2332a62570b5ba6abfbd172b53a26aec1574200a8d19c36d93a1fb6240539db7

Analysis

max time kernel
119s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2024, 23:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3236d61b8f45dce0ba3439e8b0825900N.exe
Size

711KB
MD5

3236d61b8f45dce0ba3439e8b0825900
SHA1

2350470c402ba9c0a3782e302b84a56710bf23e7
SHA256

2332a62570b5ba6abfbd172b53a26aec1574200a8d19c36d93a1fb6240539db7
SHA512

31a9c4870c04eafae2c92d0d2b753a13a3a838e7c88dbd3e3d74c5b4a3c998e43a5823bd402b958c14c0f175672e72ba406e1c7839bc1ca3514c743fabc3bf85
SSDEEP

12288:SHkdjDv6Do9TWdcOHokfO8mJ785MmGQAA2A5NIQXgVlqqGGzMGe0Mge+supHGSh8:skxXOb1mxJ4ymGw5NBQVlqAg0Mg/HGSy

Score

10^/10

evasion persistence spyware stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 8 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O07171Z\\TuxO07171Z.exe\""	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M70263\\Ja301264bLay.com\""	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O07171Z\\TuxO07171Z.exe\""	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M70263\\Ja301264bLay.com\""	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O07171Z\\TuxO07171Z.exe\""	EmangEloh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M70263\\Ja301264bLay.com\""	EmangEloh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\O07171Z\\TuxO07171Z.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe , \"C:\\Windows\\M70263\\Ja301264bLay.com\""	winlogon.exe

Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	EmangEloh.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	service.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	EmangEloh.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	service.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe

Disables RegEdit via registry modification 4 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	service.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	EmangEloh.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 16 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	EmangEloh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	EmangEloh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	EmangEloh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe"	EmangEloh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	service.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	3236d61b8f45dce0ba3439e8b0825900N.exe

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd	3236d61b8f45dce0ba3439e8b0825900N.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd	service.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd	smss.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd	EmangEloh.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\sql.cmd	winlogon.exe

Executes dropped EXE 4 IoCs

pid	Process
1948	service.exe
3324	smss.exe
4960	EmangEloh.exe
4092	winlogon.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\T1702622TT4 = "C:\\Windows\\system32\\55172178316l.exe"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\T71Z517 = "C:\\Windows\\sa-208622.exe"	service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\T1702622TT4 = "C:\\Windows\\system32\\55172178316l.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\T71Z517 = "C:\\Windows\\sa-208622.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\T1702622TT4 = "C:\\Windows\\system32\\55172178316l.exe"	EmangEloh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\T71Z517 = "C:\\Windows\\sa-208622.exe"	EmangEloh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\T1702622TT4 = "C:\\Windows\\system32\\55172178316l.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\T71Z517 = "C:\\Windows\\sa-208622.exe"	winlogon.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\m:	EmangEloh.exe
File opened (read-only)	\??\q:	EmangEloh.exe
File opened (read-only)	\??\v:	EmangEloh.exe
File opened (read-only)	\??\w:	EmangEloh.exe
File opened (read-only)	\??\v:	service.exe
File opened (read-only)	\??\y:	EmangEloh.exe
File opened (read-only)	\??\k:	winlogon.exe
File opened (read-only)	\??\N:	winlogon.exe
File opened (read-only)	\??\g:	service.exe
File opened (read-only)	\??\q:	service.exe
File opened (read-only)	\??\N:	EmangEloh.exe
File opened (read-only)	\??\w:	service.exe
File opened (read-only)	\??\p:	smss.exe
File opened (read-only)	\??\p:	winlogon.exe
File opened (read-only)	\??\e:	service.exe
File opened (read-only)	\??\e:	smss.exe
File opened (read-only)	\??\h:	smss.exe
File opened (read-only)	\??\s:	EmangEloh.exe
File opened (read-only)	\??\l:	winlogon.exe
File opened (read-only)	\??\z:	winlogon.exe
File opened (read-only)	\??\h:	winlogon.exe
File opened (read-only)	\??\x:	winlogon.exe
File opened (read-only)	\??\y:	winlogon.exe
File opened (read-only)	\??\s:	smss.exe
File opened (read-only)	\??\x:	smss.exe
File opened (read-only)	\??\e:	EmangEloh.exe
File opened (read-only)	\??\l:	EmangEloh.exe
File opened (read-only)	\??\g:	winlogon.exe
File opened (read-only)	\??\j:	service.exe
File opened (read-only)	\??\r:	service.exe
File opened (read-only)	\??\o:	winlogon.exe
File opened (read-only)	\??\z:	service.exe
File opened (read-only)	\??\v:	smss.exe
File opened (read-only)	\??\w:	smss.exe
File opened (read-only)	\??\h:	EmangEloh.exe
File opened (read-only)	\??\k:	EmangEloh.exe
File opened (read-only)	\??\r:	EmangEloh.exe
File opened (read-only)	\??\x:	service.exe
File opened (read-only)	\??\j:	EmangEloh.exe
File opened (read-only)	\??\o:	EmangEloh.exe
File opened (read-only)	\??\i:	winlogon.exe
File opened (read-only)	\??\k:	service.exe
File opened (read-only)	\??\N:	service.exe
File opened (read-only)	\??\r:	winlogon.exe
File opened (read-only)	\??\s:	winlogon.exe
File opened (read-only)	\??\t:	winlogon.exe
File opened (read-only)	\??\i:	smss.exe
File opened (read-only)	\??\l:	smss.exe
File opened (read-only)	\??\t:	smss.exe
File opened (read-only)	\??\x:	EmangEloh.exe
File opened (read-only)	\??\z:	EmangEloh.exe
File opened (read-only)	\??\w:	winlogon.exe
File opened (read-only)	\??\k:	smss.exe
File opened (read-only)	\??\N:	smss.exe
File opened (read-only)	\??\r:	smss.exe
File opened (read-only)	\??\g:	EmangEloh.exe
File opened (read-only)	\??\m:	winlogon.exe
File opened (read-only)	\??\u:	service.exe
File opened (read-only)	\??\o:	smss.exe
File opened (read-only)	\??\y:	smss.exe
File opened (read-only)	\??\i:	EmangEloh.exe
File opened (read-only)	\??\p:	EmangEloh.exe
File opened (read-only)	\??\p:	service.exe
File opened (read-only)	\??\g:	smss.exe

Drops file in System32 directory 32 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\X04678go\Z551721cie.cmd	3236d61b8f45dce0ba3439e8b0825900N.exe
File created	\??\c:\Windows\SysWOW64\IME\SHARED\New mp3 BaraT !! .exe	service.exe
File opened for modification	\??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\TutoriaL HAcking .exe	service.exe
File opened for modification	\??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\Lagu - Server .scr	service.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	3236d61b8f45dce0ba3439e8b0825900N.exe
File opened for modification	C:\Windows\SysWOW64\551721078316l.exe	3236d61b8f45dce0ba3439e8b0825900N.exe
File created	C:\Windows\SysWOW64\55172178316l.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	winlogon.exe
File opened for modification	\??\c:\Windows\SysWOW64\IME\SHARED\New mp3 BaraT !! .exe	service.exe
File opened for modification	\??\c:\Windows\SysWOW64\IME\SHARED\Titip Folder Jangan DiHapus .exe	service.exe
File opened for modification	C:\Windows\SysWOW64\55172178316l.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\X04678go\Z551721cie.cmd	smss.exe
File created	C:\Windows\SysWOW64\55172178316l.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\55172178316l.exe	winlogon.exe
File opened for modification	\??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\TutoriaL HAcking .exe	service.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	service.exe
File created	C:\Windows\SysWOW64\55172178316l.exe	smss.exe
File opened for modification	\??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\THe Best Ungu .scr	service.exe
File created	\??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\Lagu - Server .scr	service.exe
File opened for modification	C:\Windows\SysWOW64\X04678go\Z551721cie.cmd	service.exe
File opened for modification	C:\Windows\SysWOW64\X04678go\Z551721cie.cmd	EmangEloh.exe
File opened for modification	C:\Windows\SysWOW64\55172178316l.exe	EmangEloh.exe
File opened for modification	C:\Windows\SysWOW64\X04678go\Z551721cie.cmd	winlogon.exe
File created	\??\c:\Windows\SysWOW64\IME\SHARED\Titip Folder Jangan DiHapus .exe	service.exe
File created	\??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\TutoriaL HAcking .exe	service.exe
File opened for modification	C:\Windows\SysWOW64\55172178316l.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	EmangEloh.exe
File created	C:\Windows\SysWOW64\55172178316l.exe	EmangEloh.exe
File created	\??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\THe Best Ungu .scr	service.exe
File created	C:\Windows\SysWOW64\551721078316l.exe	3236d61b8f45dce0ba3439e8b0825900N.exe
File created	\??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\TutoriaL HAcking .exe	service.exe

Drops file in Program Files directory 27 IoCs

description	ioc	Process
File created	\??\c:\Program Files\dotnet\shared\Lagu - Server .scr	service.exe
File created	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\Blink 182 .exe	service.exe
File created	\??\c:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\TutoriaL HAcking .exe	service.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Love Song .scr	service.exe
File created	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\Gallery .scr	service.exe
File created	\??\c:\Program Files\Microsoft Office\Updates\Download\THe Best Ungu .scr	service.exe
File created	\??\c:\Program Files\Windows Sidebar\Shared Gadgets\Love Song .scr	service.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\Lagu - Server .scr	service.exe
File created	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Love Song .scr	service.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\Lagu - Server .scr	service.exe
File created	\??\c:\Program Files (x86)\Common Files\Microsoft Shared\TutoriaL HAcking .exe	service.exe
File created	\??\c:\Program Files (x86)\Google\Update\Download\Norman virus Control 5.18 .exe	service.exe
File opened for modification	\??\c:\Program Files (x86)\Google\Update\Download\Norman virus Control 5.18 .exe	service.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\Windows Vista setup .scr	service.exe
File opened for modification	\??\c:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\TutoriaL HAcking .exe	service.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\Windows Vista setup .scr	service.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\Blink 182 .exe	service.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\Gallery .scr	service.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Shared Gadgets\Love Song .scr	service.exe
File created	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Windows Vista setup .scr	service.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\Updates\Download\THe Best Ungu .scr	service.exe
File created	\??\c:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Windows Vista setup .scr	service.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Microsoft Shared\TutoriaL HAcking .exe	service.exe
File created	\??\c:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RaHasIA .exe	service.exe
File opened for modification	\??\c:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RaHasIA .exe	service.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Lagu - Server .scr	service.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Windows Vista setup .scr	service.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\M70263\Ja301264bLay.com	service.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_d8a1416ab7cccdcf\RaHasIA .exe	service.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.153_none_e23c926e32d07dc1\New mp3 BaraT !! .exe	service.exe
File created	C:\Windows\[TheMoonlight].txt	smss.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_it-it_f1a0741e853eda74\Love Song .scr	service.exe
File created	\??\c:\Windows\WinSxS\wow64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_965fbcbe4df0916b\Love Song .scr	service.exe
File opened for modification	C:\Windows\M70263\EmangEloh.exe	service.exe
File opened for modification	C:\Windows\sa-208622.exe	EmangEloh.exe
File created	\??\c:\Windows\WinSxS\amd64_netfx4-_dataperfcou.._shared12_neutral_h_b03f5f7f11d50a3a_4.0.15805.0_none_24ed4511dcc3019e\Norman virus Control 5.18 .exe	service.exe
File created	C:\Windows\Ti78316ta.exe	winlogon.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_f07d4fae3e8e883f\Lagu - Server .scr	service.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondownloads_31bf3856ad364e35_10.0.19041.1_none_a914e3e3f19ceda1\Lagu - Server .scr	service.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1_none_19d22204a1f3fcaf\Blink 182 .exe	service.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_de-de_bc04d4fbcc35e12a\Windows Vista setup .scr	service.exe
File created	\??\c:\Windows\WinSxS\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_6115038ba57fcb33\Lagu - Server .scr	service.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_en-us_310bfb76047869ad\Titip Folder Jangan DiHapus .exe	service.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.1_it-it_bdb6c49fcea35732\Lagu - Server .scr	service.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-m..ineshared.resources_31bf3856ad364e35_10.0.19041.1_en-us_99ddc8ce8d3d6dac\Lagu - Server .scr	service.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_10.0.19041.1_none_ee94ce5eb8e7e4c0\Data DosenKu .exe	service.exe
File created	\??\c:\Windows\WinSxS\amd64_netfx-aspnet-sharedcomponents_b03f5f7f11d50a3a_4.0.19041.1_none_47ca94859da20b28\Blink 182 .exe	service.exe
File created	\??\c:\Windows\WinSxS\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_10.0.19041.1_none_1c68775f06732f08\Blink 182 .exe	service.exe
File opened for modification	C:\Windows\M70263\EmangEloh.exe	EmangEloh.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_10.0.19041.1_it-it_e79b400a6df5fd2c\TutoriaL HAcking .exe	service.exe
File opened for modification	C:\Windows\Ti078316ta.exe	3236d61b8f45dce0ba3439e8b0825900N.exe
File created	C:\Windows\M70263\smss.exe	smss.exe
File created	\??\c:\Windows\ServiceProfiles\NetworkService\Downloads\Titip Folder Jangan DiHapus .exe	service.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-nfs-shared_31bf3856ad364e35_10.0.19041.1_none_bd731e5b85dd203e\Windows Vista setup .scr	service.exe
File created	C:\Windows\sa-208622.exe	service.exe
File created	\??\c:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\Windows Vista setup .scr	service.exe
File created	\??\c:\Windows\WinSxS\wow64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_de598551b74a3964\Blink 182 .exe	service.exe
File opened for modification	C:\Windows\Ti78316ta.exe	smss.exe
File created	\??\c:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_es-es_211cf1c632a13851\Titip Folder Jangan DiHapus .exe	service.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.1_none_5d54c0aac5c3c12c\Lagu - Server .scr	service.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-hvsi-service-shared_31bf3856ad364e35_10.0.19041.1151_none_fbdc4c5f677dc2ec\Blink 182 .exe	service.exe
File created	\??\c:\Windows\WinSxS\wow64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.1_none_8d8f6812a0c99533\RaHasIA .exe	service.exe
File created	C:\Windows\M70263\smss.exe	EmangEloh.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-i..ore-shareexperience_31bf3856ad364e35_10.0.19041.964_none_1c1a193f5bfcf136\Blink 182 .exe	service.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-s..mon-sharedresources_31bf3856ad364e35_10.0.19041.1_none_5417ea1f38dbb76b\RaHasIA .exe	service.exe
File opened for modification	C:\Windows\M70263\Ja301264bLay.com	service.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_3d0229d17c310f10\Titip Folder Jangan DiHapus .exe	service.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_10.0.19041.1_none_8c0b126c198fcf70\Lagu - Server .scr	service.exe
File opened for modification	C:\Windows\M70263	smss.exe
File created	\??\c:\Windows\ServiceProfiles\LocalService\Downloads\Blink 182 .exe	service.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.844_none_67b5915b5651dd8a\Love Song .scr	service.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_10.0.19041.1_none_4c786ae2f508e6d5\RaHasIA .exe	service.exe
File created	\??\c:\Windows\WinSxS\wow64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_10.0.19041.1_none_fad1fa0072ef4a3a\Love Song .scr	service.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.84_none_c494b3b28da10665\Data DosenKu .exe	service.exe
File opened for modification	C:\Windows\M70263\Ja301264bLay.com	3236d61b8f45dce0ba3439e8b0825900N.exe
File opened for modification	C:\Windows\M70263\EmangEloh.exe	winlogon.exe
File created	\??\c:\Windows\Downloaded Program Files\Blink 182 .exe	service.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.207_none_e2f2dfeea7fa44fc\RaHasIA .exe	service.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-u..ell-sharedutilities_31bf3856ad364e35_10.0.19041.1_none_813610a8a9b59e0a\THe Best Ungu .scr	service.exe
File created	\??\c:\Windows\InputMethod\SHARED\Blink 182 .exe	service.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-sharedpc-sharedpccsp_31bf3856ad364e35_10.0.19041.1_none_24f622f1fc5a3f3c\Blink 182 .exe	service.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-t..ervices-tsfairshare_31bf3856ad364e35_10.0.19041.746_none_0b33a1c93a22de1c\New mp3 BaraT !! .exe	service.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-update-upshared_31bf3856ad364e35_10.0.19041.84_none_85259eff919b7c9e\Norman virus Control 5.18 .exe	service.exe
File created	\??\c:\Windows\WinSxS\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_10.0.19041.1_none_359f84f8e5af60e2\Gallery .scr	service.exe
File opened for modification	C:\Windows\M70263	EmangEloh.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_abfc9db6c377b91f\New mp3 BaraT !! .exe	service.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_d404daff82e97769\Windows Vista setup .scr	service.exe
File created	\??\c:\Windows\WinSxS\wow64_microsoft-windows-d..ces-ime-eashared-lm_31bf3856ad364e35_10.0.19041.1_none_4756d423b091d10b\Titip Folder Jangan DiHapus .exe	service.exe
File opened for modification	C:\Windows\M70263\EmangEloh.exe	3236d61b8f45dce0ba3439e8b0825900N.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-sharedfoldersui_31bf3856ad364e35_10.0.19041.746_none_96167fa49059f7a3\RaHasIA .exe	service.exe
File created	\??\c:\Windows\WinSxS\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_10.0.19041.1_none_15ba23b7f1e2b81b\Data DosenKu .exe	service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	EmangEloh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	EmangEloh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	3236d61b8f45dce0ba3439e8b0825900N.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4008	3236d61b8f45dce0ba3439e8b0825900N.exe
1948	service.exe
3324	smss.exe
4960	EmangEloh.exe
4092	winlogon.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4008 wrote to memory of 1948	4008	3236d61b8f45dce0ba3439e8b0825900N.exe	85
PID 4008 wrote to memory of 1948	4008	3236d61b8f45dce0ba3439e8b0825900N.exe	85
PID 4008 wrote to memory of 1948	4008	3236d61b8f45dce0ba3439e8b0825900N.exe	85
PID 4008 wrote to memory of 3324	4008	3236d61b8f45dce0ba3439e8b0825900N.exe	86
PID 4008 wrote to memory of 3324	4008	3236d61b8f45dce0ba3439e8b0825900N.exe	86
PID 4008 wrote to memory of 3324	4008	3236d61b8f45dce0ba3439e8b0825900N.exe	86
PID 4008 wrote to memory of 4960	4008	3236d61b8f45dce0ba3439e8b0825900N.exe	88
PID 4008 wrote to memory of 4960	4008	3236d61b8f45dce0ba3439e8b0825900N.exe	88
PID 4008 wrote to memory of 4960	4008	3236d61b8f45dce0ba3439e8b0825900N.exe	88
PID 4008 wrote to memory of 4092	4008	3236d61b8f45dce0ba3439e8b0825900N.exe	89
PID 4008 wrote to memory of 4092	4008	3236d61b8f45dce0ba3439e8b0825900N.exe	89
PID 4008 wrote to memory of 4092	4008	3236d61b8f45dce0ba3439e8b0825900N.exe	89

C:\Users\Admin\AppData\Local\Temp\3236d61b8f45dce0ba3439e8b0825900N.exe
"C:\Users\Admin\AppData\Local\Temp\3236d61b8f45dce0ba3439e8b0825900N.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O07171Z\service.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O07171Z\service.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Event Triggered Execution: Image File Execution Options Injection
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1948
- C:\Windows\M70263\smss.exe
  "C:\Windows\M70263\smss.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Event Triggered Execution: Image File Execution Options Injection
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:3324
- C:\Windows\M70263\EmangEloh.exe
  "C:\Windows\M70263\EmangEloh.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Event Triggered Execution: Image File Execution Options Injection
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4960
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O07171Z\winlogon.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O07171Z\winlogon.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Event Triggered Execution: Image File Execution Options Injection
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\O07171Z\service.exe

Filesize
711KB

MD5
3236d61b8f45dce0ba3439e8b0825900

SHA1
2350470c402ba9c0a3782e302b84a56710bf23e7

SHA256
2332a62570b5ba6abfbd172b53a26aec1574200a8d19c36d93a1fb6240539db7

SHA512
31a9c4870c04eafae2c92d0d2b753a13a3a838e7c88dbd3e3d74c5b4a3c998e43a5823bd402b958c14c0f175672e72ba406e1c7839bc1ca3514c743fabc3bf85

Download Submit
C:\Windows\[TheMoonlight].txt

Filesize
109B

MD5
68c7836c8ff19e87ca33a7959a2bdff5

SHA1
cc5d0205bb71c10bbed22fe47e59b1f6817daab7

SHA256
883b19ec550f7ddb1e274a83d58d66c771ab10fefd136bab79483f2eb84e7fec

SHA512
3656005148788ed7ac8f5b5f8f6f4736c2dc4a94771291170e61666beb81e63be2a1a0f2913233b0e3f12ddfa7f1e89da9cd8323306413395ee78b2ece7fbfe8

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
memory/1948-240-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1948-54-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/1948-244-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1948-250-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1948-262-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1948-236-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3324-58-0x00000000001E0000-0x00000000001E2000-memory.dmp

Filesize
8KB

Download
memory/3324-251-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3324-237-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3324-57-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/3324-241-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4008-157-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4008-0-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4008-1-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/4092-281-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4092-243-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4092-239-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4092-247-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4092-277-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4092-138-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4092-253-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4092-273-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4092-257-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4092-261-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4092-269-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4092-265-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4960-120-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/4960-252-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4960-238-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4960-119-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads