system32\j0uS2bD3pGaHdKf.exe 5985C:\Windows\SysWOW64\VYCwkIVrO.exe
        30⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:732
        
        C:\Users\Admin\AppData\Roaming\svhostu.exe
        
        C:\Users\Admin\AppData\Roaming\svhostu.exe auto
        31⤵
        Executes dropped EXE
        
        PID:4384
        
        C:\Windows\SysWOW64\shYXwkUVrOtPuS.exe
        
        C:\Windows\system32\shYXwkUVrOtPuS.exe 5985C:\Windows\SysWOW64\j0uS2bD3pGaHdKf.exe
        31⤵
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2740
        
        C:\Users\Admin\AppData\Roaming\svhostu.exe
        
        C:\Users\Admin\AppData\Roaming\svhostu.exe auto
        32⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\Z8gRZ9hYXkVlBx0.exe
        
        C:\Windows\system32\Z8gRZ9hYXkVlBx0.exe 5985C:\Windows\SysWOW64\shYXwkUVrOtPuS.exe
        32⤵
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:3536
        
        C:\Users\Admin\AppData\Roaming\svhostu.exe
        
        C:\Users\Admin\AppData\Roaming\svhostu.exe auto
        33⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\pXqjYCekI.exe
        
        C:\Windows\system32\pXqjYCekI.exe 5985C:\Windows\SysWOW64\Z8gRZ9hYXkVlBx0.exe
        33⤵
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:2220
        
        C:\Users\Admin\AppData\Roaming\svhostu.exe
        
        C:\Users\Admin\AppData\Roaming\svhostu.exe auto
        34⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\TCekIVrzOyAuSoF.exe
        
        C:\Windows\system32\TCekIVrzOyAuSoF.exe 5985C:\Windows\SysWOW64\pXqjYCekI.exe
        34⤵
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        
        PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5064 -ip 5064
1⤵
PID:4372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svhostu.exe

Filesize
102KB

MD5
fad6e8ca8aa03b5624074d912d9ccf64

SHA1
264ae840c5cd9229e3bef74fe99d77fb5ddd1b8c

SHA256
12bad1d6ec0a7efe918ce1d6f32a9e15c2631361eff9e807f2d97cd29cb36daf

SHA512
b318a2c79e9c3b823e601b4d16b692cd2370d7f75b74aa909b0ee91c0fe3ccded180a3028756dd2a0ce7c16c5ebd9a73ee523d2a6666c69826193e237fc14d20

Download Submit
C:\Windows\SysWOW64\DA1uvD2on4m5W7.exe

Filesize
1.2MB

MD5
cb3615ff34c7899ca7a3940de014d6a2

SHA1
178ba180307394ab3f96c7b3aa49a1ca7d586f75

SHA256
7958f1a019eeabf9b90eaac6c012a58d606e9796b928cb94c121e75fc129b92e

SHA512
808f2b91d2a33166d10dc849efc60b879102ac95dd594739a63a577b208478efcea20164d642e94c8a7db523bb0d36ea205de01505798997edfddc3e2d560104

Download Submit
C:\Windows\SysWOW64\bH6dWK7fR9TqUeI.exe

Filesize
1.8MB

MD5
45bfc0de3c78454b8c80623b7de965b0

SHA1
e71476d4d3bff61d46c3999753d8e943c49d93d9

SHA256
cb971daad25ad430dd577b291694f096bb0b1a98cfc0482993ec30b69aa089df

SHA512
2d55abc2fef301061152da11be3ca05f2903c437db8fe023516a1e09242bb2aa4e9c13ca03337187a327727ea4fc1f1f8c7faaca8ed27248ff88a89eefff1b71

Download Submit
memory/184-333-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/184-334-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/184-335-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/228-143-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/492-120-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/492-121-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/520-185-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/832-145-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/832-165-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/916-338-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/916-348-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/1056-193-0x0000000000520000-0x0000000000620000-memory.dmp

Filesize
1024KB

Download
memory/1056-196-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1076-106-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1076-105-0x00000000006C0000-0x00000000007C0000-memory.dmp

Filesize
1024KB

Download
memory/1216-279-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/1216-266-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/1256-347-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1256-343-0x00000000006A0000-0x00000000007A0000-memory.dmp

Filesize
1024KB

Download
memory/1308-37-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1308-14-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1308-18-0x0000000000580000-0x0000000000680000-memory.dmp

Filesize
1024KB

Download
memory/1308-60-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1308-63-0x0000000000580000-0x0000000000680000-memory.dmp

Filesize
1024KB

Download
memory/1580-125-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/1640-166-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1640-161-0x0000000000790000-0x0000000000890000-memory.dmp

Filesize
1024KB

Download
memory/1708-205-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/1708-224-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/1772-186-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1772-181-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/1920-153-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1920-154-0x00000000005D0000-0x00000000006D0000-memory.dmp

Filesize
1024KB

Download
memory/1920-157-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1936-215-0x0000000000440000-0x0000000000540000-memory.dmp

Filesize
1024KB

Download
memory/1936-216-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2076-134-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2076-135-0x0000000000700000-0x0000000000800000-memory.dmp

Filesize
1024KB

Download
memory/2076-136-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2140-85-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/2156-116-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2156-113-0x00000000006D0000-0x00000000007D0000-memory.dmp

Filesize
1024KB

Download
memory/2204-1-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/2204-21-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/2204-0-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/2204-4-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/2328-292-0x00000000005D0000-0x00000000006D0000-memory.dmp

Filesize
1024KB

Download
memory/2328-293-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2412-249-0x00000000006A0000-0x00000000007A0000-memory.dmp

Filesize
1024KB

Download
memory/2412-250-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2492-306-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/2556-232-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2556-230-0x0000000000480000-0x0000000000580000-memory.dmp

Filesize
1024KB

Download
memory/2560-252-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/2560-239-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/2564-309-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2564-308-0x0000000000690000-0x0000000000790000-memory.dmp

Filesize
1024KB

Download
memory/2704-314-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2704-315-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/2704-320-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2712-274-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2712-273-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/2740-317-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/2876-263-0x00000000006D0000-0x00000000007D0000-memory.dmp

Filesize
1024KB

Download
memory/2876-267-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3096-299-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3096-298-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/3112-146-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3112-140-0x0000000000440000-0x0000000000540000-memory.dmp

Filesize
1024KB

Download
memory/3292-289-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/3400-32-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/3400-28-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/3428-50-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/3492-260-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3492-258-0x00000000006B0000-0x00000000007B0000-memory.dmp

Filesize
1024KB

Download
memory/3584-103-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/3584-87-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/3588-173-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3588-174-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/3588-177-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3940-236-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3940-235-0x0000000000560000-0x0000000000660000-memory.dmp

Filesize
1024KB

Download
memory/3992-15-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3992-16-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/3992-44-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3992-61-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3992-62-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/4252-96-0x0000000000600000-0x0000000000700000-memory.dmp

Filesize
1024KB

Download
memory/4252-97-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4312-39-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/4340-326-0x0000000000620000-0x0000000000720000-memory.dmp

Filesize
1024KB

Download
memory/4340-328-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4376-68-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/4376-72-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/4572-265-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/4572-253-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/4628-56-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/4628-52-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/4664-40-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/4664-45-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/4716-225-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/4716-238-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/4756-327-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/4756-319-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/4784-222-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4784-220-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4784-221-0x0000000000670000-0x0000000000770000-memory.dmp

Filesize
1024KB

Download
memory/4800-337-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/4804-82-0x0000000000690000-0x0000000000790000-memory.dmp

Filesize
1024KB

Download
memory/4804-88-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4804-81-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4920-26-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/4984-278-0x0000000000630000-0x0000000000730000-memory.dmp

Filesize
1024KB

Download
memory/4984-280-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4992-246-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4992-244-0x0000000000620000-0x0000000000720000-memory.dmp

Filesize
1024KB

Download
memory/5036-206-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/5036-200-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/5052-291-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/5052-301-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/5064-286-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/5064-66-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/5064-318-0x00000000004B0000-0x00000000005B0000-memory.dmp

Filesize
1024KB

Download
memory/5064-203-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download
memory/5064-58-0x0000000000400000-0x00000000008AE000-memory.dmp

Filesize
4.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads