34841d3437f7c82d06bbf0b60bc1ee10a7b56472712f4c97dc904fe329025e38

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 13:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34841d3437f7c82d06bbf0b60bc1ee10a7b56472712f4c97dc904fe329025e38.exe
Size

50KB
MD5

cc2f99f534bed7b4338723119be4a546
SHA1

d07848b7cde8a815ef558f170206581b89c91ccc
SHA256

34841d3437f7c82d06bbf0b60bc1ee10a7b56472712f4c97dc904fe329025e38
SHA512

85542775a3c8e23d0dcd9e0fa4751a073e53ebd2b7026faca497bdabc5b8b95a045f17e193b5f3ea2868ee337a9e081e2381e277bab927daf72fc8f3c109e558
SSDEEP

768:Cv7RBmwSG/Lr9dwqoKlV1eqrEXqVnzbgOeZh4hSdWUAohfjiT5edip:CvlCGjrZRlV1eCE6uJZh4hq0qfWT5M4

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1660	esmgsq.exe
4604	esmgsq.exe
2124	esmgsq.exe
4588	esmgsq.exe
4824	esmgsq.exe
3308	esmgsq.exe
820	esmgsq.exe
2440	esmgsq.exe
1576	esmgsq.exe
5056	esmgsq.exe
3668	esmgsq.exe
3144	esmgsq.exe
4192	esmgsq.exe
3172	esmgsq.exe
4940	esmgsq.exe
3916	esmgsq.exe
3276	esmgsq.exe
1976	esmgsq.exe
5080	esmgsq.exe
316	hrl85BB.tmp
4020	esmgsq.exe
4388	esmgsq.exe
1184	esmgsq.exe
2744	esmgsq.exe
4360	esmgsq.exe
3756	esmgsq.exe
4968	esmgsq.exe
4824	esmgsq.exe
4616	esmgsq.exe
2736	esmgsq.exe
4556	esmgsq.exe
1936	esmgsq.exe
1944	esmgsq.exe
3520	esmgsq.exe
3668	esmgsq.exe
2444	esmgsq.exe
1200	esmgsq.exe
4508	esmgsq.exe
2404	esmgsq.exe
4108	esmgsq.exe
4764	esmgsq.exe
3276	esmgsq.exe
2924	esmgsq.exe
4644	esmgsq.exe
3120	esmgsq.exe
4388	esmgsq.exe
4500	esmgsq.exe
3636	esmgsq.exe
4248	esmgsq.exe
3760	esmgsq.exe
1604	esmgsq.exe
5116	esmgsq.exe
3768	esmgsq.exe
3284	esmgsq.exe
1464	esmgsq.exe
2436	esmgsq.exe
1964	esmgsq.exe
4028	esmgsq.exe
4048	esmgsq.exe
3144	esmgsq.exe
3988	esmgsq.exe
4312	esmgsq.exe
3176	esmgsq.exe
1920	esmgsq.exe

Loads dropped DLL 64 IoCs

pid	Process
1660	esmgsq.exe
4604	esmgsq.exe
2124	esmgsq.exe
4588	esmgsq.exe
4824	esmgsq.exe
3308	esmgsq.exe
820	esmgsq.exe
2440	esmgsq.exe
1576	esmgsq.exe
5056	esmgsq.exe
3668	esmgsq.exe
3144	esmgsq.exe
4192	esmgsq.exe
3172	esmgsq.exe
4940	esmgsq.exe
3916	esmgsq.exe
3276	esmgsq.exe
1976	esmgsq.exe
5080	esmgsq.exe
4020	esmgsq.exe
4388	esmgsq.exe
1184	esmgsq.exe
2744	esmgsq.exe
4360	esmgsq.exe
3756	esmgsq.exe
4968	esmgsq.exe
4824	esmgsq.exe
4616	esmgsq.exe
2736	esmgsq.exe
4556	esmgsq.exe
1936	esmgsq.exe
1944	esmgsq.exe
3520	esmgsq.exe
3668	esmgsq.exe
2444	esmgsq.exe
1200	esmgsq.exe
4508	esmgsq.exe
2404	esmgsq.exe
4108	esmgsq.exe
4764	esmgsq.exe
3276	esmgsq.exe
2924	esmgsq.exe
4644	esmgsq.exe
3120	esmgsq.exe
4388	esmgsq.exe
4500	esmgsq.exe
3636	esmgsq.exe
4248	esmgsq.exe
3760	esmgsq.exe
1604	esmgsq.exe
5116	esmgsq.exe
3768	esmgsq.exe
3284	esmgsq.exe
1464	esmgsq.exe
2436	esmgsq.exe
1964	esmgsq.exe
4028	esmgsq.exe
4048	esmgsq.exe
3144	esmgsq.exe
3988	esmgsq.exe
4312	esmgsq.exe
3176	esmgsq.exe
1920	esmgsq.exe
4512	esmgsq.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe
File opened for modification	C:\Windows\SysWOW64\hra8.dll	esmgsq.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\esmgsq.exe	34841d3437f7c82d06bbf0b60bc1ee10a7b56472712f4c97dc904fe329025e38.exe
File created	C:\Windows\esmgsq.exe	34841d3437f7c82d06bbf0b60bc1ee10a7b56472712f4c97dc904fe329025e38.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2280	34841d3437f7c82d06bbf0b60bc1ee10a7b56472712f4c97dc904fe329025e38.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 5080 wrote to memory of 316	5080	esmgsq.exe	104
PID 5080 wrote to memory of 316	5080	esmgsq.exe	104
PID 5080 wrote to memory of 316	5080	esmgsq.exe	104
PID 380 wrote to memory of 668	380	esmgsq.exe	159
PID 380 wrote to memory of 668	380	esmgsq.exe	159
PID 380 wrote to memory of 668	380	esmgsq.exe	159
PID 4528 wrote to memory of 4792	4528	esmgsq.exe	172
PID 4528 wrote to memory of 4792	4528	esmgsq.exe	172
PID 4528 wrote to memory of 4792	4528	esmgsq.exe	172
PID 1568 wrote to memory of 2064	1568	esmgsq.exe	206
PID 1568 wrote to memory of 2064	1568	esmgsq.exe	206
PID 1568 wrote to memory of 2064	1568	esmgsq.exe	206
PID 908 wrote to memory of 4444	908	esmgsq.exe	219
PID 908 wrote to memory of 4444	908	esmgsq.exe	219
PID 908 wrote to memory of 4444	908	esmgsq.exe	219
PID 3252 wrote to memory of 2656	3252	esmgsq.exe	242
PID 3252 wrote to memory of 2656	3252	esmgsq.exe	242
PID 3252 wrote to memory of 2656	3252	esmgsq.exe	242
PID 1712 wrote to memory of 1220	1712	esmgsq.exe	270
PID 1712 wrote to memory of 1220	1712	esmgsq.exe	270
PID 1712 wrote to memory of 1220	1712	esmgsq.exe	270
PID 940 wrote to memory of 5060	940	esmgsq.exe	291
PID 940 wrote to memory of 5060	940	esmgsq.exe	291
PID 940 wrote to memory of 5060	940	esmgsq.exe	291

C:\Users\Admin\AppData\Local\Temp\34841d3437f7c82d06bbf0b60bc1ee10a7b56472712f4c97dc904fe329025e38.exe
"C:\Users\Admin\AppData\Local\Temp\34841d3437f7c82d06bbf0b60bc1ee10a7b56472712f4c97dc904fe329025e38.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: RenamesItself
PID:2280

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1660

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:4604

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2124

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:4588

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4824

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3308

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:820

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2440

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1576

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5056

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3668

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3144

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4192

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3172

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4940

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3916

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3276

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1976

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Windows\TEMP\hrl85BB.tmp
  C:\Windows\TEMP\hrl85BB.tmp
  2⤵
  - Executes dropped EXE
  PID:316

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4020

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4388

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1184

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2744

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:4360

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3756

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4968

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4824

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4616

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2736

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:4556

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1936

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1944

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3520

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3668

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2444

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1200

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:4508

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2404

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4108

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4764

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3276

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2924

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4644

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3120

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:4388

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4500

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3636

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4248

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3760

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1604

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:5116

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3768

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3284

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1464

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2436

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1964

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4028

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4048

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3144

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3988

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4312

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3176

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1920

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Loads dropped DLL
PID:4512

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:3112

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:3616

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Drops file in System32 directory
PID:3216

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:3220

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Drops file in System32 directory
PID:4300

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:380
- C:\Windows\TEMP\hrlF5CB.tmp
  C:\Windows\TEMP\hrlF5CB.tmp
  2⤵
  PID:668

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Drops file in System32 directory
PID:5044

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Drops file in System32 directory
PID:4360

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:5028

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:908

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:4928

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:2664

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Drops file in System32 directory
PID:3768

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Drops file in System32 directory
PID:3284

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Drops file in System32 directory
PID:2440

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Drops file in System32 directory
PID:1936

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Drops file in System32 directory
PID:928

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Windows\TEMP\hrl1077.tmp
  C:\Windows\TEMP\hrl1077.tmp
  2⤵
  PID:4792

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:4648

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:3928

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:2372

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:4936

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:3740

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:4788

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:4044

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:4820

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:4228

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:3160

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:1660

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Drops file in System32 directory
PID:4140

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:1712

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Drops file in System32 directory
PID:2100

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:4144

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:2156

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:4560

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:2668

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:2024

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:4636

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:2772

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Drops file in System32 directory
PID:4268

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:2260

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:4088

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:2532

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:4772

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:1292

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Drops file in System32 directory
PID:2496

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Drops file in System32 directory
PID:3196

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:220

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:4108

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Drops file in System32 directory
PID:1640

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Windows\TEMP\hrl5967.tmp
  C:\Windows\TEMP\hrl5967.tmp
  2⤵
  PID:2064

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:3140

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:4020

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:4084

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:1704

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:1680

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Drops file in System32 directory
PID:3488

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:1916

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:2100

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:4144

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:2156

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Drops file in System32 directory
PID:5092

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:908
- C:\Windows\TEMP\hrl7422.tmp
  C:\Windows\TEMP\hrl7422.tmp
  2⤵
  PID:4444

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:4596

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:3348

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Drops file in System32 directory
PID:5088

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:4896

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:1552

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:3792

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Drops file in System32 directory
PID:3556

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:4324

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Drops file in System32 directory
PID:3352

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:4996

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:2888

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:3184

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:4608

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:1444

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:1808

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:3796

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:1512

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:2464

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:2420

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:2092

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:2380

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3252
- C:\Windows\TEMP\hrlA489.tmp
  C:\Windows\TEMP\hrlA489.tmp
  2⤵
  PID:2656

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:4908

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:5028

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Drops file in System32 directory
PID:1308

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Drops file in System32 directory
PID:1572

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Drops file in System32 directory
PID:1176

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:844

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:4724

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:1532

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:4088

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Drops file in System32 directory
PID:2708

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:3668

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Drops file in System32 directory
PID:4540

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:3312

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:4532

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Drops file in System32 directory
PID:3340

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:3920

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:1888

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:2936

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:4916

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:4764

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:1852

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Drops file in System32 directory
PID:3276

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:3796

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:2196

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:3240

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:1704

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Windows\TEMP\hrlE03A.tmp
  C:\Windows\TEMP\hrlE03A.tmp
  2⤵
  PID:1220

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Drops file in System32 directory
PID:3524

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Drops file in System32 directory
PID:540

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Drops file in System32 directory
PID:3824

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Drops file in System32 directory
PID:3724

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:5028

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:2060

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Drops file in System32 directory
PID:1572

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:1792

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:2344

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:3264

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:2260

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Drops file in System32 directory
PID:3680

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Drops file in System32 directory
PID:2532

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:1516

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:4416

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:5112

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Drops file in System32 directory
PID:752

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:3088

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:4788

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:940
- C:\Windows\TEMP\hrlBFD.tmp
  C:\Windows\TEMP\hrlBFD.tmp
  2⤵
  PID:5060

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:4296

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:4776

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:1152

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:1808

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:3120

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:4716

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:3220

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Drops file in System32 directory
PID:4632

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Drops file in System32 directory
PID:380

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:3688

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:3960

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Drops file in System32 directory
PID:3612

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:4860

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Drops file in System32 directory
PID:3512

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:3388

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:2664

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:1924

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:4844

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:2440

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:4060

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:4052

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:4528

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:3956

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Drops file in System32 directory
PID:4540

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:3352

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:2204

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Drops file in System32 directory
PID:3176

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:4356

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Drops file in System32 directory
PID:1976

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:4480

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Drops file in System32 directory
PID:1268

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Drops file in System32 directory
PID:1852

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:1968

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:1116

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:3796

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Drops file in System32 directory
PID:4600

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:1456

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:2744

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:2524

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:1760

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:1916

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:4568

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:4628

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:4616

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:2020

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Drops file in System32 directory
PID:2468

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:2456

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:4328

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:3200

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:2440

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:1848

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:4184

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Drops file in System32 directory
PID:4648

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
- Drops file in System32 directory
PID:2244

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:4532

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:4932

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:2836

C:\Windows\esmgsq.exe
C:\Windows\esmgsq.exe
1⤵
PID:3540

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\RCX6225.tmp

Filesize
62KB

MD5
53b9ea8e96e1abb6d130b64e4bcf5e83

SHA1
f5dc98ba304bef8d2d796c23ec72f306aa3aaa42

SHA256
4cd9483a61487f49268c0265a17bc58adcb5769dae34ec4b5d9af767f07ebc7b

SHA512
745bc5553ca0d508ace1c080db11dbfa552f7f7ad5643df1c0dc62280ccb7c43657381913195e813f16611ff663bd70d59af560b4e22a2011f0f914115a90715

Download Submit
C:\Windows\SysWOW64\hra8.dll

Filesize
12KB

MD5
de61de242b5500304af17e4661100ea5

SHA1
ed6c1fce0696ce100a93f2d3cea83a0475947e4f

SHA256
3c373fde7222d1e3c5a13339d37f3b5752374210ae09974b4f17baa261c3b9a5

SHA512
b393464bfd694bb314cf9c8f3d19ab6750cc65d9e3506c1b91a8658a227e9f8614b1f65b8eaa7b7e844d7308b450e690627e3eb1a8101ca80917c62233d1473f

Download Submit
C:\Windows\esmgsq.exe

Filesize
50KB

MD5
cc2f99f534bed7b4338723119be4a546

SHA1
d07848b7cde8a815ef558f170206581b89c91ccc

SHA256
34841d3437f7c82d06bbf0b60bc1ee10a7b56472712f4c97dc904fe329025e38

SHA512
85542775a3c8e23d0dcd9e0fa4751a073e53ebd2b7026faca497bdabc5b8b95a045f17e193b5f3ea2868ee337a9e081e2381e277bab927daf72fc8f3c109e558

Download Submit
memory/2280-3-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download