db60a40b0bc2d3859f22e3eebe43a768ea8f877399ee70c6be29be31adce0f90

Analysis

max time kernel
147s
max time network
128s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2b08cf4d25da3dcaf917b383d31945c.exe
Size

319KB
MD5

c2b08cf4d25da3dcaf917b383d31945c
SHA1

47242dfd910361e34e9a3e7af4567f1c0b928d3d
SHA256

db60a40b0bc2d3859f22e3eebe43a768ea8f877399ee70c6be29be31adce0f90
SHA512

216fbb719c3de1debb64d4ad12edd0cdb7ae5fbb77b62950de416b261dce454d4678337280c0a99422ca572dd38660dbdcd7064be61d4b5298cf06871134130b
SSDEEP

6144:OqDHRi0GjGzvFHlp4PlXj4IyqrQ///NR5fLYG3eujPQ///NR5f:OqDxi5jGp7YxxC/NcZ7/N

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfgngh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qodlkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mpmapm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohcaoajg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohcaoajg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pngphgbf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c2b08cf4d25da3dcaf917b383d31945c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kfpgmdog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Knmhgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndhipoob.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kfpgmdog.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndhipoob.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncmfqkdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odeiibdq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aigchgkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bajomhbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jcmafj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biojif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oegbheiq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qodlkm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Knmhgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mofglh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmlmic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmhideol.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biojif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aigchgkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhpeafc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmikibio.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mabgcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmlmic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aecaidjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pngphgbf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oegbheiq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfgngh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c2b08cf4d25da3dcaf917b383d31945c.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcmafj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lmikibio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncmfqkdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odeiibdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bajomhbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Leimip32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpmapm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mabgcd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Leimip32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mofglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aecaidjl.exe

Executes dropped EXE 25 IoCs

pid	Process
2680	Jcmafj32.exe
2928	Kfpgmdog.exe
2720	Knmhgf32.exe
2756	Leimip32.exe
2652	Lmikibio.exe
2480	Mpmapm32.exe
672	Mabgcd32.exe
2940	Mofglh32.exe
744	Ndhipoob.exe
2012	Ncmfqkdj.exe
1276	Odeiibdq.exe
1388	Ohcaoajg.exe
2808	Oegbheiq.exe
1800	Pngphgbf.exe
2556	Pmlmic32.exe
2396	Pfgngh32.exe
940	Qodlkm32.exe
2128	Aecaidjl.exe
2080	Aaloddnn.exe
696	Aigchgkh.exe
1628	Bmhideol.exe
1060	Biojif32.exe
916	Bajomhbl.exe
3012	Bhhpeafc.exe
1716	Cacacg32.exe

Loads dropped DLL 54 IoCs

pid	Process
2088	c2b08cf4d25da3dcaf917b383d31945c.exe
2088	c2b08cf4d25da3dcaf917b383d31945c.exe
2680	Jcmafj32.exe
2680	Jcmafj32.exe
2928	Kfpgmdog.exe
2928	Kfpgmdog.exe
2720	Knmhgf32.exe
2720	Knmhgf32.exe
2756	Leimip32.exe
2756	Leimip32.exe
2652	Lmikibio.exe
2652	Lmikibio.exe
2480	Mpmapm32.exe
2480	Mpmapm32.exe
672	Mabgcd32.exe
672	Mabgcd32.exe
2940	Mofglh32.exe
2940	Mofglh32.exe
744	Ndhipoob.exe
744	Ndhipoob.exe
2012	Ncmfqkdj.exe
2012	Ncmfqkdj.exe
1276	Odeiibdq.exe
1276	Odeiibdq.exe
1388	Ohcaoajg.exe
1388	Ohcaoajg.exe
2808	Oegbheiq.exe
2808	Oegbheiq.exe
1800	Pngphgbf.exe
1800	Pngphgbf.exe
2556	Pmlmic32.exe
2556	Pmlmic32.exe
2396	Pfgngh32.exe
2396	Pfgngh32.exe
940	Qodlkm32.exe
940	Qodlkm32.exe
2128	Aecaidjl.exe
2128	Aecaidjl.exe
2080	Aaloddnn.exe
2080	Aaloddnn.exe
696	Aigchgkh.exe
696	Aigchgkh.exe
1628	Bmhideol.exe
1628	Bmhideol.exe
1060	Biojif32.exe
1060	Biojif32.exe
916	Bajomhbl.exe
916	Bajomhbl.exe
3012	Bhhpeafc.exe
3012	Bhhpeafc.exe
2668	WerFault.exe
2668	WerFault.exe
2668	WerFault.exe
2668	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Lmikibio.exe	Leimip32.exe
File created	C:\Windows\SysWOW64\Mabgcd32.exe	Mpmapm32.exe
File opened for modification	C:\Windows\SysWOW64\Pmlmic32.exe	Pngphgbf.exe
File opened for modification	C:\Windows\SysWOW64\Qodlkm32.exe	Pfgngh32.exe
File opened for modification	C:\Windows\SysWOW64\Knmhgf32.exe	Kfpgmdog.exe
File opened for modification	C:\Windows\SysWOW64\Mofglh32.exe	Mabgcd32.exe
File opened for modification	C:\Windows\SysWOW64\Kfpgmdog.exe	Jcmafj32.exe
File created	C:\Windows\SysWOW64\Ohcaoajg.exe	Odeiibdq.exe
File created	C:\Windows\SysWOW64\Hpggbq32.dll	Aaloddnn.exe
File opened for modification	C:\Windows\SysWOW64\Odeiibdq.exe	Ncmfqkdj.exe
File created	C:\Windows\SysWOW64\Ndhipoob.exe	Mofglh32.exe
File created	C:\Windows\SysWOW64\Biojif32.exe	Bmhideol.exe
File created	C:\Windows\SysWOW64\Cacacg32.exe	Bhhpeafc.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Bhhpeafc.exe
File opened for modification	C:\Windows\SysWOW64\Mpmapm32.exe	Lmikibio.exe
File opened for modification	C:\Windows\SysWOW64\Leimip32.exe	Knmhgf32.exe
File created	C:\Windows\SysWOW64\Mpmapm32.exe	Lmikibio.exe
File created	C:\Windows\SysWOW64\Olahaplc.dll	Lmikibio.exe
File created	C:\Windows\SysWOW64\Llcohjcg.dll	Mpmapm32.exe
File opened for modification	C:\Windows\SysWOW64\Ohcaoajg.exe	Odeiibdq.exe
File created	C:\Windows\SysWOW64\Pmlmic32.exe	Pngphgbf.exe
File opened for modification	C:\Windows\SysWOW64\Jcmafj32.exe	c2b08cf4d25da3dcaf917b383d31945c.exe
File created	C:\Windows\SysWOW64\Oegbheiq.exe	Ohcaoajg.exe
File opened for modification	C:\Windows\SysWOW64\Pngphgbf.exe	Oegbheiq.exe
File created	C:\Windows\SysWOW64\Cjakbabj.dll	Pngphgbf.exe
File created	C:\Windows\SysWOW64\Odeiibdq.exe	Ncmfqkdj.exe
File created	C:\Windows\SysWOW64\Ifbgfk32.dll	Oegbheiq.exe
File opened for modification	C:\Windows\SysWOW64\Pfgngh32.exe	Pmlmic32.exe
File created	C:\Windows\SysWOW64\Nacehmno.dll	Pfgngh32.exe
File created	C:\Windows\SysWOW64\Bmhideol.exe	Aigchgkh.exe
File created	C:\Windows\SysWOW64\Mmdgdp32.dll	Bmhideol.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Bhhpeafc.exe
File created	C:\Windows\SysWOW64\Mifnekbi.dll	Jcmafj32.exe
File created	C:\Windows\SysWOW64\Lmikibio.exe	Leimip32.exe
File opened for modification	C:\Windows\SysWOW64\Mabgcd32.exe	Mpmapm32.exe
File opened for modification	C:\Windows\SysWOW64\Ncmfqkdj.exe	Ndhipoob.exe
File opened for modification	C:\Windows\SysWOW64\Oegbheiq.exe	Ohcaoajg.exe
File created	C:\Windows\SysWOW64\Fhbhji32.dll	Biojif32.exe
File created	C:\Windows\SysWOW64\Epecke32.dll	c2b08cf4d25da3dcaf917b383d31945c.exe
File created	C:\Windows\SysWOW64\Bhhpeafc.exe	Bajomhbl.exe
File created	C:\Windows\SysWOW64\Bajomhbl.exe	Biojif32.exe
File created	C:\Windows\SysWOW64\Lmcmdd32.dll	Ohcaoajg.exe
File created	C:\Windows\SysWOW64\Jodjlm32.dll	Bajomhbl.exe
File created	C:\Windows\SysWOW64\Kgdjgo32.dll	Ndhipoob.exe
File created	C:\Windows\SysWOW64\Knmhgf32.exe	Kfpgmdog.exe
File created	C:\Windows\SysWOW64\Hkijpd32.dll	Leimip32.exe
File created	C:\Windows\SysWOW64\Aaloddnn.exe	Aecaidjl.exe
File created	C:\Windows\SysWOW64\Lmpanl32.dll	Aigchgkh.exe
File created	C:\Windows\SysWOW64\Kfpgmdog.exe	Jcmafj32.exe
File created	C:\Windows\SysWOW64\Emfmdo32.dll	Qodlkm32.exe
File created	C:\Windows\SysWOW64\Pngphgbf.exe	Oegbheiq.exe
File created	C:\Windows\SysWOW64\Ekebnbmn.dll	Mabgcd32.exe
File opened for modification	C:\Windows\SysWOW64\Ndhipoob.exe	Mofglh32.exe
File created	C:\Windows\SysWOW64\Egnhob32.dll	Mofglh32.exe
File created	C:\Windows\SysWOW64\Ncmfqkdj.exe	Ndhipoob.exe
File opened for modification	C:\Windows\SysWOW64\Aigchgkh.exe	Aaloddnn.exe
File opened for modification	C:\Windows\SysWOW64\Bajomhbl.exe	Biojif32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhpeafc.exe	Bajomhbl.exe
File created	C:\Windows\SysWOW64\Mofglh32.exe	Mabgcd32.exe
File created	C:\Windows\SysWOW64\Mfkbpc32.dll	Odeiibdq.exe
File created	C:\Windows\SysWOW64\Pfgngh32.exe	Pmlmic32.exe
File created	C:\Windows\SysWOW64\Qodlkm32.exe	Pfgngh32.exe
File opened for modification	C:\Windows\SysWOW64\Biojif32.exe	Bmhideol.exe
File created	C:\Windows\SysWOW64\Jcmafj32.exe	c2b08cf4d25da3dcaf917b383d31945c.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2668	1716	WerFault.exe	52

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pngphgbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhbhji32.dll"	Biojif32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkeapk32.dll"	Kfpgmdog.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mofglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odeiibdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaloddnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgdjgo32.dll"	Ndhipoob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Biojif32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oegbheiq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmlmic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kfpgmdog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nacehmno.dll"	Pfgngh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfgngh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qodlkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aigchgkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcmafj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncmfqkdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bajomhbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olahaplc.dll"	Lmikibio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndhipoob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pngphgbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aaloddnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bajomhbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epecke32.dll"	c2b08cf4d25da3dcaf917b383d31945c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkfalhjp.dll"	Knmhgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkijpd32.dll"	Leimip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Leimip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ohcaoajg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifbgfk32.dll"	Oegbheiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Bhhpeafc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	c2b08cf4d25da3dcaf917b383d31945c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Leimip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mofglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Migkgb32.dll"	Ncmfqkdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmcmdd32.dll"	Ohcaoajg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhpeoj32.dll"	Aecaidjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aigchgkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmpanl32.dll"	Aigchgkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdgdp32.dll"	Bmhideol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jcmafj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Knmhgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lmikibio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekebnbmn.dll"	Mabgcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oegbheiq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnablp32.dll"	Pmlmic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qodlkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jodjlm32.dll"	Bajomhbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	c2b08cf4d25da3dcaf917b383d31945c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mabgcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mabgcd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncmfqkdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfkbpc32.dll"	Odeiibdq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmlmic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpmapm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odeiibdq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmhideol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhpeafc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aecaidjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	c2b08cf4d25da3dcaf917b383d31945c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	c2b08cf4d25da3dcaf917b383d31945c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kfpgmdog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Knmhgf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2680	2088	c2b08cf4d25da3dcaf917b383d31945c.exe	28
PID 2088 wrote to memory of 2680	2088	c2b08cf4d25da3dcaf917b383d31945c.exe	28
PID 2088 wrote to memory of 2680	2088	c2b08cf4d25da3dcaf917b383d31945c.exe	28
PID 2088 wrote to memory of 2680	2088	c2b08cf4d25da3dcaf917b383d31945c.exe	28
PID 2680 wrote to memory of 2928	2680	Jcmafj32.exe	29
PID 2680 wrote to memory of 2928	2680	Jcmafj32.exe	29
PID 2680 wrote to memory of 2928	2680	Jcmafj32.exe	29
PID 2680 wrote to memory of 2928	2680	Jcmafj32.exe	29
PID 2928 wrote to memory of 2720	2928	Kfpgmdog.exe	30
PID 2928 wrote to memory of 2720	2928	Kfpgmdog.exe	30
PID 2928 wrote to memory of 2720	2928	Kfpgmdog.exe	30
PID 2928 wrote to memory of 2720	2928	Kfpgmdog.exe	30
PID 2720 wrote to memory of 2756	2720	Knmhgf32.exe	31
PID 2720 wrote to memory of 2756	2720	Knmhgf32.exe	31
PID 2720 wrote to memory of 2756	2720	Knmhgf32.exe	31
PID 2720 wrote to memory of 2756	2720	Knmhgf32.exe	31
PID 2756 wrote to memory of 2652	2756	Leimip32.exe	32
PID 2756 wrote to memory of 2652	2756	Leimip32.exe	32
PID 2756 wrote to memory of 2652	2756	Leimip32.exe	32
PID 2756 wrote to memory of 2652	2756	Leimip32.exe	32
PID 2652 wrote to memory of 2480	2652	Lmikibio.exe	33
PID 2652 wrote to memory of 2480	2652	Lmikibio.exe	33
PID 2652 wrote to memory of 2480	2652	Lmikibio.exe	33
PID 2652 wrote to memory of 2480	2652	Lmikibio.exe	33
PID 2480 wrote to memory of 672	2480	Mpmapm32.exe	34
PID 2480 wrote to memory of 672	2480	Mpmapm32.exe	34
PID 2480 wrote to memory of 672	2480	Mpmapm32.exe	34
PID 2480 wrote to memory of 672	2480	Mpmapm32.exe	34
PID 672 wrote to memory of 2940	672	Mabgcd32.exe	35
PID 672 wrote to memory of 2940	672	Mabgcd32.exe	35
PID 672 wrote to memory of 2940	672	Mabgcd32.exe	35
PID 672 wrote to memory of 2940	672	Mabgcd32.exe	35
PID 2940 wrote to memory of 744	2940	Mofglh32.exe	36
PID 2940 wrote to memory of 744	2940	Mofglh32.exe	36
PID 2940 wrote to memory of 744	2940	Mofglh32.exe	36
PID 2940 wrote to memory of 744	2940	Mofglh32.exe	36
PID 744 wrote to memory of 2012	744	Ndhipoob.exe	37
PID 744 wrote to memory of 2012	744	Ndhipoob.exe	37
PID 744 wrote to memory of 2012	744	Ndhipoob.exe	37
PID 744 wrote to memory of 2012	744	Ndhipoob.exe	37
PID 2012 wrote to memory of 1276	2012	Ncmfqkdj.exe	38
PID 2012 wrote to memory of 1276	2012	Ncmfqkdj.exe	38
PID 2012 wrote to memory of 1276	2012	Ncmfqkdj.exe	38
PID 2012 wrote to memory of 1276	2012	Ncmfqkdj.exe	38
PID 1276 wrote to memory of 1388	1276	Odeiibdq.exe	39
PID 1276 wrote to memory of 1388	1276	Odeiibdq.exe	39
PID 1276 wrote to memory of 1388	1276	Odeiibdq.exe	39
PID 1276 wrote to memory of 1388	1276	Odeiibdq.exe	39
PID 1388 wrote to memory of 2808	1388	Ohcaoajg.exe	40
PID 1388 wrote to memory of 2808	1388	Ohcaoajg.exe	40
PID 1388 wrote to memory of 2808	1388	Ohcaoajg.exe	40
PID 1388 wrote to memory of 2808	1388	Ohcaoajg.exe	40
PID 2808 wrote to memory of 1800	2808	Oegbheiq.exe	41
PID 2808 wrote to memory of 1800	2808	Oegbheiq.exe	41
PID 2808 wrote to memory of 1800	2808	Oegbheiq.exe	41
PID 2808 wrote to memory of 1800	2808	Oegbheiq.exe	41
PID 1800 wrote to memory of 2556	1800	Pngphgbf.exe	42
PID 1800 wrote to memory of 2556	1800	Pngphgbf.exe	42
PID 1800 wrote to memory of 2556	1800	Pngphgbf.exe	42
PID 1800 wrote to memory of 2556	1800	Pngphgbf.exe	42
PID 2556 wrote to memory of 2396	2556	Pmlmic32.exe	43
PID 2556 wrote to memory of 2396	2556	Pmlmic32.exe	43
PID 2556 wrote to memory of 2396	2556	Pmlmic32.exe	43
PID 2556 wrote to memory of 2396	2556	Pmlmic32.exe	43

C:\Users\Admin\AppData\Local\Temp\c2b08cf4d25da3dcaf917b383d31945c.exe
"C:\Users\Admin\AppData\Local\Temp\c2b08cf4d25da3dcaf917b383d31945c.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\SysWOW64\Jcmafj32.exe
  C:\Windows\system32\Jcmafj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\Kfpgmdog.exe
    C:\Windows\system32\Kfpgmdog.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Windows\SysWOW64\Knmhgf32.exe
      C:\Windows\system32\Knmhgf32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Windows\SysWOW64\Leimip32.exe
        
        C:\Windows\system32\Leimip32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2756
      - C:\Windows\SysWOW64\Lmikibio.exe
        
        C:\Windows\system32\Lmikibio.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Mpmapm32.exe
        
        C:\Windows\system32\Mpmapm32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\SysWOW64\Mabgcd32.exe
        
        C:\Windows\system32\Mabgcd32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:672
        
        C:\Windows\SysWOW64\Mofglh32.exe
        
        C:\Windows\system32\Mofglh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\SysWOW64\Ndhipoob.exe
        
        C:\Windows\system32\Ndhipoob.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\SysWOW64\Ncmfqkdj.exe
        
        C:\Windows\system32\Ncmfqkdj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\SysWOW64\Odeiibdq.exe
        
        C:\Windows\system32\Odeiibdq.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\SysWOW64\Ohcaoajg.exe
        
        C:\Windows\system32\Ohcaoajg.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\Oegbheiq.exe
        
        C:\Windows\system32\Oegbheiq.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\SysWOW64\Pngphgbf.exe
        
        C:\Windows\system32\Pngphgbf.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\Pmlmic32.exe
        
        C:\Windows\system32\Pmlmic32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Pfgngh32.exe
        
        C:\Windows\system32\Pfgngh32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Qodlkm32.exe
        
        C:\Windows\system32\Qodlkm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:940
        
        C:\Windows\SysWOW64\Aecaidjl.exe
        
        C:\Windows\system32\Aecaidjl.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2128
        
        C:\Windows\SysWOW64\Aaloddnn.exe
        
        C:\Windows\system32\Aaloddnn.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Aigchgkh.exe
        
        C:\Windows\system32\Aigchgkh.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:696
        
        C:\Windows\SysWOW64\Bmhideol.exe
        
        C:\Windows\system32\Bmhideol.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Biojif32.exe
        
        C:\Windows\system32\Biojif32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\Bajomhbl.exe
        
        C:\Windows\system32\Bajomhbl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:916
        
        C:\Windows\SysWOW64\Bhhpeafc.exe
        
        C:\Windows\system32\Bhhpeafc.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3012
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        26⤵
        Executes dropped EXE
        
        PID:1716
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1716 -s 140
        27⤵
        Loads dropped DLL
        Program crash
        
        PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaloddnn.exe

Filesize
319KB

MD5
f4da001e2cc22fbfea530a40bc5a9bda

SHA1
9a4b8be36b71c08161bd67aa711d2a2faf2dac29

SHA256
8868a6d2bce913f422ba77354dc5df4a1b5b04ca2196b3afb8a3adab11d0de83

SHA512
6c15a0040a8ff14d1ed71e4c32a42c1bd2a76bbb49aead565aa862f1db3bdecebaba11935c5023630628ccdcdf3c466ef5c672490e292fce200f4d683f534aa6

Download Submit
C:\Windows\SysWOW64\Aecaidjl.exe

Filesize
319KB

MD5
69305fc3ffc13a90ee285098d9976c58

SHA1
b2a707d8aac1e33df159610ef00bfc7a968aa2ed

SHA256
01eec7f08c41e0eedf7872bea577c93847aec08b063030e8313e562ae4ad3479

SHA512
f9a2408471d481ecb0f24eec3dc7b559bbc183e917897b99be5b1e4e8c2a6174a896a521736f01e77bf9db8c685c549f9e2759f30bcd26362841eed7e00259e2

Download Submit
C:\Windows\SysWOW64\Aigchgkh.exe

Filesize
319KB

MD5
6db1668b55a1074f72764434b9e9d8c5

SHA1
634a3be4abce4e06194c8a2c9157fa1f536376dd

SHA256
48e72b56a7e04d07163e5f1f3674fb4fd5e040d851ea3132dbb2abffd8b56f86

SHA512
d5a986c5c1b014a5eecb7a94f509a45350600e8c93015eb71432816026c1437e2db4ace37df0b8fb67ed3b7335f828d6bb6e24a876beb62b17378d0f3a4d001c

Download Submit
C:\Windows\SysWOW64\Bajomhbl.exe

Filesize
319KB

MD5
ac1fec9960ac52624a655fe1b9809d85

SHA1
3e21468a29fb7d473d9c6717503b967519b95d07

SHA256
6c127e5d86b482b71fe3028ad0ad9ddf7b648dec800198c03716b33dd842362c

SHA512
5519eb485702541a239f8714ac623c5bd31bc20f80a26083a7ba34f2133200c33d406ed2e31b45589b7d19e9a8fc84ca8531456fd2cd23d95b4104d28a4ce634

Download Submit
C:\Windows\SysWOW64\Bhhpeafc.exe

Filesize
319KB

MD5
337c7681f771c6560e74205d7de62263

SHA1
70ee366ce56fb106f2fa446a2804b30bf6c80b67

SHA256
ae744986bbafdabfb84af3a60c94d6080092e3f24b49dcd0e2f4ab69472f9b3b

SHA512
a177deab9bc139b9f76b774fc89c1f5d6b199d11dd7e48b13177fc2df27b0c65a02826c03ed5bede6d36125485ca0bf1e410938ad53374f384d7a332b1b10577

Download Submit
C:\Windows\SysWOW64\Biojif32.exe

Filesize
319KB

MD5
23573e74c9ed4bcebd55cf9d9cc36532

SHA1
3e8dc5f63292be0f01ddc21a7e5185da0bcef093

SHA256
21f86214de2c6c0bc00054bcf76d10c87aa7305a2fa92d6a9d7dd6937ef27faa

SHA512
91bd68299b4d264898220a8843f68a1f37089881e0613245d07e2b9dd004a66a013486f7979e02ea9e1b240cad240b91b34567b02914c2998c2fac5c0dd00ac1

Download Submit
C:\Windows\SysWOW64\Bmhideol.exe

Filesize
319KB

MD5
c7fe61425f41fc221643bf8d8ec4bfdd

SHA1
01e44fa67616b1e6164d78226cc151c6c7269559

SHA256
6a41bfbb0e6a09796cdb83d7b6df91892bd79139af7c98d5a1857e719356dea5

SHA512
c71f3617e4549a34101d1f5c7a90460edb5d85de6239c58d5713137d14a98e46b11ab9265896028224231672235ff7bdcbc13f5ae8d83d55e7a505e43677a5c5

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
319KB

MD5
f5b56de187d3e49f5973b6ab37a6be8b

SHA1
5f8bc9de647bc544521846b42d795baf3c909714

SHA256
1cacc71f09f0470bdd4386caf70b17c497b45611a654b36e075cb05e06b968ac

SHA512
6ee655bd8c2a0aaa7176a4fada8044d0ecf36534610cdc8ba97119195e66b7a210d0b87139e101402a2061cd79e67235426a3d47703ceb53f881dd709aeb15bd

Download Submit
C:\Windows\SysWOW64\Mpmapm32.exe

Filesize
319KB

MD5
28e541d2ed8f1cf20f4c32dacffab25e

SHA1
88d9cc1e53d9b28215b6ebff2b91992c9f848bd8

SHA256
d559e0f5fe75a68a4ef55c24f28345d32403452e221a44eda98dc4ebcee49a7d

SHA512
0772958167f6bb62fe289693405d8e4bc423d64ad347b330e3524b10c4db80c41023ec17e261f5055dc5169a1bd381b1d05be71bbed195361b70686e4592af22

Download Submit
C:\Windows\SysWOW64\Ohcaoajg.exe

Filesize
319KB

MD5
67a6f10e8ebbb07ec5aae351b0de8242

SHA1
bcb415c4da3a6243971a7064a9387444a4bab8e3

SHA256
c4ad67f723e3ba934a0f26b953be10150890a288a521693b471cbd8ba87a01d8

SHA512
3b4db7ba01d726799d18915e660e5d85c07042c9ba20b4b0dfddc725a05c27744135fc0b99ece809d93ef1ded12c3946463ef473fdc8e43d8767192ab398a744

Download Submit
C:\Windows\SysWOW64\Pfgngh32.exe

Filesize
319KB

MD5
dd8bf5ce9a2f7bb65eec7dc480579b6d

SHA1
ee18eacd6c1099f2dadaa7dac1e676bdfd87f579

SHA256
d4a48c07208dda918bc9ff744439b6b9545203e472da15f136233220fe48b97d

SHA512
c1d86f38e9f9ce025d9beb0cfaaf6d951fbb23e45ac15fa03de1738046f85abc5eb9022f89fd5e0909a3f306bc18da5fbd346c6b25a0d71aa155a9df181af023

Download Submit
C:\Windows\SysWOW64\Qodlkm32.exe

Filesize
319KB

MD5
6b6c5148592c5a5a81464d6741ef23d2

SHA1
83853de4e785ba022fc6a57ae691df2ca34ed71f

SHA256
f66a5fc1348ca0b248086eaa3935ab8fe7eb8a21a960c889510de74ec51404be

SHA512
621d9cd057e7a0a9f52dec38596bbea84960b2cf38d67a3ae055f44a26c70b65a30aac995dd2066ecc6e159cfd4f43349bb4e32cfd4fb6d5b42094d5c6180c1a

Download Submit
\Windows\SysWOW64\Jcmafj32.exe

Filesize
319KB

MD5
9a7ece0a61b6a0825fe20d863f5611ce

SHA1
bf351621eb3ebfe355eaa51173c624361576292a

SHA256
f097c3645a2bc31eddcc5f424342ce4be9df21963aac75d48160edeb52720c09

SHA512
ffbeedfa2ca52de4b0152bd028c536be7f215b49f1dabed7d4b48b82ee51d23c77b21ed3f54173c85d6c8c4905bafe11417b050e6b3c9cb567a08d6d2b86ca7a

Download Submit
\Windows\SysWOW64\Kfpgmdog.exe

Filesize
319KB

MD5
ed22476fb64803fc9be813541fc6c741

SHA1
5aaea5a75cf614a87a408870880b91c7a9b89d4d

SHA256
ee1f9fcfa114e0833b06113eeb39fbe918adfb03b1f4a50cc33e45da8484ab3b

SHA512
134deac80cdebc662b777e49c5910152ac9fc7065902bd1443269ef909d26f870b175351c0d6bce3746c94837a77a90d292e29554890068a5ff469c4d1dc7c23

Download Submit
\Windows\SysWOW64\Knmhgf32.exe

Filesize
319KB

MD5
1cd3163e56117beb09217eabe9c037a3

SHA1
2446fefb116a2e67d794638e66567d3f5cd3e783

SHA256
cb28f45c28ae13b888a4def2a862789b7899ab28ae7e079ed77b6f10684c21b7

SHA512
221ab0556cb339b118a9e455cf1a99dd3ac3bdc6fbde4b468f9706f09967732a6551a826edb4c352e356b2289916f4cfb76a689d8ca06ffea0f7f2db72c213ec

Download Submit
\Windows\SysWOW64\Leimip32.exe

Filesize
319KB

MD5
9dcffae9476b80d8cca259172384f7bf

SHA1
74fa52ac38209f2a854a8945a9af8d2ad9e14983

SHA256
8b2253cddb2bf9a6c7997317660bca4c47c14a9f5456af9e325e6f687bd7e4c0

SHA512
2473d5d817a37e220ed95a2284270cb35d9e169c1d6ae10da3ae3fdcbb36424784534ae7d25b288cdaa19397a4af9a05e92f38c8ea33790b389805d88e64399b

Download Submit
\Windows\SysWOW64\Lmikibio.exe

Filesize
319KB

MD5
3bb93f2e141e88355406ba157131e59e

SHA1
47fce6a5a08b4bb618474cd1bedcadac190d82b5

SHA256
7b296bd5e344a6a4f00f5a20f665b87706806adc1a63a23299be758a6c1face6

SHA512
ee10311acdd34437f2a05e2f869b86573a60c8f60fa68d16e96230dec9f19af18b5731ce48365dee1e8af58ec07301889c06e6643fe2d8badce6af8a6134e969

Download Submit
\Windows\SysWOW64\Mabgcd32.exe

Filesize
319KB

MD5
8dc346ced0ece44bcef9bb88c60b23ab

SHA1
e956c494b930465781ee206f1439e75258614677

SHA256
fecece3aecc97a3bdd0fcc31242dbbd0d16fdd03d7e8ef53e199c7622642042b

SHA512
a3bba61a8a4097751c0da70cc43fbbc9b8c60aba54fd8d8e73a7ba3cf7493fac8dd1d05b1e67f144dfdf7f523f782ed3496720312a31a938069ad5932765eb73

Download Submit
\Windows\SysWOW64\Mofglh32.exe

Filesize
319KB

MD5
944711cb0ff2b0f177137505cd570494

SHA1
4cf117aaa613ddc51e71a589178b57caad936ba4

SHA256
9aa26ea4bfff629b489c8a7a6f9e159a8c6b88dfa1906c35c25c86fd57bcb422

SHA512
682020a4b2b5f8b8f7ce0d74a3b79bbad2c986d1dc24bbe206dcbcb6226b39ba8f1b37a70c543caad345ea7a7d4d44bfd29c6f47b584f2a5105399efb238c1f1

Download Submit
\Windows\SysWOW64\Ncmfqkdj.exe

Filesize
319KB

MD5
6567aa1d4c28f00393ac216fa686bded

SHA1
c1d3fdda6a0b558cf093e6267c87c5f1ae255922

SHA256
d62086f8d5c2418cf6133dc84be8ea5ec8bdf156a3ebb61bddf18cad7bcb6d1e

SHA512
44c40448ec66cb5ab0aa47712d0dc797f8112eafdc8a71a111724ba4265b63d62589b8f8b674e818049b90f20cc7bd9563276374a4df5d9e15474becac8a625c

Download Submit
\Windows\SysWOW64\Ndhipoob.exe

Filesize
319KB

MD5
7508a4bcd55340a1b4d525115ad3cec9

SHA1
98cd3fc83e0b39369c1e1dc598c0d7472d7421f6

SHA256
6675a818f47134000f5090455ad5bc0b3822e976cef4e46db398d95b8acb6d09

SHA512
507f9c707c6282cb517364b2ecc0544b10fdf1c4e37a3916a87af275e04c92ad42880bc85ccdfd9910dea1b006797d10da673f925cb539aec7a5a39e32bcda12

Download Submit
\Windows\SysWOW64\Odeiibdq.exe

Filesize
319KB

MD5
e5c18995649359df68769a9ac0fb24ba

SHA1
718f886f08a9e525c76c2c2f5b8e3f990758da22

SHA256
d2973c03153bece14a2ec93d01b9a78abdee5df79df56acdd2df095bec702aca

SHA512
f84ccd48b6230eb5c7aa8784e06fc4601634066400e7b91c93b5e0ca07593c3ddc79d93fb5b7ab4734840ea1aae9a9750b212c5117628e24d9356c5a78458e79

Download Submit
\Windows\SysWOW64\Oegbheiq.exe

Filesize
319KB

MD5
e2eb5aee30f4cb0c750ad99f37a030a6

SHA1
335346ca33e95d8e8947464419e946abdb8afaee

SHA256
61a862635b5607fad3c0ef89559c76436049bd487ebf5504a3cb5888e7c11f4c

SHA512
e0aeb7b76308a8c177abadabd59ac83745c6071d65021587c998949a5462df120222a867f259cd852663294878e654769eeff74a873cb31a504b85f591bc1372

Download Submit
\Windows\SysWOW64\Pmlmic32.exe

Filesize
319KB

MD5
a69fe164805491585a5a56201065cfc8

SHA1
0ca76c2bccf6f8db579fb55606d54261fb11ffb1

SHA256
48082226d485badbea6f073f5ef52bc96d03ab010cc9df08d1aa30a4891dba5b

SHA512
197f6245b343300afda1ef95fbb637893bbea75b77491c29e264a75307807aa12798efbdabd27ac9c2c048060d37aab65c3df0ca7af2d121d349699f7a2b3e76

Download Submit
\Windows\SysWOW64\Pngphgbf.exe

Filesize
319KB

MD5
84f45acf612082de60ef0091db77ba3a

SHA1
50304ecdbddd535de7edb0ee3a4b1f09ac9310de

SHA256
fe120af8e722ef72db77fa7e5110906f66b5c8817c08da268450a9584efec981

SHA512
26a270dbc066f96d7480461d6acbf970d555592b226441fc48b5372523ee8fb06920d139a3321eefce6ff0c461d77585737ce2d03e859390cd9e72bb40009915

Download Submit
memory/672-93-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/672-384-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/696-265-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/696-269-0x00000000002C0000-0x0000000000311000-memory.dmp

Filesize
324KB

Download
memory/696-279-0x00000000002C0000-0x0000000000311000-memory.dmp

Filesize
324KB

Download
memory/744-126-0x0000000000460000-0x00000000004B1000-memory.dmp

Filesize
324KB

Download
memory/744-118-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/744-388-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/916-294-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/916-299-0x00000000003A0000-0x00000000003F1000-memory.dmp

Filesize
324KB

Download
memory/916-300-0x00000000003A0000-0x00000000003F1000-memory.dmp

Filesize
324KB

Download
memory/940-239-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/940-233-0x00000000002E0000-0x0000000000331000-memory.dmp

Filesize
324KB

Download
memory/940-222-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1060-282-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1060-288-0x0000000000220000-0x0000000000271000-memory.dmp

Filesize
324KB

Download
memory/1060-293-0x0000000000220000-0x0000000000271000-memory.dmp

Filesize
324KB

Download
memory/1276-392-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1276-144-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1388-394-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1388-169-0x0000000000220000-0x0000000000271000-memory.dmp

Filesize
324KB

Download
memory/1628-281-0x0000000000460000-0x00000000004B1000-memory.dmp

Filesize
324KB

Download
memory/1628-280-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1628-283-0x0000000000460000-0x00000000004B1000-memory.dmp

Filesize
324KB

Download
memory/1716-311-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1800-201-0x0000000001C00000-0x0000000001C51000-memory.dmp

Filesize
324KB

Download
memory/1800-195-0x0000000001C00000-0x0000000001C51000-memory.dmp

Filesize
324KB

Download
memory/1800-183-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1800-398-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2012-390-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2080-255-0x0000000000290000-0x00000000002E1000-memory.dmp

Filesize
324KB

Download
memory/2080-256-0x0000000000290000-0x00000000002E1000-memory.dmp

Filesize
324KB

Download
memory/2080-249-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2088-6-0x0000000000220000-0x0000000000271000-memory.dmp

Filesize
324KB

Download
memory/2088-12-0x0000000000220000-0x0000000000271000-memory.dmp

Filesize
324KB

Download
memory/2088-0-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2088-366-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2128-250-0x0000000000220000-0x0000000000271000-memory.dmp

Filesize
324KB

Download
memory/2128-247-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2128-248-0x0000000000220000-0x0000000000271000-memory.dmp

Filesize
324KB

Download
memory/2396-224-0x0000000000220000-0x0000000000271000-memory.dmp

Filesize
324KB

Download
memory/2396-223-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2396-221-0x0000000000220000-0x0000000000271000-memory.dmp

Filesize
324KB

Download
memory/2480-382-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2480-86-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2556-220-0x00000000002D0000-0x0000000000321000-memory.dmp

Filesize
324KB

Download
memory/2556-202-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2556-210-0x00000000002D0000-0x0000000000321000-memory.dmp

Filesize
324KB

Download
memory/2652-74-0x00000000002F0000-0x0000000000341000-memory.dmp

Filesize
324KB

Download
memory/2652-380-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2680-368-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2680-19-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2720-372-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2720-46-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2756-65-0x0000000000460000-0x00000000004B1000-memory.dmp

Filesize
324KB

Download
memory/2756-378-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2808-396-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2928-370-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2928-32-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2928-40-0x0000000000220000-0x0000000000271000-memory.dmp

Filesize
324KB

Download
memory/2940-386-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3012-312-0x0000000000220000-0x0000000000271000-memory.dmp

Filesize
324KB

Download
memory/3012-310-0x0000000000220000-0x0000000000271000-memory.dmp

Filesize
324KB

Download
memory/3012-309-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads