5673883e15a8b20a89bbd04e798a6003f90229a73916cace756eccb4c80e89a5

Analysis

max time kernel
173s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
06-01-2024 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eae8d38a64fa2aec792eabb2da2a799e.exe
Size

592KB
MD5

eae8d38a64fa2aec792eabb2da2a799e
SHA1

7db033f3c8179d0916106a8a37b3e1d146327d97
SHA256

5673883e15a8b20a89bbd04e798a6003f90229a73916cace756eccb4c80e89a5
SHA512

4ee217b370096dac8fdac12b2a77728dbb099e2792b847300e98993a0bc020fc6f63034e794680b711009c2c9d32bcceb7a0b1ba19757380a82912ed9cd6470c
SSDEEP

6144:a59wnW7ryG1RE8SeNpgdyuH1lZfRo0V8JcgE+ezpg1xrloBNTNxaaqk9a5:a3wnW1a87g7/VycgE81lgxaa79y

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ciihjmcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdaile32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	eae8d38a64fa2aec792eabb2da2a799e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nfgklkoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aaiqcnhg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biiobo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nhhdnf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ookoaokf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgpeha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfmolc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmggingc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Loofnccf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pbhgoh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qbonoghb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ojhiogdd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjoppf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgqpkip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgdemb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmgqpkip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qbajeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nqfbpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ppikbm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaiqcnhg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgiohbfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmbgdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mpeiie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bdocph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dinael32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncbafoge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dphiaffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Apeknk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhfaddk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmggingc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfaigclq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgmhcaac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bdcmkgmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mqhfoebo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncbafoge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nqfbpb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgpeha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbhgoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nbbeml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dinael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdmoafdb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojhiogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bdlfjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cpljehpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmbgdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqhfoebo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apjdikqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cpcpfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmnnimak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfgklkoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfaigclq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bpjmph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgdemb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ookoaokf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmidnm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpjmph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgmhcaac.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loofnccf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfojdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cienon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdocph32.exe

Executes dropped EXE 49 IoCs

pid	Process
3988	Loofnccf.exe
4828	Mpeiie32.exe
3964	Mqhfoebo.exe
4820	Nfgklkoc.exe
2184	Nhhdnf32.exe
4424	Nbbeml32.exe
1580	Ncbafoge.exe
3304	Nqfbpb32.exe
1260	Ookoaokf.exe
976	Ocihgnam.exe
776	Ojhiogdd.exe
3048	Pfojdh32.exe
3520	Pbekii32.exe
1796	Ppikbm32.exe
640	Pbhgoh32.exe
3656	Pjoppf32.exe
4388	Pmphaaln.exe
5044	Qamago32.exe
404	Qbonoghb.exe
3844	Qbajeg32.exe
1600	Apeknk32.exe
3460	Apjdikqd.exe
1960	Aaiqcnhg.exe
692	Afhfaddk.exe
3688	Bdlfjh32.exe
804	Biiobo32.exe
4160	Bdocph32.exe
2104	Bfmolc32.exe
4832	Bmggingc.exe
2484	Bmidnm32.exe
3816	Bdcmkgmm.exe
3684	Bfaigclq.exe
1584	Bpjmph32.exe
860	Cmnnimak.exe
4312	Cpljehpo.exe
792	Cienon32.exe
680	Cpogkhnl.exe
4408	Cgiohbfi.exe
4764	Cmbgdl32.exe
3132	Cdmoafdb.exe
400	Ciihjmcj.exe
868	Cpcpfg32.exe
3332	Cgmhcaac.exe
4920	Cmgqpkip.exe
4620	Cdaile32.exe
3588	Dgpeha32.exe
2080	Dinael32.exe
1848	Dphiaffa.exe
4800	Diqnjl32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Diqnjl32.exe	Dphiaffa.exe
File created	C:\Windows\SysWOW64\Bpenhh32.dll	Nhhdnf32.exe
File created	C:\Windows\SysWOW64\Hejeak32.dll	Pbekii32.exe
File created	C:\Windows\SysWOW64\Bpjmph32.exe	Bfaigclq.exe
File created	C:\Windows\SysWOW64\Clbidkde.dll	Cmgqpkip.exe
File opened for modification	C:\Windows\SysWOW64\Qamago32.exe	Pmphaaln.exe
File opened for modification	C:\Windows\SysWOW64\Mpeiie32.exe	Loofnccf.exe
File created	C:\Windows\SysWOW64\Nqfbpb32.exe	Ncbafoge.exe
File opened for modification	C:\Windows\SysWOW64\Ocihgnam.exe	Ookoaokf.exe
File created	C:\Windows\SysWOW64\Bdbbme32.dll	Cmnnimak.exe
File created	C:\Windows\SysWOW64\Ijgiemgc.dll	Bfmolc32.exe
File created	C:\Windows\SysWOW64\Ifcmmg32.dll	Bmggingc.exe
File opened for modification	C:\Windows\SysWOW64\Cmgqpkip.exe	Cgmhcaac.exe
File opened for modification	C:\Windows\SysWOW64\Cgiohbfi.exe	Cpogkhnl.exe
File created	C:\Windows\SysWOW64\Kjmgil32.dll	Ojhiogdd.exe
File created	C:\Windows\SysWOW64\Pbekii32.exe	Pfojdh32.exe
File opened for modification	C:\Windows\SysWOW64\Bfmolc32.exe	Bdocph32.exe
File created	C:\Windows\SysWOW64\Bfaigclq.exe	Bdcmkgmm.exe
File created	C:\Windows\SysWOW64\Bdcmkgmm.exe	Bmidnm32.exe
File created	C:\Windows\SysWOW64\Dpifjj32.dll	Loofnccf.exe
File created	C:\Windows\SysWOW64\Qbajeg32.exe	Qbonoghb.exe
File created	C:\Windows\SysWOW64\Aaiqcnhg.exe	Apjdikqd.exe
File created	C:\Windows\SysWOW64\Bdocph32.exe	Biiobo32.exe
File opened for modification	C:\Windows\SysWOW64\Ookoaokf.exe	Nqfbpb32.exe
File created	C:\Windows\SysWOW64\Dphiaffa.exe	Dinael32.exe
File opened for modification	C:\Windows\SysWOW64\Nbbeml32.exe	Nhhdnf32.exe
File created	C:\Windows\SysWOW64\Ppikbm32.exe	Pbekii32.exe
File created	C:\Windows\SysWOW64\Qbonoghb.exe	Qamago32.exe
File created	C:\Windows\SysWOW64\Ifncdb32.dll	Cgmhcaac.exe
File opened for modification	C:\Windows\SysWOW64\Nhhdnf32.exe	Nfgklkoc.exe
File created	C:\Windows\SysWOW64\Bpldbefn.dll	Nqfbpb32.exe
File created	C:\Windows\SysWOW64\Cpogkhnl.exe	Cienon32.exe
File opened for modification	C:\Windows\SysWOW64\Bdocph32.exe	Biiobo32.exe
File created	C:\Windows\SysWOW64\Cienon32.exe	Cpljehpo.exe
File opened for modification	C:\Windows\SysWOW64\Cpogkhnl.exe	Cienon32.exe
File created	C:\Windows\SysWOW64\Daqfhf32.dll	Cmbgdl32.exe
File opened for modification	C:\Windows\SysWOW64\Loofnccf.exe	eae8d38a64fa2aec792eabb2da2a799e.exe
File created	C:\Windows\SysWOW64\Pbhgoh32.exe	Ppikbm32.exe
File opened for modification	C:\Windows\SysWOW64\Qbajeg32.exe	Qbonoghb.exe
File created	C:\Windows\SysWOW64\Qgdcdg32.dll	Aaiqcnhg.exe
File created	C:\Windows\SysWOW64\Jmbpjm32.dll	Ciihjmcj.exe
File created	C:\Windows\SysWOW64\Emkbpmep.dll	Ncbafoge.exe
File opened for modification	C:\Windows\SysWOW64\Cgmhcaac.exe	Cpcpfg32.exe
File created	C:\Windows\SysWOW64\Ilpgfc32.dll	Bdocph32.exe
File created	C:\Windows\SysWOW64\Nhhdnf32.exe	Nfgklkoc.exe
File opened for modification	C:\Windows\SysWOW64\Pbhgoh32.exe	Ppikbm32.exe
File created	C:\Windows\SysWOW64\Cohddjgl.dll	Pbhgoh32.exe
File created	C:\Windows\SysWOW64\Pmphaaln.exe	Pjoppf32.exe
File created	C:\Windows\SysWOW64\Ecfjqmbc.dll	Mqhfoebo.exe
File created	C:\Windows\SysWOW64\Apjdikqd.exe	Apeknk32.exe
File created	C:\Windows\SysWOW64\Dinael32.exe	Dgpeha32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnnimak.exe	Bgdemb32.exe
File opened for modification	C:\Windows\SysWOW64\Dgpeha32.exe	Cdaile32.exe
File created	C:\Windows\SysWOW64\Enfhldel.dll	Qbonoghb.exe
File created	C:\Windows\SysWOW64\Afhfaddk.exe	Aaiqcnhg.exe
File created	C:\Windows\SysWOW64\Bfmolc32.exe	Bdocph32.exe
File opened for modification	C:\Windows\SysWOW64\Bdcmkgmm.exe	Bmidnm32.exe
File created	C:\Windows\SysWOW64\Cpljehpo.exe	Cmnnimak.exe
File opened for modification	C:\Windows\SysWOW64\Ncbafoge.exe	Nbbeml32.exe
File created	C:\Windows\SysWOW64\Pfojdh32.exe	Ojhiogdd.exe
File created	C:\Windows\SysWOW64\Acffllhk.dll	Pmphaaln.exe
File created	C:\Windows\SysWOW64\Epgldbkn.dll	Qamago32.exe
File created	C:\Windows\SysWOW64\Loofnccf.exe	eae8d38a64fa2aec792eabb2da2a799e.exe
File created	C:\Windows\SysWOW64\Mqhfoebo.exe	Mpeiie32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5148	4800	WerFault.exe	125

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifcmmg32.dll"	Bmggingc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dphiaffa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nhhdnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deiljq32.dll"	Afhfaddk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bdocph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmggingc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bdcmkgmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cpcpfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fllhjc32.dll"	Ocihgnam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anlkecaj.dll"	Pfojdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dblamanm.dll"	Ppikbm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qbajeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	eae8d38a64fa2aec792eabb2da2a799e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnaqob32.dll"	Nfgklkoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pjoppf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pmphaaln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acffllhk.dll"	Pmphaaln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nfgklkoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpenhh32.dll"	Nhhdnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ncbafoge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ojhiogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpphjbnh.dll"	Bmidnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgccelpk.dll"	Mpeiie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ojhiogdd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ppikbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijgiemgc.dll"	Bfmolc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mliapk32.dll"	Apjdikqd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afhfaddk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfmolc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfaigclq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dphiaffa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Loofnccf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cohddjgl.dll"	Pbhgoh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bdocph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daqfhf32.dll"	Cmbgdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cgiohbfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcjdilmf.dll"	Cgiohbfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mqhfoebo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ncbafoge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ookoaokf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnmanm32.dll"	Cpljehpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cgiohbfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmbgdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmgqpkip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ookoaokf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pbekii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ppikbm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adppeapp.dll"	Bgdemb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcdbi32.dll"	Biiobo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmnnimak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	eae8d38a64fa2aec792eabb2da2a799e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mqhfoebo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pmphaaln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qbonoghb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfaigclq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cienon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifncdb32.dll"	Cgmhcaac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Loofnccf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Nhhdnf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kebkgjkg.dll"	Nbbeml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qbajeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cgmhcaac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nqfbpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgdcdg32.dll"	Aaiqcnhg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 3988	5040	eae8d38a64fa2aec792eabb2da2a799e.exe	93
PID 5040 wrote to memory of 3988	5040	eae8d38a64fa2aec792eabb2da2a799e.exe	93
PID 5040 wrote to memory of 3988	5040	eae8d38a64fa2aec792eabb2da2a799e.exe	93
PID 3988 wrote to memory of 4828	3988	Loofnccf.exe	94
PID 3988 wrote to memory of 4828	3988	Loofnccf.exe	94
PID 3988 wrote to memory of 4828	3988	Loofnccf.exe	94
PID 4828 wrote to memory of 3964	4828	Mpeiie32.exe	150
PID 4828 wrote to memory of 3964	4828	Mpeiie32.exe	150
PID 4828 wrote to memory of 3964	4828	Mpeiie32.exe	150
PID 3964 wrote to memory of 4820	3964	Mqhfoebo.exe	95
PID 3964 wrote to memory of 4820	3964	Mqhfoebo.exe	95
PID 3964 wrote to memory of 4820	3964	Mqhfoebo.exe	95
PID 4820 wrote to memory of 2184	4820	Nfgklkoc.exe	96
PID 4820 wrote to memory of 2184	4820	Nfgklkoc.exe	96
PID 4820 wrote to memory of 2184	4820	Nfgklkoc.exe	96
PID 2184 wrote to memory of 4424	2184	Nhhdnf32.exe	100
PID 2184 wrote to memory of 4424	2184	Nhhdnf32.exe	100
PID 2184 wrote to memory of 4424	2184	Nhhdnf32.exe	100
PID 4424 wrote to memory of 1580	4424	Nbbeml32.exe	97
PID 4424 wrote to memory of 1580	4424	Nbbeml32.exe	97
PID 4424 wrote to memory of 1580	4424	Nbbeml32.exe	97
PID 1580 wrote to memory of 3304	1580	Ncbafoge.exe	98
PID 1580 wrote to memory of 3304	1580	Ncbafoge.exe	98
PID 1580 wrote to memory of 3304	1580	Ncbafoge.exe	98
PID 3304 wrote to memory of 1260	3304	Nqfbpb32.exe	99
PID 3304 wrote to memory of 1260	3304	Nqfbpb32.exe	99
PID 3304 wrote to memory of 1260	3304	Nqfbpb32.exe	99
PID 1260 wrote to memory of 976	1260	Ookoaokf.exe	101
PID 1260 wrote to memory of 976	1260	Ookoaokf.exe	101
PID 1260 wrote to memory of 976	1260	Ookoaokf.exe	101
PID 976 wrote to memory of 776	976	Ocihgnam.exe	149
PID 976 wrote to memory of 776	976	Ocihgnam.exe	149
PID 976 wrote to memory of 776	976	Ocihgnam.exe	149
PID 776 wrote to memory of 3048	776	Ojhiogdd.exe	102
PID 776 wrote to memory of 3048	776	Ojhiogdd.exe	102
PID 776 wrote to memory of 3048	776	Ojhiogdd.exe	102
PID 3048 wrote to memory of 3520	3048	Pfojdh32.exe	103
PID 3048 wrote to memory of 3520	3048	Pfojdh32.exe	103
PID 3048 wrote to memory of 3520	3048	Pfojdh32.exe	103
PID 3520 wrote to memory of 1796	3520	Pbekii32.exe	143
PID 3520 wrote to memory of 1796	3520	Pbekii32.exe	143
PID 3520 wrote to memory of 1796	3520	Pbekii32.exe	143
PID 1796 wrote to memory of 640	1796	Ppikbm32.exe	142
PID 1796 wrote to memory of 640	1796	Ppikbm32.exe	142
PID 1796 wrote to memory of 640	1796	Ppikbm32.exe	142
PID 640 wrote to memory of 3656	640	Pbhgoh32.exe	104
PID 640 wrote to memory of 3656	640	Pbhgoh32.exe	104
PID 640 wrote to memory of 3656	640	Pbhgoh32.exe	104
PID 3656 wrote to memory of 4388	3656	Pjoppf32.exe	105
PID 3656 wrote to memory of 4388	3656	Pjoppf32.exe	105
PID 3656 wrote to memory of 4388	3656	Pjoppf32.exe	105
PID 4388 wrote to memory of 5044	4388	Pmphaaln.exe	141
PID 4388 wrote to memory of 5044	4388	Pmphaaln.exe	141
PID 4388 wrote to memory of 5044	4388	Pmphaaln.exe	141
PID 5044 wrote to memory of 404	5044	Qamago32.exe	107
PID 5044 wrote to memory of 404	5044	Qamago32.exe	107
PID 5044 wrote to memory of 404	5044	Qamago32.exe	107
PID 404 wrote to memory of 3844	404	Qbonoghb.exe	106
PID 404 wrote to memory of 3844	404	Qbonoghb.exe	106
PID 404 wrote to memory of 3844	404	Qbonoghb.exe	106
PID 3844 wrote to memory of 1600	3844	Qbajeg32.exe	140
PID 3844 wrote to memory of 1600	3844	Qbajeg32.exe	140
PID 3844 wrote to memory of 1600	3844	Qbajeg32.exe	140
PID 1600 wrote to memory of 3460	1600	Apeknk32.exe	108

C:\Users\Admin\AppData\Local\Temp\eae8d38a64fa2aec792eabb2da2a799e.exe
"C:\Users\Admin\AppData\Local\Temp\eae8d38a64fa2aec792eabb2da2a799e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Windows\SysWOW64\Loofnccf.exe
  C:\Windows\system32\Loofnccf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3988
- - C:\Windows\SysWOW64\Mpeiie32.exe
    C:\Windows\system32\Mpeiie32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4828
  - - C:\Windows\SysWOW64\Mqhfoebo.exe
      C:\Windows\system32\Mqhfoebo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3964

C:\Windows\SysWOW64\Nfgklkoc.exe
C:\Windows\system32\Nfgklkoc.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Windows\SysWOW64\Nhhdnf32.exe
  C:\Windows\system32\Nhhdnf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\SysWOW64\Nbbeml32.exe
    C:\Windows\system32\Nbbeml32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4424

C:\Windows\SysWOW64\Ncbafoge.exe
C:\Windows\system32\Ncbafoge.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Windows\SysWOW64\Nqfbpb32.exe
  C:\Windows\system32\Nqfbpb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3304
- - C:\Windows\SysWOW64\Ookoaokf.exe
    C:\Windows\system32\Ookoaokf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1260
  - - C:\Windows\SysWOW64\Ocihgnam.exe
      C:\Windows\system32\Ocihgnam.exe
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:976
    - - C:\Windows\SysWOW64\Ojhiogdd.exe
        
        C:\Windows\system32\Ojhiogdd.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:776

C:\Windows\SysWOW64\Pfojdh32.exe
C:\Windows\system32\Pfojdh32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\SysWOW64\Pbekii32.exe
  C:\Windows\system32\Pbekii32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3520
- - C:\Windows\SysWOW64\Ppikbm32.exe
    C:\Windows\system32\Ppikbm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1796

C:\Windows\SysWOW64\Pjoppf32.exe
C:\Windows\system32\Pjoppf32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3656
- C:\Windows\SysWOW64\Pmphaaln.exe
  C:\Windows\system32\Pmphaaln.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4388
- - C:\Windows\SysWOW64\Qamago32.exe
    C:\Windows\system32\Qamago32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:5044

C:\Windows\SysWOW64\Qbajeg32.exe
C:\Windows\system32\Qbajeg32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3844
- C:\Windows\SysWOW64\Apeknk32.exe
  C:\Windows\system32\Apeknk32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1600

C:\Windows\SysWOW64\Qbonoghb.exe
C:\Windows\system32\Qbonoghb.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:404

C:\Windows\SysWOW64\Apjdikqd.exe
C:\Windows\system32\Apjdikqd.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3460
- C:\Windows\SysWOW64\Aaiqcnhg.exe
  C:\Windows\system32\Aaiqcnhg.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:1960
- - C:\Windows\SysWOW64\Afhfaddk.exe
    C:\Windows\system32\Afhfaddk.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Modifies registry class
    PID:692
  - - C:\Windows\SysWOW64\Bdlfjh32.exe
      C:\Windows\system32\Bdlfjh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      PID:3688

C:\Windows\SysWOW64\Bfaigclq.exe
C:\Windows\system32\Bfaigclq.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3684
- C:\Windows\SysWOW64\Bpjmph32.exe
  C:\Windows\system32\Bpjmph32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID:1584
- - C:\Windows\SysWOW64\Bgdemb32.exe
    C:\Windows\system32\Bgdemb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Drops file in System32 directory
    - Modifies registry class
    PID:1132
  - - C:\Windows\SysWOW64\Cmnnimak.exe
      C:\Windows\system32\Cmnnimak.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      PID:860
    - - C:\Windows\SysWOW64\Cpljehpo.exe
        
        C:\Windows\system32\Cpljehpo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4312
      - C:\Windows\SysWOW64\Cienon32.exe
        
        C:\Windows\system32\Cienon32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:792
        
        C:\Windows\SysWOW64\Cpogkhnl.exe
        
        C:\Windows\system32\Cpogkhnl.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:680
        
        C:\Windows\SysWOW64\Cgiohbfi.exe
        
        C:\Windows\system32\Cgiohbfi.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Cmbgdl32.exe
        
        C:\Windows\system32\Cmbgdl32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4764

C:\Windows\SysWOW64\Ciihjmcj.exe
C:\Windows\system32\Ciihjmcj.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:400
- C:\Windows\SysWOW64\Cpcpfg32.exe
  C:\Windows\system32\Cpcpfg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:868

C:\Windows\SysWOW64\Cgmhcaac.exe
C:\Windows\system32\Cgmhcaac.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3332
- C:\Windows\SysWOW64\Cmgqpkip.exe
  C:\Windows\system32\Cmgqpkip.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:4920

C:\Windows\SysWOW64\Dgpeha32.exe
C:\Windows\system32\Dgpeha32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3588
- C:\Windows\SysWOW64\Dinael32.exe
  C:\Windows\system32\Dinael32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2080
- - C:\Windows\SysWOW64\Dphiaffa.exe
    C:\Windows\system32\Dphiaffa.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    PID:1848

C:\Windows\SysWOW64\Diqnjl32.exe
C:\Windows\system32\Diqnjl32.exe
1⤵
- Executes dropped EXE
PID:4800
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 412
  2⤵
  - Program crash
  PID:5148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4800 -ip 4800
1⤵
PID:4476

C:\Windows\SysWOW64\Cdaile32.exe
C:\Windows\system32\Cdaile32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4620

C:\Windows\SysWOW64\Cdmoafdb.exe
C:\Windows\system32\Cdmoafdb.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3132

C:\Windows\SysWOW64\Bdcmkgmm.exe
C:\Windows\system32\Bdcmkgmm.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3816

C:\Windows\SysWOW64\Bmidnm32.exe
C:\Windows\system32\Bmidnm32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2484

C:\Windows\SysWOW64\Bmggingc.exe
C:\Windows\system32\Bmggingc.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4832

C:\Windows\SysWOW64\Bfmolc32.exe
C:\Windows\system32\Bfmolc32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2104

C:\Windows\SysWOW64\Bdocph32.exe
C:\Windows\system32\Bdocph32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4160

C:\Windows\SysWOW64\Biiobo32.exe
C:\Windows\system32\Biiobo32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:804

C:\Windows\SysWOW64\Pbhgoh32.exe
C:\Windows\system32\Pbhgoh32.exe
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Loofnccf.exe

Filesize
592KB

MD5
12a2d767926cc9941e621cdd4ec38596

SHA1
0dc9cb01b6a262903bafa40285104a09e2584b1f

SHA256
46cfd492f69136e6a7bd32abf3ff2e16b30e8424ffd0a8ec1e71b5b8c6fd995a

SHA512
39c8618948726271d695344a77041117072328ad38bcb2be0ba06b00a33386bc422f532d7092c791dfdbcc2fd80cd13171f32bfa47ecd4f43239038f4dc15eca

Download Submit
C:\Windows\SysWOW64\Mpeiie32.exe

Filesize
592KB

MD5
b1ba147b4c632aeaa6167d619794cb6b

SHA1
e21973a89ccbaf72d2017327a57ef02ebeb59c06

SHA256
e1cc429ed8f503cc5f79454f1b57f9ac9b0cd24fb7096ac7316c650ba20b88cd

SHA512
e452d3d68a64137b28d0d72738b3fa0c308db744c70580665bec0a7b8cf6b3f1eb00774d33828540b842adea7c5774c281d925c7ee9a67986fbc69485ffaf778

Download Submit
C:\Windows\SysWOW64\Mqhfoebo.exe

Filesize
592KB

MD5
5c585712f54360b6add04b29c60a8ede

SHA1
58f4ca7a0c9c070866ebd786798b92eb3a970d74

SHA256
4a8c83cd4d92070ecdfb26f5e760705a9194a31d7db12750b2d0ce89f2f72622

SHA512
f44595da2f1777044051593d5c7aa6aadbd0bc0691dfc7a415e668d347f0da35a5636beeababddc355d2b3933282367d2b08c2463259c135d5a2f14ced4e6a41

Download Submit
C:\Windows\SysWOW64\Nbbeml32.exe

Filesize
93KB

MD5
c2ddc846e625e082bd74f070b322486c

SHA1
47ea19c58ced847ecf0769f2d0cfbd141cbe6f76

SHA256
92ac7a857f2f8bf05e32c70e33dc289016f2fb12931378d4d7bcce4e3eb61927

SHA512
6a2ad3da5e8b0717898ee1453995e1df72c1cc4e7fbf0367940ba6cd9af8b5492296031ce0326980ad70c5bedb0d0126e35e53ec60c47655652dba7f8fe2cb17

Download Submit
C:\Windows\SysWOW64\Nfgklkoc.exe

Filesize
93KB

MD5
00bdec939c583c54716b4cee9c3c1470

SHA1
3fa08bd50c18fccec05915b2d6b263afceb6ba79

SHA256
d22d26cc2289c1c4fb7d6b87c3dd443bd4d5f232d1421ea0e4689f5d41be9c92

SHA512
0b3da2cc7c60496dbb880a90d92655ee1addca86776648f9ea252be9a6b95534b4c2d3465581df74642579e9c6ead4c5cb454588ec41698a8358730e5d0569c3

Download Submit
C:\Windows\SysWOW64\Nfgklkoc.exe

Filesize
92KB

MD5
f0c57771893e1a9b2a4715b146ddb908

SHA1
ec5b4bd69dffeb0aaf70abab6a0e74c119cce292

SHA256
fd091444c1e863cd38a304ef61dbeab283b7bd382faa81afc3b1b351273fa51a

SHA512
cf3722e30b85a22988c9c18820c683acc618e4050c02b92e3645bf8221f4bd59216643382c35787ee7ca97de9c0cefa2192d04b3a4570e3e32b1d0c2ca8a4b0f

Download Submit
C:\Windows\SysWOW64\Nfgklkoc.exe

Filesize
365KB

MD5
9e5d1b38feb9e96ab3b90bdfc6833e64

SHA1
7f8210171d28941605af9710c0a57bf69e7fdc84

SHA256
8f4a7ae264d9fbe72a1897ec99d0509e9c28e8fcdaeb77a03b30e9ea37aa71e1

SHA512
2b25d48fc14c5e597e33bbd44aaee3a5421e5dd8f0baf5af4a6b2aa067221b85d74bc6c182f44a64b32adbe08f86d079df15010ae5d7ffa102a84106a07ebb9f

Download Submit
C:\Windows\SysWOW64\Nhhdnf32.exe

Filesize
592KB

MD5
2f3a62a2a2363ff55902509a9be02a23

SHA1
fca0e547684372452cb5e1d2f2a4a212f753e27b

SHA256
b59e71364f969fd8cc03c0763a39e70ddfcc2c065b7717dd69371fdb7f912531

SHA512
2458098beda24e9317fdb9c76967fdfe1bb226de9b583fbde06fcc7cb99569a4d9e16c1c79e5b180b4ed80c028f808159dd96e9d97f58c07cac9220c82a840cc

Download Submit
C:\Windows\SysWOW64\Nhhdnf32.exe

Filesize
381KB

MD5
0544f0092de0e03619589848abdbd7ba

SHA1
4a6c97d3a755537aaf5a0e00b098b0a5e60fb0d0

SHA256
447643a862a872ee176784a4395235acc63ee113b75c430691ae0f86daeab85c

SHA512
2928590eb418cad02fb5e4c53d540f7dbbcacf05a630efeffd29ca2988df2a74e23ce55f18a7ab3962711dae6f79839b269d75675acd063385be92ced2503b7f

Download Submit
C:\Windows\SysWOW64\Ocihgnam.exe

Filesize
592KB

MD5
5286af16051de0bd78412039ef627cc0

SHA1
e5bc32a7a5a85c5041efefc96b4ea52e9f041af9

SHA256
5f7aa7daccdcbee77dd9724bc4ac5790730f8bef475e0fc4887682265eb58ae4

SHA512
c2518c9e6fb5a5a98e2c58325820584c4158ff4567bb2e65cc116903d52b4148629a46961d31bce6b9acb098bbd0dd0bc2b156c467f894de37d885994c1bf267

Download Submit
C:\Windows\SysWOW64\Ojhiogdd.exe

Filesize
592KB

MD5
a0c5976c21f982e803b91350ce22fd67

SHA1
9fb20fae2420fa24d2ed605f9da94e104e3cf134

SHA256
1b0620bfb011a686bf562543e0092cc1ea189748abe4b2293eb791375916998b

SHA512
0f9491072e7834afc3d8ba4a82769266626bb829bd73bcc36fd135195d74154a7fe5509b94b5f8a622c91bd8a624319d44bc60fb7015cabfb71ec706f110d308

Download Submit
C:\Windows\SysWOW64\Pbekii32.exe

Filesize
592KB

MD5
28b0a30feebcd63971b06edc6b8723dc

SHA1
eeb8f4cc48306aafdd5bc71395184a0305d6e5cb

SHA256
6c9bd7e6470d36cb2ef1480b15eecd914427d28299921ec87786948def57292f

SHA512
2cc96ac2633995a35de41ebd12144adb06c83adf77a661f34ba5b0ce7e7b02e55498453eb48df296af1428fc006253b856672e5ba6199d846252ab11dcce749b

Download Submit
C:\Windows\SysWOW64\Pbhgoh32.exe

Filesize
592KB

MD5
92e89e4876746fc645c6da35bf6d7bbd

SHA1
08b3fae2e67b1b972b075b609d7809590d0fc997

SHA256
113cefc284c8e86ee91090a5d541cce8b660fef50dd9b7e78e265e5ef320a778

SHA512
73f62ebe12cbd31e572000c6493fdc43ede9ba9c3819ef4a278f49493180ec808da7c11acb416787f4ec2c8d43c06b0c56089696846a674b3e8f59edfb7cb342

Download Submit
C:\Windows\SysWOW64\Pfojdh32.exe

Filesize
592KB

MD5
7703f94e88ec3953a5e5dc741114c20a

SHA1
f88258de423b5dbfc6fd557e56d0befd63cc2e47

SHA256
316f589e5e1382015c338eace68630f3bc27a53312f1f684b83fb3af76b01c9d

SHA512
b9e36f23483303d94dac82aa977e2a77b350e28c0106a168414e568b7aeff21374d557880e9a35d4b0aef540fee73c290b93765b922f40364185742a9d791b0f

Download Submit
C:\Windows\SysWOW64\Ppikbm32.exe

Filesize
592KB

MD5
cf4ed27d4ad2aa6ca991a0834b223569

SHA1
00af33168769cb73a33323724b6f8e0e106f81b7

SHA256
92daa057d8387937d0f745c7dfd247c5ff219120de303a3a5263f0d34adbed7a

SHA512
0e1e66f610895b767cdc3b461968e3ce0c54a7f4eda2e544e1d7ca54b01496ee98c1c134615ab647b51fbaf4ff385c8a4a90b85cbf6ddffa2bb8079d799f4a0a

Download Submit
memory/400-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/400-369-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/404-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/404-392-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/640-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/640-396-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/680-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/680-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/692-387-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/692-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/776-399-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/776-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/792-374-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/792-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/804-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/804-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/860-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/860-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/868-318-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/868-368-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/976-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/976-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1132-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1132-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1260-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1260-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1584-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1600-390-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1600-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1796-411-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1796-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1848-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1848-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2080-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2080-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2104-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2104-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2484-381-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3132-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3132-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3304-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3304-402-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3332-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3460-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3460-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3520-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3656-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3656-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3684-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3684-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3688-386-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3688-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3816-380-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3816-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3844-391-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3844-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3964-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3964-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3988-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3988-409-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4160-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4160-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4312-375-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4312-276-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4388-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4388-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4408-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4408-372-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4424-404-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4424-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4620-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4620-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4764-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4800-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4800-360-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4820-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4820-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-408-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4832-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4832-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4920-366-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4920-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5040-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5040-7-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5044-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5044-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads