deee8f2447bea41f1084c1451d44f622c52d7d00a2c13aae6f2ceb239c50de7b

Analysis

max time kernel
141s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2024, 00:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

deee8f2447bea41f1084c1451d44f622c52d7d00a2c13aae6f2ceb239c50de7b.exe
Size

96KB
MD5

0c415a1b7b52f60e0f913dc46641b7a8
SHA1

15940cafc37910cfb97bc034af3ed18882e4a219
SHA256

deee8f2447bea41f1084c1451d44f622c52d7d00a2c13aae6f2ceb239c50de7b
SHA512

2b6c362865ebec799eb49d0cf7a6228eef1c638b45f6503e4a6a1b79598c77e1b8f2571193470c80e5696b7223d358d5793fa884f4afb12eab20deffb46a3800
SSDEEP

1536:k7FIZ8787cimta6soKatoovDUJxMCUf4uWbNhrUQVoMdUT+irF:k7FIZfACatoovDUJxMpfEbNhr1Rhk

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkcigjel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbdiknlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oqklkbbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ciihjmcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dpjfgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eafbmgad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nfldgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	deee8f2447bea41f1084c1451d44f622c52d7d00a2c13aae6f2ceb239c50de7b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aplaoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpjfgf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ijiopd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jeolckne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Noblkqca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcgdhkem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdaile32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jblflp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Loemnnhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofgdcipq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqoefand.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	deee8f2447bea41f1084c1451d44f622c52d7d00a2c13aae6f2ceb239c50de7b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mbdiknlb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfldgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apggckbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jeolckne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obgohklm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Oqoefand.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdocph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jblflp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbbeml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdaile32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fkcpql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbjbnnfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Loemnnhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gkcigjel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Kbjbnnfg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Noblkqca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ofgdcipq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjhfif32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhoeef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmdblp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qmdblp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdocph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ijiopd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Jhoeef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apggckbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgiohbfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkcpql32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iaedanal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iaedanal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oqklkbbi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcgdhkem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgiohbfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciihjmcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eafbmgad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbbeml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Obgohklm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aplaoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gjhfif32.exe

Executes dropped EXE 29 IoCs

pid	Process
3232	Mbdiknlb.exe
400	Noblkqca.exe
3476	Nfldgk32.exe
1864	Nbbeml32.exe
1928	Obgohklm.exe
3148	Oqklkbbi.exe
3608	Ofgdcipq.exe
2960	Oqoefand.exe
1388	Pcgdhkem.exe
4564	Qmdblp32.exe
2244	Apggckbf.exe
2364	Aplaoj32.exe
756	Bdocph32.exe
1164	Cgiohbfi.exe
3464	Ciihjmcj.exe
3332	Cdaile32.exe
536	Dpjfgf32.exe
4944	Eafbmgad.exe
4400	Fkcpql32.exe
924	Gkcigjel.exe
1796	Gjhfif32.exe
3812	Ijiopd32.exe
2752	Iaedanal.exe
3496	Jblflp32.exe
2156	Jeolckne.exe
3744	Jhoeef32.exe
2204	Kbjbnnfg.exe
3944	Loemnnhe.exe
852	Ldikgdpe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Noblkqca.exe	Mbdiknlb.exe
File created	C:\Windows\SysWOW64\Gjhfif32.exe	Gkcigjel.exe
File created	C:\Windows\SysWOW64\Eloeba32.dll	Jeolckne.exe
File created	C:\Windows\SysWOW64\Oqklkbbi.exe	Obgohklm.exe
File created	C:\Windows\SysWOW64\Fiplni32.dll	Cgiohbfi.exe
File created	C:\Windows\SysWOW64\Hpfiln32.dll	Gkcigjel.exe
File created	C:\Windows\SysWOW64\Jblflp32.exe	Iaedanal.exe
File opened for modification	C:\Windows\SysWOW64\Ldikgdpe.exe	Loemnnhe.exe
File opened for modification	C:\Windows\SysWOW64\Oqoefand.exe	Ofgdcipq.exe
File created	C:\Windows\SysWOW64\Fljhbbae.dll	Ofgdcipq.exe
File opened for modification	C:\Windows\SysWOW64\Ciihjmcj.exe	Cgiohbfi.exe
File created	C:\Windows\SysWOW64\Eafbmgad.exe	Dpjfgf32.exe
File created	C:\Windows\SysWOW64\Hlnecf32.dll	Ijiopd32.exe
File created	C:\Windows\SysWOW64\Nfldgk32.exe	Noblkqca.exe
File opened for modification	C:\Windows\SysWOW64\Nbbeml32.exe	Nfldgk32.exe
File created	C:\Windows\SysWOW64\Apggckbf.exe	Qmdblp32.exe
File opened for modification	C:\Windows\SysWOW64\Bdocph32.exe	Aplaoj32.exe
File created	C:\Windows\SysWOW64\Lqcnhf32.dll	Gjhfif32.exe
File opened for modification	C:\Windows\SysWOW64\Gkcigjel.exe	Fkcpql32.exe
File opened for modification	C:\Windows\SysWOW64\Gjhfif32.exe	Gkcigjel.exe
File opened for modification	C:\Windows\SysWOW64\Jhoeef32.exe	Jeolckne.exe
File created	C:\Windows\SysWOW64\Ldikgdpe.exe	Loemnnhe.exe
File created	C:\Windows\SysWOW64\Bekdaogi.dll	Loemnnhe.exe
File created	C:\Windows\SysWOW64\Aemghi32.dll	deee8f2447bea41f1084c1451d44f622c52d7d00a2c13aae6f2ceb239c50de7b.exe
File opened for modification	C:\Windows\SysWOW64\Obgohklm.exe	Nbbeml32.exe
File created	C:\Windows\SysWOW64\Pqolaipg.dll	Nbbeml32.exe
File created	C:\Windows\SysWOW64\Pencqe32.dll	Oqoefand.exe
File created	C:\Windows\SysWOW64\Japjfm32.dll	Jhoeef32.exe
File created	C:\Windows\SysWOW64\Odanidih.dll	Eafbmgad.exe
File opened for modification	C:\Windows\SysWOW64\Kbjbnnfg.exe	Jhoeef32.exe
File created	C:\Windows\SysWOW64\Mbdiknlb.exe	deee8f2447bea41f1084c1451d44f622c52d7d00a2c13aae6f2ceb239c50de7b.exe
File created	C:\Windows\SysWOW64\Ghnllm32.dll	Mbdiknlb.exe
File created	C:\Windows\SysWOW64\Bpenhh32.dll	Nfldgk32.exe
File opened for modification	C:\Windows\SysWOW64\Oqklkbbi.exe	Obgohklm.exe
File created	C:\Windows\SysWOW64\Fkcpql32.exe	Eafbmgad.exe
File created	C:\Windows\SysWOW64\Dodipp32.dll	Jblflp32.exe
File created	C:\Windows\SysWOW64\Qmdblp32.exe	Pcgdhkem.exe
File created	C:\Windows\SysWOW64\Bhkhop32.dll	Apggckbf.exe
File created	C:\Windows\SysWOW64\Cdaile32.exe	Ciihjmcj.exe
File created	C:\Windows\SysWOW64\Ijiopd32.exe	Gjhfif32.exe
File created	C:\Windows\SysWOW64\Iaedanal.exe	Ijiopd32.exe
File created	C:\Windows\SysWOW64\Dpjfgf32.exe	Cdaile32.exe
File created	C:\Windows\SysWOW64\Gkcigjel.exe	Fkcpql32.exe
File opened for modification	C:\Windows\SysWOW64\Ijiopd32.exe	Gjhfif32.exe
File created	C:\Windows\SysWOW64\Obgohklm.exe	Nbbeml32.exe
File created	C:\Windows\SysWOW64\Oqoefand.exe	Ofgdcipq.exe
File opened for modification	C:\Windows\SysWOW64\Aplaoj32.exe	Apggckbf.exe
File created	C:\Windows\SysWOW64\Dbcdbi32.dll	Aplaoj32.exe
File opened for modification	C:\Windows\SysWOW64\Cgiohbfi.exe	Bdocph32.exe
File created	C:\Windows\SysWOW64\Bdocph32.exe	Aplaoj32.exe
File created	C:\Windows\SysWOW64\Ciihjmcj.exe	Cgiohbfi.exe
File created	C:\Windows\SysWOW64\Clbidkde.dll	Ciihjmcj.exe
File opened for modification	C:\Windows\SysWOW64\Mbdiknlb.exe	deee8f2447bea41f1084c1451d44f622c52d7d00a2c13aae6f2ceb239c50de7b.exe
File created	C:\Windows\SysWOW64\Nnndji32.dll	Obgohklm.exe
File created	C:\Windows\SysWOW64\Gejimf32.dll	Oqklkbbi.exe
File opened for modification	C:\Windows\SysWOW64\Apggckbf.exe	Qmdblp32.exe
File created	C:\Windows\SysWOW64\Hhdjkflc.dll	Qmdblp32.exe
File created	C:\Windows\SysWOW64\Kbjbnnfg.exe	Jhoeef32.exe
File created	C:\Windows\SysWOW64\Pcgdhkem.exe	Oqoefand.exe
File created	C:\Windows\SysWOW64\Eiahpo32.dll	Bdocph32.exe
File opened for modification	C:\Windows\SysWOW64\Cdaile32.exe	Ciihjmcj.exe
File opened for modification	C:\Windows\SysWOW64\Jblflp32.exe	Iaedanal.exe
File opened for modification	C:\Windows\SysWOW64\Jeolckne.exe	Jblflp32.exe
File created	C:\Windows\SysWOW64\Ofgdcipq.exe	Oqklkbbi.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3112	852	WerFault.exe	128

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clbidkde.dll"	Ciihjmcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eafbmgad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igkilc32.dll"	Noblkqca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fljhbbae.dll"	Ofgdcipq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdocph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgiohbfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodipp32.dll"	Jblflp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jblflp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ofgdcipq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpfiln32.dll"	Gkcigjel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ijiopd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqpbcn32.dll"	Iaedanal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahhgi32.dll"	Fkcpql32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eloeba32.dll"	Jeolckne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jhoeef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgidjfjk.dll"	Pcgdhkem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aplaoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdaile32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dpjfgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiahpo32.dll"	Bdocph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Kbjbnnfg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	deee8f2447bea41f1084c1451d44f622c52d7d00a2c13aae6f2ceb239c50de7b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mbdiknlb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqolaipg.dll"	Nbbeml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Obgohklm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhkhop32.dll"	Apggckbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Jeolckne.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	deee8f2447bea41f1084c1451d44f622c52d7d00a2c13aae6f2ceb239c50de7b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aemghi32.dll"	deee8f2447bea41f1084c1451d44f622c52d7d00a2c13aae6f2ceb239c50de7b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghnllm32.dll"	Mbdiknlb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Oqklkbbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Noblkqca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aplaoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ciihjmcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Loemnnhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejimf32.dll"	Oqklkbbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oqoefand.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qmdblp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mbdiknlb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nfldgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpenhh32.dll"	Nfldgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbbeml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nfldgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Jhoeef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Japjfm32.dll"	Jhoeef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Kbjbnnfg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Loemnnhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnakbdid.dll"	Cdaile32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aolphl32.dll"	Dpjfgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dpjfgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gkcigjel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gjhfif32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Noblkqca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Oqklkbbi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcdbi32.dll"	Aplaoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiplni32.dll"	Cgiohbfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqcnhf32.dll"	Gjhfif32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iaedanal.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnndji32.dll"	Obgohklm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ofgdcipq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhdjkflc.dll"	Qmdblp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eafbmgad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdocph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ciihjmcj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 3232	740	deee8f2447bea41f1084c1451d44f622c52d7d00a2c13aae6f2ceb239c50de7b.exe	100
PID 740 wrote to memory of 3232	740	deee8f2447bea41f1084c1451d44f622c52d7d00a2c13aae6f2ceb239c50de7b.exe	100
PID 740 wrote to memory of 3232	740	deee8f2447bea41f1084c1451d44f622c52d7d00a2c13aae6f2ceb239c50de7b.exe	100
PID 3232 wrote to memory of 400	3232	Mbdiknlb.exe	101
PID 3232 wrote to memory of 400	3232	Mbdiknlb.exe	101
PID 3232 wrote to memory of 400	3232	Mbdiknlb.exe	101
PID 400 wrote to memory of 3476	400	Noblkqca.exe	102
PID 400 wrote to memory of 3476	400	Noblkqca.exe	102
PID 400 wrote to memory of 3476	400	Noblkqca.exe	102
PID 3476 wrote to memory of 1864	3476	Nfldgk32.exe	103
PID 3476 wrote to memory of 1864	3476	Nfldgk32.exe	103
PID 3476 wrote to memory of 1864	3476	Nfldgk32.exe	103
PID 1864 wrote to memory of 1928	1864	Nbbeml32.exe	104
PID 1864 wrote to memory of 1928	1864	Nbbeml32.exe	104
PID 1864 wrote to memory of 1928	1864	Nbbeml32.exe	104
PID 1928 wrote to memory of 3148	1928	Obgohklm.exe	105
PID 1928 wrote to memory of 3148	1928	Obgohklm.exe	105
PID 1928 wrote to memory of 3148	1928	Obgohklm.exe	105
PID 3148 wrote to memory of 3608	3148	Oqklkbbi.exe	106
PID 3148 wrote to memory of 3608	3148	Oqklkbbi.exe	106
PID 3148 wrote to memory of 3608	3148	Oqklkbbi.exe	106
PID 3608 wrote to memory of 2960	3608	Ofgdcipq.exe	107
PID 3608 wrote to memory of 2960	3608	Ofgdcipq.exe	107
PID 3608 wrote to memory of 2960	3608	Ofgdcipq.exe	107
PID 2960 wrote to memory of 1388	2960	Oqoefand.exe	108
PID 2960 wrote to memory of 1388	2960	Oqoefand.exe	108
PID 2960 wrote to memory of 1388	2960	Oqoefand.exe	108
PID 1388 wrote to memory of 4564	1388	Pcgdhkem.exe	109
PID 1388 wrote to memory of 4564	1388	Pcgdhkem.exe	109
PID 1388 wrote to memory of 4564	1388	Pcgdhkem.exe	109
PID 4564 wrote to memory of 2244	4564	Qmdblp32.exe	110
PID 4564 wrote to memory of 2244	4564	Qmdblp32.exe	110
PID 4564 wrote to memory of 2244	4564	Qmdblp32.exe	110
PID 2244 wrote to memory of 2364	2244	Apggckbf.exe	111
PID 2244 wrote to memory of 2364	2244	Apggckbf.exe	111
PID 2244 wrote to memory of 2364	2244	Apggckbf.exe	111
PID 2364 wrote to memory of 756	2364	Aplaoj32.exe	112
PID 2364 wrote to memory of 756	2364	Aplaoj32.exe	112
PID 2364 wrote to memory of 756	2364	Aplaoj32.exe	112
PID 756 wrote to memory of 1164	756	Bdocph32.exe	113
PID 756 wrote to memory of 1164	756	Bdocph32.exe	113
PID 756 wrote to memory of 1164	756	Bdocph32.exe	113
PID 1164 wrote to memory of 3464	1164	Cgiohbfi.exe	114
PID 1164 wrote to memory of 3464	1164	Cgiohbfi.exe	114
PID 1164 wrote to memory of 3464	1164	Cgiohbfi.exe	114
PID 3464 wrote to memory of 3332	3464	Ciihjmcj.exe	115
PID 3464 wrote to memory of 3332	3464	Ciihjmcj.exe	115
PID 3464 wrote to memory of 3332	3464	Ciihjmcj.exe	115
PID 3332 wrote to memory of 536	3332	Cdaile32.exe	116
PID 3332 wrote to memory of 536	3332	Cdaile32.exe	116
PID 3332 wrote to memory of 536	3332	Cdaile32.exe	116
PID 536 wrote to memory of 4944	536	Dpjfgf32.exe	117
PID 536 wrote to memory of 4944	536	Dpjfgf32.exe	117
PID 536 wrote to memory of 4944	536	Dpjfgf32.exe	117
PID 4944 wrote to memory of 4400	4944	Eafbmgad.exe	118
PID 4944 wrote to memory of 4400	4944	Eafbmgad.exe	118
PID 4944 wrote to memory of 4400	4944	Eafbmgad.exe	118
PID 4400 wrote to memory of 924	4400	Fkcpql32.exe	119
PID 4400 wrote to memory of 924	4400	Fkcpql32.exe	119
PID 4400 wrote to memory of 924	4400	Fkcpql32.exe	119
PID 924 wrote to memory of 1796	924	Gkcigjel.exe	120
PID 924 wrote to memory of 1796	924	Gkcigjel.exe	120
PID 924 wrote to memory of 1796	924	Gkcigjel.exe	120
PID 1796 wrote to memory of 3812	1796	Gjhfif32.exe	121

C:\Users\Admin\AppData\Local\Temp\deee8f2447bea41f1084c1451d44f622c52d7d00a2c13aae6f2ceb239c50de7b.exe
"C:\Users\Admin\AppData\Local\Temp\deee8f2447bea41f1084c1451d44f622c52d7d00a2c13aae6f2ceb239c50de7b.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:740
- C:\Windows\SysWOW64\Mbdiknlb.exe
  C:\Windows\system32\Mbdiknlb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3232
- - C:\Windows\SysWOW64\Noblkqca.exe
    C:\Windows\system32\Noblkqca.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:400
  - - C:\Windows\SysWOW64\Nfldgk32.exe
      C:\Windows\system32\Nfldgk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3476
    - - C:\Windows\SysWOW64\Nbbeml32.exe
        
        C:\Windows\system32\Nbbeml32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1864
      - C:\Windows\SysWOW64\Obgohklm.exe
        
        C:\Windows\system32\Obgohklm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\Oqklkbbi.exe
        
        C:\Windows\system32\Oqklkbbi.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3148
        
        C:\Windows\SysWOW64\Ofgdcipq.exe
        
        C:\Windows\system32\Ofgdcipq.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\SysWOW64\Oqoefand.exe
        
        C:\Windows\system32\Oqoefand.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Pcgdhkem.exe
        
        C:\Windows\system32\Pcgdhkem.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\Qmdblp32.exe
        
        C:\Windows\system32\Qmdblp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Apggckbf.exe
        
        C:\Windows\system32\Apggckbf.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\SysWOW64\Aplaoj32.exe
        
        C:\Windows\system32\Aplaoj32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\Bdocph32.exe
        
        C:\Windows\system32\Bdocph32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\SysWOW64\Cgiohbfi.exe
        
        C:\Windows\system32\Cgiohbfi.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\SysWOW64\Ciihjmcj.exe
        
        C:\Windows\system32\Ciihjmcj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\SysWOW64\Cdaile32.exe
        
        C:\Windows\system32\Cdaile32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3332
        
        C:\Windows\SysWOW64\Dpjfgf32.exe
        
        C:\Windows\system32\Dpjfgf32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Eafbmgad.exe
        
        C:\Windows\system32\Eafbmgad.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\Fkcpql32.exe
        
        C:\Windows\system32\Fkcpql32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\Gkcigjel.exe
        
        C:\Windows\system32\Gkcigjel.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Windows\SysWOW64\Gjhfif32.exe
        
        C:\Windows\system32\Gjhfif32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\SysWOW64\Ijiopd32.exe
        
        C:\Windows\system32\Ijiopd32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3812
        
        C:\Windows\SysWOW64\Iaedanal.exe
        
        C:\Windows\system32\Iaedanal.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2752
        
        C:\Windows\SysWOW64\Jblflp32.exe
        
        C:\Windows\system32\Jblflp32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3496
        
        C:\Windows\SysWOW64\Jeolckne.exe
        
        C:\Windows\system32\Jeolckne.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2156
        
        C:\Windows\SysWOW64\Jhoeef32.exe
        
        C:\Windows\system32\Jhoeef32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3744
        
        C:\Windows\SysWOW64\Kbjbnnfg.exe
        
        C:\Windows\system32\Kbjbnnfg.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\Loemnnhe.exe
        
        C:\Windows\system32\Loemnnhe.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Ldikgdpe.exe
        
        C:\Windows\system32\Ldikgdpe.exe
        30⤵
        Executes dropped EXE
        
        PID:852
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 424
        31⤵
        Program crash
        
        PID:3112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 852 -ip 852
1⤵
PID:3328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
1⤵
PID:1456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Apggckbf.exe

Filesize
96KB

MD5
d0427ed112d8beb9b350a9769cd6858a

SHA1
c4302b1256556fc7e18e2f2f3308125f603cfd30

SHA256
a61c2c169c4c71fc267798e1e52ccb718bbdde02e25180411abea5b4163290e1

SHA512
b84614c2e4239a9c629e71d22d8406f5ddc9a229cfeb271c9de26d5e2560e33cbdd9f39b21e911c911d6eaf7058c872049648110f60dcdb6aa886aaf281b5626

Download Submit
C:\Windows\SysWOW64\Aplaoj32.exe

Filesize
96KB

MD5
72f4926e0c386902e69964af35aa5b16

SHA1
32f90e167184705ceb4207882248937c5f10aecb

SHA256
4be6d10436babf171912ad1a1c2a4676f4db8d8f30be9fb344a85653f8f380b6

SHA512
fc1d00427c284ec7ea7ecfbf1ef27a669606a348ca941241389fc5a046ca9443144175be2d04fa70326dbfaa8b7f2bf8c0a1be641fb00c0e273e7cd48ca643bc

Download Submit
C:\Windows\SysWOW64\Bdocph32.exe

Filesize
96KB

MD5
05f3a34cb6f65872b2f368f7195baf86

SHA1
4ab04ec4be2ba0d979aab3789591dd2d2d4ace87

SHA256
4edcab7510eac43b70245edb1a2e7f58687bbb3e10433b0fa9c4c10ff57b8d72

SHA512
42049c4c0d8bfc9d8bb63b12acaf49c204d2114e925ff249ee249542ce29eb67c08d1e01476eef84363ed88cf067ae83339b7873e8a5f8ff00fe9e4eaaf6824c

Download Submit
C:\Windows\SysWOW64\Cdaile32.exe

Filesize
96KB

MD5
c778167e47eda8e7bc6d7a20e6dc16cb

SHA1
e0bc5640140bd5edd8c2b6936917a1146b49d13d

SHA256
e92af9ebc5bb6697f59c6fad2de2e2e572e15d502bcb0f11d997f47106fc6664

SHA512
177a29810ae9fc9e9b63f359316b527a34a280c0d102245f86efe544818069b839e5bd6d7b82f88898011c08a562799e65255a348c2f72687c56b58e3cbf6087

Download Submit
C:\Windows\SysWOW64\Cgiohbfi.exe

Filesize
96KB

MD5
c795b12f62ebdef7ede9f39bf3b73f58

SHA1
c70009f8de7f5b8d2cd96899147ea34d3c1ca522

SHA256
be74726b7d1e8387afb502fba4e13ab2ddca875b4a954279845b22d50e4dd44b

SHA512
0eaa7583519dda225547a3baa792f5df252676419a96efdb3fa0dcb57879df06279cac26224d860851facd8227375c0b870a6eb173548e7b6cf5e8f7b777de80

Download Submit
C:\Windows\SysWOW64\Ciihjmcj.exe

Filesize
96KB

MD5
22245b1dfe40b5558f66fae2d49f19f3

SHA1
ac394d11e3b4beebf2097ed196fff28074d21110

SHA256
0d45790980de15ca1d9f4d7f2194ac0cb1862eaf9ed021ee7f4f45e7e2566ef2

SHA512
e778e794b7d67bdbf0ec04957206c8190327571f4d791ba69cd3ee8e592f1b8beda879c2f7d175d96e65bd481972a3094f496f8fe6ec150bbb8df0b64eea0d7f

Download Submit
C:\Windows\SysWOW64\Dpjfgf32.exe

Filesize
96KB

MD5
c076ac7177dcf8d6279d3011737bd416

SHA1
c4bc15bebcd26dcf4b9f98400db1228c590bb8d3

SHA256
39940e76a7a77b7a8511d342e5f391e8c4903cad12c1559bf333049c89e34eaf

SHA512
14c35cf1c6ab0115a69b61c76920b4760375333be8bde2dd4ac86145559c37faf823be4d84137c3a7c7642c87a82227dcb531c4c536e4bd70c45ea1640f75175

Download Submit
C:\Windows\SysWOW64\Eafbmgad.exe

Filesize
96KB

MD5
122af09ef9026972c11ca5c7382847e5

SHA1
684cf0010b36de5c15c35122a2ff197dc4cbbe8a

SHA256
a7a2ee5600bb0c9807ac4c75501cb8ea8ce13854ea766d7400977f8d22cd5478

SHA512
b62ba3a60bd900f7aa4d177ee757bf9a4e2e371325114cc0d8aeb944220d264e0e7dbf137a8a5aaf46454f1bd374b891485c24fd4517c2d31eab4605ab0dc617

Download Submit
C:\Windows\SysWOW64\Fkcpql32.exe

Filesize
96KB

MD5
b0e3ee98d611497abaafea06d6dfdb83

SHA1
1470f5423409c4f6356ec01fd03d47bb3bf9fdaf

SHA256
18159abd063373e1ae80d73c5f3db3c3b5c979c141c3770bc822c8580f0e1c78

SHA512
6eef85e0bc30d19beb790534b0b9a42e0a0900bd707c67dfa299b8a4b42736b45b7b17c0946e932755472baaf6596a49acfbc2a6ee85ec414b6db97d4ff7dd3f

Download Submit
C:\Windows\SysWOW64\Gjhfif32.exe

Filesize
96KB

MD5
5d1903a77127603acd0ec2bb19ba9a60

SHA1
46b192aaa8ce430ad9b82a09ea3f0ccbb59c16e0

SHA256
3e2ac20bfaca9b57bb58659ae8952a431cd246aeb6027ebbc253a79e94c09791

SHA512
f329f86892f5fb68d322f1c0f2b645e6ddc0b44b3035f28abc641e2ac97f9d87b4b4574ef33c973d8c83e26a358d3395c3a9d0ede0549cb9842237740b0831dd

Download Submit
C:\Windows\SysWOW64\Gkcigjel.exe

Filesize
96KB

MD5
57e671a8e5a01427bf4104604fe9e2c8

SHA1
2e34bb011fca943aae6bc540640b2f7af5cb14e8

SHA256
1d280944b724732efbfe7fa23e2ab7ff8736192a2de5366680487325d2cf375a

SHA512
45754a48243c85d80f662887027aaadf864a1e86deefeaeb2be146998ae9147dd953df28340d944cb27e306db4f06a66b4665bc9cbd9071be528b40c5bb3e84e

Download Submit
C:\Windows\SysWOW64\Iaedanal.exe

Filesize
96KB

MD5
560e91a25989d71068bf6e54fc03e334

SHA1
dcce97cf9e5bf3722259f1bf3e2703d3f8088cf6

SHA256
af1fe0674f7aa6bbdce931d4a04595e3e75a1a83344564bfcd82980972681475

SHA512
0891de1ff72b92e666507d91c272c10227e04c071287aa52df9a18050bb7615bbbfc1887f18b97165ae6d4f117d82724a9ae523e00c0a04ed9507b19e524d5cc

Download Submit
C:\Windows\SysWOW64\Ijiopd32.exe

Filesize
96KB

MD5
07b7805f6f32c17cdae58d0a5a01da72

SHA1
afd4d606c87cf3b9f1c1fa9740689f18c278dc79

SHA256
f0581bf1a785b79bb37bdbf7cc2b5d58c4946f1a8c26ddeacdb9d0180ecac3fd

SHA512
b1caf6c21553e9eeff77fe763c81e01c2963a85047d264e66f01381c7821b82be76b93a7458f47a275c621cb776d94bf27cc84add8f8fe7b17bd4d9ebabd2121

Download Submit
C:\Windows\SysWOW64\Jblflp32.exe

Filesize
96KB

MD5
c9557f0bd76c1bda5177f76471a11cdf

SHA1
5b633230406714759c3f488afe8c3e05f2b8faa0

SHA256
a3c87fadd158c8f61aa9a4f2620005559150a3844f364a2008c7d6af9a56fa07

SHA512
86a1f6abde701c8812ea42983069f1e27d6311421be5ecba023056c9ed75b27470b32a987f559407ceaf0883d4b02c8b8ec5d608e9b777035f65073dde1f3a2e

Download Submit
C:\Windows\SysWOW64\Jeolckne.exe

Filesize
96KB

MD5
9a60ea19054988a20fb7e523728b36af

SHA1
4b3ca2ed3d0e33aa01e88aecaa0d98bba87315ad

SHA256
5634128cf7248c1ced4f5125c253648c4af1ab9f71273b6677def21a5ea1a398

SHA512
d243deffd24a2095fc1b4ec59b13b06a352fa916d8cf2d96922224f9897cc14786ce6559bdb2955228ca2bb3198051d496b9d4720e229d97ab67c56e277ad1d9

Download Submit
C:\Windows\SysWOW64\Jhoeef32.exe

Filesize
96KB

MD5
ae0691478a9aceff47f3a480df57671a

SHA1
62cd068b33eb0463bec7d253c330505707f655f0

SHA256
db5cda8c5caf323078203cb01c3611725d54cd11ffa195f76a4bc3319849fe0a

SHA512
7c7494d55e4ef2a1d93551bcb8b5bd5f72f6883d2e7cf233c2fc245e04d0c5b0d7c00214af9d44a070884651d0b65308bc184f0dd55c1aafb036e196c90e9dfd

Download Submit
C:\Windows\SysWOW64\Kbjbnnfg.exe

Filesize
96KB

MD5
91c5dc6606bd93ccbcf0a4caa104c653

SHA1
56e75431d7b1b969eb50a0000ba6e5107e7f6e8e

SHA256
919e614b55440623f66c0698b2473d73d6aa1cc7e962a4c8b6f6deb4b7f95975

SHA512
749de562f4200e12164e65c8213e3290ea24b57933eab2bb70c9580b16a4bb48895690da90fc5c6cca40d05e3fef77292e8cd4e19e3b4e9d6e29326b925e5de1

Download Submit
C:\Windows\SysWOW64\Ldikgdpe.exe

Filesize
96KB

MD5
63106ec744dbbe2ef644bf4bdc5dc659

SHA1
6afd7bfe110ecb2e42d048413b613af2b655a72e

SHA256
5c2ea1c3a6020b82926f811802844f424375193abb5eb221237b413a759990a8

SHA512
5228a7cb20a822a51ad4590e0bcdf301cc71319f8e08d3aa703066d1863de77eb5b3a5bc8c5230e5533465b802fd9bc2770bed7013bae863eeda8d32f96b256c

Download Submit
C:\Windows\SysWOW64\Loemnnhe.exe

Filesize
96KB

MD5
564e6f2e2bf695d5a5376f6d2c8ef43d

SHA1
160da3e628e7c541617b9e8d2089458440b82e26

SHA256
421112f8b818bba69eb364c6589735f822f9d4d9eda19e5a659cdbc419942bb3

SHA512
e06e7aa4c045cb799cf9b659c54d9033feff3d4aae38df8725c945bf94410755c60c2590b507d0a8bebc17fb6a6fb4e4da42a971dc0e1ca87f0f980625a2e0a6

Download Submit
C:\Windows\SysWOW64\Mbdiknlb.exe

Filesize
96KB

MD5
6f365713ac49ed044a9d375c278bc077

SHA1
068c198917463c1a13017a0a8a2cde7c1cbdbddb

SHA256
6ae7aa85fa8317d8d51ac5e81ae3a87dcf27368c547b9c4b71086e8760263d67

SHA512
2b26547f5d151e7a468a90a843d4a5eda6ac13ac6c6d4153d1c8042fc2c6e24a662f8be6615044dc9bafdc9d50785b3ee8b5610fa218f89ca15c6fca616749d9

Download Submit
C:\Windows\SysWOW64\Nbbeml32.exe

Filesize
96KB

MD5
cb26c7b35eade2c3e03b8af3cf030df8

SHA1
67b2fb7eb42cf831b3f85a99cfea6ffd7a7e5213

SHA256
7e01b96e705d0ec3cea8c98f013081576c4addbdc7600dded3d0a9f635a73078

SHA512
a1862b639e76cfc301f0e0ee7c6b36c33a6718e5319c748f63d015d4e189d34373db9e94b608438bdf67a247c54307bafa03628eed176192d181aedb65e2ddf0

Download Submit
C:\Windows\SysWOW64\Nfldgk32.exe

Filesize
96KB

MD5
c1b915fabe85278c810159bd3812defe

SHA1
86a530b97ac5d49f695db68a93d943cda0aaa6e0

SHA256
f615b3f464b5eedc52349e933f27de513bc4f4fccfabb8a7332241ea2eb38099

SHA512
80588184dbe58bb468b29b5188aa0b506a5cc733bb7a8df75dc16188df2530da012e39e9a50cdfe3751b847051446b6d3d5ba0bbcbd204f9dde40a4e08e579ce

Download Submit
C:\Windows\SysWOW64\Noblkqca.exe

Filesize
96KB

MD5
796e5f65f9bcda0ab0492852c1dd48ac

SHA1
4028c39d945264ddee39f569deb5a7bf3d84774f

SHA256
6a613125d12f9791a94ca5c3f72a40fad3793d382c49eeed4d7459b56c9bb622

SHA512
0517f06daa8a800704de12d2ab63d8044b22c8dbd5b4c0d89cef109c3ba48df748104d21c619723d40a22f0b06f5150adedba02cb99d4f908d3db722dabc055a

Download Submit
C:\Windows\SysWOW64\Obgohklm.exe

Filesize
96KB

MD5
9914c6b1a7f8bed22e6befe4a75e990b

SHA1
fdddd214cd221342185ad0fff70af5ab7a9c9d3d

SHA256
94877cb90d6b3bd157a741d377ff588c28d6348e5766abb00849a658b9d27a48

SHA512
e5fe67c763575877e9bcf5a8f0686140f36ab440383097a67ae60af884c96b687f3583d27b8b9aad5bd75c6455221523f0a5b8d6911538f4e0720d80b2936f6e

Download Submit
C:\Windows\SysWOW64\Ofgdcipq.exe

Filesize
96KB

MD5
f63a85276ee5126331d8e88f4f7d116a

SHA1
3d3ae92c25e7de9f26fe58cd0a743b207fce7d7d

SHA256
6fbb8db3ae964d3f43ca43790d566b72c53816e041fc8d4edd2edff133270d99

SHA512
9c393b044a1efca4d2af007f3290eac9b320ec578df563b15dfa03dd3f91036a1dbfc481f957973df9ca8e3fd5765f0a4d2ad6dab5ac4638292e19c62c76c7e1

Download Submit
C:\Windows\SysWOW64\Oqklkbbi.exe

Filesize
96KB

MD5
f84ce87ba7b4a10d9ed9c03dc6291300

SHA1
98eb08fb641793aff447dbc2b14ef7b8ba68f530

SHA256
6862f132d6c821a72a972d0360e2bc9a3e92730ffdcb626e091c4c7eed7f3137

SHA512
ec9f6f7907cd87399cc6ae1d272a7d13155ab7d2ea98b1d6eddb279c423eb4d5b3888c4bf0a5cbf091d717d1fb584b089d875aba1fae8e84b669cf3eab1c8134

Download Submit
C:\Windows\SysWOW64\Oqoefand.exe

Filesize
96KB

MD5
8c21ec2a89e5a74f80a028086e66b0f2

SHA1
7fbcef593775c7f563bf1e0ff3e9a730d414f887

SHA256
5be8c4b8e8d156c67c869b0821d0129b90fefdcfc5b996bc5afe885fed75dc44

SHA512
57fa72b6d2bfd67d346aa3d0e8a499b548aa91e7256b42b0b723649d22dcbfcf9fcd98caf0e037639818225b169fa8f4d252e470c939d1bef7fd13503405b213

Download Submit
C:\Windows\SysWOW64\Pcgdhkem.exe

Filesize
96KB

MD5
e86877f4b13df92b9fa7c72fb0843268

SHA1
ceac26eef895873c929b691460ef38e44381fc89

SHA256
f7e9dfe0fd0617f1afcc58e80ed2820e2fadc89f46f060e57b912d8d7be6014a

SHA512
ddbc4f61c3b6f4ba782d7be8aa0749fedc295f0750a025c28de8d247b130861a7ff0b4974a018a5716807ae6f88a24409497c6558c8d57be1f31766591eafe1e

Download Submit
C:\Windows\SysWOW64\Pqolaipg.dll

Filesize
7KB

MD5
1c40a6c16ec434c24b4ae6e39197e4fb

SHA1
4bbc4d6c8abe26508bf03389553078572c823c5e

SHA256
642bf9d407858a8cbf9112faf31905b61399b9885efc8f50e91125abd73d2e69

SHA512
0cb0b3531001d5703b9d5c9ced4ee2783f1c1ac21c31d69078e0c50cf58dc9c11f751820326b50d2259fce82ae6c86ec595228f9da2c3705320dd4dc00e8903e

Download Submit
C:\Windows\SysWOW64\Qmdblp32.exe

Filesize
96KB

MD5
092ee2972838c7a6a0665f31e7482333

SHA1
d1cf1788ff0b2e0951dd59bd097113359475a38c

SHA256
f59909a77971ae65ad7ab4e3d11411b558ea3bcc23de3eaf36ed251235ee00a8

SHA512
30adb9ea9b9a0ac97391435d92fd862bb9b5ebb575b55855c8657c6427a7307ecb6cdc3a8fa1879346c1af9c9a3bdb2a4894fe2ac166d021fd593b80efe77e8e

Download Submit
memory/400-15-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/400-235-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/536-252-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/536-135-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/740-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/740-234-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/756-257-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/756-104-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/852-240-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/852-232-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/924-159-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/924-258-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1164-261-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1164-111-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1388-71-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1388-256-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1796-168-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1796-259-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1864-237-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1864-31-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1928-238-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1928-39-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2156-200-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2156-244-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2204-216-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2204-242-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2244-249-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2244-88-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2364-253-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2364-95-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2752-246-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2752-183-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2960-250-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2960-63-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3148-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3148-239-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3232-233-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3232-7-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3332-128-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3332-255-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3464-120-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3464-254-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3476-236-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3476-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3496-192-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3496-245-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3608-247-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3608-55-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3744-243-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3744-208-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3812-175-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3812-251-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3944-223-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3944-241-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4400-151-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4400-262-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4564-260-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4564-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4944-144-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4944-248-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads