2d28f82c5efd130c7689a2ce8b148600ee81fe40bacd12a4a285ae30a6b625c1

Analysis

max time kernel
155s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2024, 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2d28f82c5efd130c7689a2ce8b148600ee81fe40bacd12a4a285ae30a6b625c1.exe
Size

108KB
MD5

f73f797ff41c1db53b37aeffcac6e40c
SHA1

6c19def79e7069765f3df5aba4ad2b2921a6418d
SHA256

2d28f82c5efd130c7689a2ce8b148600ee81fe40bacd12a4a285ae30a6b625c1
SHA512

110b66c7e5144065132c9301515379516a657eefddcd28deb7677c0270bd0c27b325e046b1dea4483aaa8338fc1297082127884599adece1e9398e039af92a71
SSDEEP

3072:dsCHS8AD+RbsMX9Ef31OyIKmGzBO6FcFmKcUsvKwF:dsgRbsMX9m3cyIKFMiUs

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mlhqcgnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbebbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqmlccdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lplfcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbebbk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmmlla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qiiflaoo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mohidbkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Omfekbdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Babcil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dnljkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mjpjgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eqmlccdi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjhmbihg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nbphglbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Babcil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmbgdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nhegig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omfekbdh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qiiflaoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	2d28f82c5efd130c7689a2ce8b148600ee81fe40bacd12a4a285ae30a6b625c1.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbphglbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pmmlla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdolgfbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mokfja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Nhegig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcgdhkem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bbaclegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pcgdhkem.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmbgdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnhbmgmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbaclegm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekimjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fnhbmgmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	2d28f82c5efd130c7689a2ce8b148600ee81fe40bacd12a4a285ae30a6b625c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mohidbkl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afockelf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fjhmbihg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afockelf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apeknk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Apeknk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnljkk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlhqcgnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mjpjgj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfaigclq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfaigclq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fnalmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Lplfcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Mokfja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdolgfbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ekimjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnalmh32.exe

Executes dropped EXE 26 IoCs

pid	Process
3540	Lplfcf32.exe
4336	Mlhqcgnk.exe
4400	Mohidbkl.exe
3804	Mokfja32.exe
3260	Mjpjgj32.exe
3412	Nhegig32.exe
4660	Nbphglbe.exe
1228	Nbebbk32.exe
1768	Omfekbdh.exe
1584	Pmmlla32.exe
4532	Pcgdhkem.exe
3880	Qiiflaoo.exe
4552	Apeknk32.exe
1420	Afockelf.exe
2952	Bbaclegm.exe
1608	Babcil32.exe
5060	Bfaigclq.exe
3292	Cmbgdl32.exe
3196	Cdolgfbp.exe
3568	Dnljkk32.exe
1088	Ekimjn32.exe
4644	Eqmlccdi.exe
3068	Fnalmh32.exe
4524	Fjhmbihg.exe
1416	Fnhbmgmk.exe
3936	Gddgpqbe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Apeknk32.exe	Qiiflaoo.exe
File opened for modification	C:\Windows\SysWOW64\Eqmlccdi.exe	Ekimjn32.exe
File created	C:\Windows\SysWOW64\Emkcbcna.dll	Pcgdhkem.exe
File created	C:\Windows\SysWOW64\Fcanfh32.dll	Bbaclegm.exe
File created	C:\Windows\SysWOW64\Mlhqcgnk.exe	Lplfcf32.exe
File created	C:\Windows\SysWOW64\Fldeljei.dll	Mlhqcgnk.exe
File created	C:\Windows\SysWOW64\Ghcfpl32.dll	Mjpjgj32.exe
File opened for modification	C:\Windows\SysWOW64\Nbebbk32.exe	Nbphglbe.exe
File created	C:\Windows\SysWOW64\Qiiflaoo.exe	Pcgdhkem.exe
File opened for modification	C:\Windows\SysWOW64\Bfaigclq.exe	Babcil32.exe
File opened for modification	C:\Windows\SysWOW64\Mohidbkl.exe	Mlhqcgnk.exe
File created	C:\Windows\SysWOW64\Jdnoeb32.dll	Apeknk32.exe
File created	C:\Windows\SysWOW64\Dcjdilmf.dll	Bfaigclq.exe
File created	C:\Windows\SysWOW64\Mjbaohka.dll	Cdolgfbp.exe
File created	C:\Windows\SysWOW64\Eqmlccdi.exe	Ekimjn32.exe
File created	C:\Windows\SysWOW64\Fnalmh32.exe	Eqmlccdi.exe
File opened for modification	C:\Windows\SysWOW64\Mokfja32.exe	Mohidbkl.exe
File opened for modification	C:\Windows\SysWOW64\Nhegig32.exe	Mjpjgj32.exe
File created	C:\Windows\SysWOW64\Nbebbk32.exe	Nbphglbe.exe
File opened for modification	C:\Windows\SysWOW64\Pcgdhkem.exe	Pmmlla32.exe
File created	C:\Windows\SysWOW64\Ojimfh32.dll	Ekimjn32.exe
File opened for modification	C:\Windows\SysWOW64\Lplfcf32.exe	2d28f82c5efd130c7689a2ce8b148600ee81fe40bacd12a4a285ae30a6b625c1.exe
File created	C:\Windows\SysWOW64\Mohidbkl.exe	Mlhqcgnk.exe
File created	C:\Windows\SysWOW64\Lnpckhnk.dll	Nhegig32.exe
File created	C:\Windows\SysWOW64\Aadafn32.dll	Nbphglbe.exe
File created	C:\Windows\SysWOW64\Iaidib32.dll	Nbebbk32.exe
File created	C:\Windows\SysWOW64\Pcgdhkem.exe	Pmmlla32.exe
File created	C:\Windows\SysWOW64\Bbaclegm.exe	Afockelf.exe
File created	C:\Windows\SysWOW64\Iocmhlca.dll	Afockelf.exe
File opened for modification	C:\Windows\SysWOW64\Mlhqcgnk.exe	Lplfcf32.exe
File created	C:\Windows\SysWOW64\Nhegig32.exe	Mjpjgj32.exe
File created	C:\Windows\SysWOW64\Khihgadg.dll	Qiiflaoo.exe
File opened for modification	C:\Windows\SysWOW64\Afockelf.exe	Apeknk32.exe
File opened for modification	C:\Windows\SysWOW64\Fnalmh32.exe	Eqmlccdi.exe
File created	C:\Windows\SysWOW64\Fjhmbihg.exe	Fnalmh32.exe
File created	C:\Windows\SysWOW64\Fnhbmgmk.exe	Fjhmbihg.exe
File opened for modification	C:\Windows\SysWOW64\Omfekbdh.exe	Nbebbk32.exe
File opened for modification	C:\Windows\SysWOW64\Babcil32.exe	Bbaclegm.exe
File created	C:\Windows\SysWOW64\Pencqe32.dll	Pmmlla32.exe
File opened for modification	C:\Windows\SysWOW64\Cmbgdl32.exe	Bfaigclq.exe
File created	C:\Windows\SysWOW64\Cdolgfbp.exe	Cmbgdl32.exe
File opened for modification	C:\Windows\SysWOW64\Dnljkk32.exe	Cdolgfbp.exe
File created	C:\Windows\SysWOW64\Ekimjn32.exe	Dnljkk32.exe
File opened for modification	C:\Windows\SysWOW64\Ekimjn32.exe	Dnljkk32.exe
File created	C:\Windows\SysWOW64\Hjcakafa.dll	2d28f82c5efd130c7689a2ce8b148600ee81fe40bacd12a4a285ae30a6b625c1.exe
File created	C:\Windows\SysWOW64\Faoiogei.dll	Lplfcf32.exe
File opened for modification	C:\Windows\SysWOW64\Pmmlla32.exe	Omfekbdh.exe
File opened for modification	C:\Windows\SysWOW64\Apeknk32.exe	Qiiflaoo.exe
File created	C:\Windows\SysWOW64\Anijgd32.dll	Dnljkk32.exe
File created	C:\Windows\SysWOW64\Cmgilf32.dll	Mokfja32.exe
File opened for modification	C:\Windows\SysWOW64\Nbphglbe.exe	Nhegig32.exe
File opened for modification	C:\Windows\SysWOW64\Bbaclegm.exe	Afockelf.exe
File created	C:\Windows\SysWOW64\Nodeaima.dll	Babcil32.exe
File created	C:\Windows\SysWOW64\Lplfcf32.exe	2d28f82c5efd130c7689a2ce8b148600ee81fe40bacd12a4a285ae30a6b625c1.exe
File opened for modification	C:\Windows\SysWOW64\Mjpjgj32.exe	Mokfja32.exe
File created	C:\Windows\SysWOW64\Nbphglbe.exe	Nhegig32.exe
File created	C:\Windows\SysWOW64\Pfgbakef.dll	Omfekbdh.exe
File opened for modification	C:\Windows\SysWOW64\Qiiflaoo.exe	Pcgdhkem.exe
File opened for modification	C:\Windows\SysWOW64\Cdolgfbp.exe	Cmbgdl32.exe
File created	C:\Windows\SysWOW64\Iolgql32.dll	Fjhmbihg.exe
File created	C:\Windows\SysWOW64\Jcggmk32.dll	Fnhbmgmk.exe
File created	C:\Windows\SysWOW64\Mjpjgj32.exe	Mokfja32.exe
File created	C:\Windows\SysWOW64\Babcil32.exe	Bbaclegm.exe
File created	C:\Windows\SysWOW64\Icpjna32.dll	Cmbgdl32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3528	3936	WerFault.exe	123

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nhegig32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbphglbe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qiiflaoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdnoeb32.dll"	Apeknk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bbaclegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fnalmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mlhqcgnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mjpjgj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Apeknk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocmhlca.dll"	Afockelf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjbaohka.dll"	Cdolgfbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anijgd32.dll"	Dnljkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjcakafa.dll"	2d28f82c5efd130c7689a2ce8b148600ee81fe40bacd12a4a285ae30a6b625c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mjpjgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfgbakef.dll"	Omfekbdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Babcil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dnljkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nhegig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icpjna32.dll"	Cmbgdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pmmlla32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afockelf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fnhbmgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mokfja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emkcbcna.dll"	Pcgdhkem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qiiflaoo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afockelf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcanfh32.dll"	Bbaclegm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ekimjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eqmlccdi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	2d28f82c5efd130c7689a2ce8b148600ee81fe40bacd12a4a285ae30a6b625c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmgilf32.dll"	Mokfja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fnhbmgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mokfja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pcgdhkem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfaigclq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dnljkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojimfh32.dll"	Ekimjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnidqf32.dll"	Fnalmh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmbgdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Lplfcf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Mlhqcgnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnpckhnk.dll"	Nhegig32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Nbphglbe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pcgdhkem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bbaclegm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcjdilmf.dll"	Bfaigclq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ekimjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iolgql32.dll"	Fjhmbihg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	2d28f82c5efd130c7689a2ce8b148600ee81fe40bacd12a4a285ae30a6b625c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghcfpl32.dll"	Mjpjgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaidib32.dll"	Nbebbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbfbkfaa.dll"	Eqmlccdi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	2d28f82c5efd130c7689a2ce8b148600ee81fe40bacd12a4a285ae30a6b625c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	2d28f82c5efd130c7689a2ce8b148600ee81fe40bacd12a4a285ae30a6b625c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldeljei.dll"	Mlhqcgnk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khihgadg.dll"	Qiiflaoo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdolgfbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdolgfbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Lplfcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Mohidbkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Nbebbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Omfekbdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodeaima.dll"	Babcil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fjhmbihg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4108 wrote to memory of 3540	4108	2d28f82c5efd130c7689a2ce8b148600ee81fe40bacd12a4a285ae30a6b625c1.exe	96
PID 4108 wrote to memory of 3540	4108	2d28f82c5efd130c7689a2ce8b148600ee81fe40bacd12a4a285ae30a6b625c1.exe	96
PID 4108 wrote to memory of 3540	4108	2d28f82c5efd130c7689a2ce8b148600ee81fe40bacd12a4a285ae30a6b625c1.exe	96
PID 3540 wrote to memory of 4336	3540	Lplfcf32.exe	97
PID 3540 wrote to memory of 4336	3540	Lplfcf32.exe	97
PID 3540 wrote to memory of 4336	3540	Lplfcf32.exe	97
PID 4336 wrote to memory of 4400	4336	Mlhqcgnk.exe	98
PID 4336 wrote to memory of 4400	4336	Mlhqcgnk.exe	98
PID 4336 wrote to memory of 4400	4336	Mlhqcgnk.exe	98
PID 4400 wrote to memory of 3804	4400	Mohidbkl.exe	99
PID 4400 wrote to memory of 3804	4400	Mohidbkl.exe	99
PID 4400 wrote to memory of 3804	4400	Mohidbkl.exe	99
PID 3804 wrote to memory of 3260	3804	Mokfja32.exe	100
PID 3804 wrote to memory of 3260	3804	Mokfja32.exe	100
PID 3804 wrote to memory of 3260	3804	Mokfja32.exe	100
PID 3260 wrote to memory of 3412	3260	Mjpjgj32.exe	101
PID 3260 wrote to memory of 3412	3260	Mjpjgj32.exe	101
PID 3260 wrote to memory of 3412	3260	Mjpjgj32.exe	101
PID 3412 wrote to memory of 4660	3412	Nhegig32.exe	102
PID 3412 wrote to memory of 4660	3412	Nhegig32.exe	102
PID 3412 wrote to memory of 4660	3412	Nhegig32.exe	102
PID 4660 wrote to memory of 1228	4660	Nbphglbe.exe	103
PID 4660 wrote to memory of 1228	4660	Nbphglbe.exe	103
PID 4660 wrote to memory of 1228	4660	Nbphglbe.exe	103
PID 1228 wrote to memory of 1768	1228	Nbebbk32.exe	104
PID 1228 wrote to memory of 1768	1228	Nbebbk32.exe	104
PID 1228 wrote to memory of 1768	1228	Nbebbk32.exe	104
PID 1768 wrote to memory of 1584	1768	Omfekbdh.exe	105
PID 1768 wrote to memory of 1584	1768	Omfekbdh.exe	105
PID 1768 wrote to memory of 1584	1768	Omfekbdh.exe	105
PID 1584 wrote to memory of 4532	1584	Pmmlla32.exe	106
PID 1584 wrote to memory of 4532	1584	Pmmlla32.exe	106
PID 1584 wrote to memory of 4532	1584	Pmmlla32.exe	106
PID 4532 wrote to memory of 3880	4532	Pcgdhkem.exe	107
PID 4532 wrote to memory of 3880	4532	Pcgdhkem.exe	107
PID 4532 wrote to memory of 3880	4532	Pcgdhkem.exe	107
PID 3880 wrote to memory of 4552	3880	Qiiflaoo.exe	109
PID 3880 wrote to memory of 4552	3880	Qiiflaoo.exe	109
PID 3880 wrote to memory of 4552	3880	Qiiflaoo.exe	109
PID 4552 wrote to memory of 1420	4552	Apeknk32.exe	110
PID 4552 wrote to memory of 1420	4552	Apeknk32.exe	110
PID 4552 wrote to memory of 1420	4552	Apeknk32.exe	110
PID 1420 wrote to memory of 2952	1420	Afockelf.exe	111
PID 1420 wrote to memory of 2952	1420	Afockelf.exe	111
PID 1420 wrote to memory of 2952	1420	Afockelf.exe	111
PID 2952 wrote to memory of 1608	2952	Bbaclegm.exe	112
PID 2952 wrote to memory of 1608	2952	Bbaclegm.exe	112
PID 2952 wrote to memory of 1608	2952	Bbaclegm.exe	112
PID 1608 wrote to memory of 5060	1608	Babcil32.exe	113
PID 1608 wrote to memory of 5060	1608	Babcil32.exe	113
PID 1608 wrote to memory of 5060	1608	Babcil32.exe	113
PID 5060 wrote to memory of 3292	5060	Bfaigclq.exe	114
PID 5060 wrote to memory of 3292	5060	Bfaigclq.exe	114
PID 5060 wrote to memory of 3292	5060	Bfaigclq.exe	114
PID 3292 wrote to memory of 3196	3292	Cmbgdl32.exe	115
PID 3292 wrote to memory of 3196	3292	Cmbgdl32.exe	115
PID 3292 wrote to memory of 3196	3292	Cmbgdl32.exe	115
PID 3196 wrote to memory of 3568	3196	Cdolgfbp.exe	116
PID 3196 wrote to memory of 3568	3196	Cdolgfbp.exe	116
PID 3196 wrote to memory of 3568	3196	Cdolgfbp.exe	116
PID 3568 wrote to memory of 1088	3568	Dnljkk32.exe	117
PID 3568 wrote to memory of 1088	3568	Dnljkk32.exe	117
PID 3568 wrote to memory of 1088	3568	Dnljkk32.exe	117
PID 1088 wrote to memory of 4644	1088	Ekimjn32.exe	118

C:\Users\Admin\AppData\Local\Temp\2d28f82c5efd130c7689a2ce8b148600ee81fe40bacd12a4a285ae30a6b625c1.exe
"C:\Users\Admin\AppData\Local\Temp\2d28f82c5efd130c7689a2ce8b148600ee81fe40bacd12a4a285ae30a6b625c1.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4108
- C:\Windows\SysWOW64\Lplfcf32.exe
  C:\Windows\system32\Lplfcf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3540
- - C:\Windows\SysWOW64\Mlhqcgnk.exe
    C:\Windows\system32\Mlhqcgnk.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4336
  - - C:\Windows\SysWOW64\Mohidbkl.exe
      C:\Windows\system32\Mohidbkl.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4400
    - - C:\Windows\SysWOW64\Mokfja32.exe
        
        C:\Windows\system32\Mokfja32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3804
      - C:\Windows\SysWOW64\Mjpjgj32.exe
        
        C:\Windows\system32\Mjpjgj32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\SysWOW64\Nhegig32.exe
        
        C:\Windows\system32\Nhegig32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3412
        
        C:\Windows\SysWOW64\Nbphglbe.exe
        
        C:\Windows\system32\Nbphglbe.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\SysWOW64\Nbebbk32.exe
        
        C:\Windows\system32\Nbebbk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\SysWOW64\Omfekbdh.exe
        
        C:\Windows\system32\Omfekbdh.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\SysWOW64\Pmmlla32.exe
        
        C:\Windows\system32\Pmmlla32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1584
        
        C:\Windows\SysWOW64\Pcgdhkem.exe
        
        C:\Windows\system32\Pcgdhkem.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4532
        
        C:\Windows\SysWOW64\Qiiflaoo.exe
        
        C:\Windows\system32\Qiiflaoo.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Windows\SysWOW64\Apeknk32.exe
        
        C:\Windows\system32\Apeknk32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\SysWOW64\Afockelf.exe
        
        C:\Windows\system32\Afockelf.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Windows\SysWOW64\Bbaclegm.exe
        
        C:\Windows\system32\Bbaclegm.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\SysWOW64\Babcil32.exe
        
        C:\Windows\system32\Babcil32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\SysWOW64\Bfaigclq.exe
        
        C:\Windows\system32\Bfaigclq.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Cmbgdl32.exe
        
        C:\Windows\system32\Cmbgdl32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3292
        
        C:\Windows\SysWOW64\Cdolgfbp.exe
        
        C:\Windows\system32\Cdolgfbp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\SysWOW64\Dnljkk32.exe
        
        C:\Windows\system32\Dnljkk32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\SysWOW64\Ekimjn32.exe
        
        C:\Windows\system32\Ekimjn32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\SysWOW64\Eqmlccdi.exe
        
        C:\Windows\system32\Eqmlccdi.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4644
        
        C:\Windows\SysWOW64\Fnalmh32.exe
        
        C:\Windows\system32\Fnalmh32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Fjhmbihg.exe
        
        C:\Windows\system32\Fjhmbihg.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4524
        
        C:\Windows\SysWOW64\Fnhbmgmk.exe
        
        C:\Windows\system32\Fnhbmgmk.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1416
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        27⤵
        Executes dropped EXE
        
        PID:3936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 412
        28⤵
        Program crash
        
        PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3936 -ip 3936
1⤵
PID:3688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
1⤵
PID:3104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afockelf.exe

Filesize
108KB

MD5
b5ed2fedc2439e431ab99312429cd6a4

SHA1
fdee0c7e0396458565d66bf865a48e1b1bc38f47

SHA256
8ed71045eb894cae269c1a621b3466afc819ff7dbde0dfb35b618e1f5935d82e

SHA512
79ae677bbee5118589855278c7794547aee2bc49dca00e8080087ea1d37b7d3b498916cb4e042d9ea31e98a10295efb291220ee8a65ed0638f996ff14adc64b7

Download Submit
C:\Windows\SysWOW64\Apeknk32.exe

Filesize
108KB

MD5
cead91eece3cdc72026f3077c7a0fdaf

SHA1
cdca0423084f6b18f1c3b52054e19a770bfb4239

SHA256
98fc90fa32049f5f013877aa3d43905bfb566ea3c767d8139b64bc5b4600cb65

SHA512
9c36022c656abb55baa75a78277f73d78e46bb0420d8091972622f9f788ab69940c7c86f89b296ceba7be7312fba2ea3478f43cea0ad0be98a09733f12199aac

Download Submit
C:\Windows\SysWOW64\Babcil32.exe

Filesize
108KB

MD5
4bf4ab98bc5524e83f75222fd3d91839

SHA1
8e9bf4063f8f186685e760455b9287af299a1c8f

SHA256
3d2a6a87229d7db43bb61bcbf95c2acead5f4c7a3aea3a5e0c9e30bd61a90005

SHA512
1ec207d9597da526bf10db99ba8f0c55262c8638ff5d3fa0740597f81d6e4a86ae5fcd500032b2cc52f947f66f121d998c4e2d72ac79dc4eb5432e8fb31987cd

Download Submit
C:\Windows\SysWOW64\Bbaclegm.exe

Filesize
108KB

MD5
454ff81cfe953d80e8108583de02df45

SHA1
321eaa3eabbc305e66c687df3ffc33c4419bacde

SHA256
564c1fef00de982f56e96c22c595719b3efa49e0f5d557306b1f9920e17601af

SHA512
0186679463719c6702e2fe4bec151ac61659babbb7212f138e25dfebba91c27701f48fe940cbeb582fbbd300aa06b40307d8bd6480cba13365058dc4793c8809

Download Submit
C:\Windows\SysWOW64\Bfaigclq.exe

Filesize
108KB

MD5
4e4c406a7dd24f100875b323b4917a1f

SHA1
58d531cea2c5ee71075eaadb1fadb90d3ebae5e9

SHA256
f7a48e0f120b6fd73e864f36c763a6021f61c2f750c7f74aea4cedbb0defb999

SHA512
66e840d99dbb227266c28fb4674522f1a68a8675504e336b931ee56e8a52e51200606fa4c814a461c91abcccf93725436ea8def7e58e2c582e9dbbecb7bd1578

Download Submit
C:\Windows\SysWOW64\Cdolgfbp.exe

Filesize
108KB

MD5
6914fb7f19840635b5af3e07e73d9ea8

SHA1
53121653a120239cc800148b356f56cc6ee15d3b

SHA256
9dc93b56996db4e63afcc88be6ae83e65e0ca95eb39790891b677c31b82e0e11

SHA512
c9a8b90db234e8294ddc6bda012a0aa0026a46ac1ee9876afeab10d0ca7a91dde26afd7e587e790c82257f74453cb369f0edbee418ee8bf61a0641269f83d727

Download Submit
C:\Windows\SysWOW64\Cmbgdl32.exe

Filesize
108KB

MD5
e96fd5d8189fa5dfd4ee4914503d9d73

SHA1
a710eaebedf6894afa49ae02b046320a3ad5e672

SHA256
fa2f9f67cf2975b213328ccc321e62f927c877e217125be6c21389d69a4d1d7b

SHA512
fa504aae63230c44c199d256434d8a80e9e1412fa3ac72b420342811a319ed1e94c4f881f08ad06d80c7530ed77293c4868ed34a77ee7af73724aee4ce6d9f0f

Download Submit
C:\Windows\SysWOW64\Cmgilf32.dll

Filesize
7KB

MD5
fd81d49214aaa422a5d1d28a0a031783

SHA1
3e99ec6d8f8c3389a2159a69d7d9e1fb4c62d289

SHA256
0090d0ebe7b8b8aab08282294b868b70b2fc7ec4934d6c73eb3759382156d5a2

SHA512
8b28389416da9dc00fbc8c2954c7d4cd12722f54eb107e2d38ed3cce2affc1a0a40e12605c9c37a20038498f776ec1b4fed685413c2cef8dadab30aec6eea5fd

Download Submit
C:\Windows\SysWOW64\Dnljkk32.exe

Filesize
108KB

MD5
e2710c4589db73c37390dc8bafe8c00b

SHA1
487fbccc7f2764ab9b818f924aa3a52c13c4b62c

SHA256
7acc662b7b64bf05eeb48bb8406f318f4f9386413deeb12b263dd9c7d616bdc0

SHA512
a71073af4cd9fd480362f344e07b75c1531f9ca643a9da3a9db3006616ad60d63853ee9738d2c6f63577074636c20be7369a2c3fc320b8162a0a6d1e0bc452d9

Download Submit
C:\Windows\SysWOW64\Ekimjn32.exe

Filesize
108KB

MD5
0727d3b22991829f389ea22fe2234a28

SHA1
49b0cc96241e225e7f414805ec3ac6b61072b5e5

SHA256
688abc3c076a3fdbaf596d389918fd73ce66efed222a662d560310134967b6f8

SHA512
04c01be2a0b935fc98c302e7caace6d17f4d9910114acbd908ed3e7a1d248c213bffa43aaed94e798d85cca8fa50c84f401c910dd649e02b7ebefffac3fca038

Download Submit
C:\Windows\SysWOW64\Eqmlccdi.exe

Filesize
108KB

MD5
547888b90704bef8bcfa39018ba3f21c

SHA1
0ccdcfe8b4f9e5fb035d6d9563e842ddbcb2d353

SHA256
5b4769cefc4401761613ce292f98646b2adfac222703a88341b56ea60a82a28c

SHA512
62db9fcca1732fa77df59e65d803c5989a8e1d9f0df670a7339cfc1da3ec5d7b8d01b52c9c9ba7c57f8ab896be84057f4cd545a8e518b6655609c9052530b17a

Download Submit
C:\Windows\SysWOW64\Fjhmbihg.exe

Filesize
108KB

MD5
61e78851d8206f582dcbd055aaba52bf

SHA1
ef0698fdbca90c7bb88d97d48df43fc8e8417b10

SHA256
8d9c91b298113a311de952f68f11895175afd932ae0e38abeb80f0a991250f95

SHA512
e6e2c757f3212f7210cad2218e34f5843c92fbdb482f0a995bb4546ea6e54224ad8de63ad4bdef03e67134663ad10f7d224fd30960eca986640bac74dbd172ff

Download Submit
C:\Windows\SysWOW64\Fnalmh32.exe

Filesize
108KB

MD5
5d9c760ccaf48e58f6ce0ef9209bddea

SHA1
8141164966a15a1222d38869ea5bb5056e59efb2

SHA256
44607adc2b9aa45f4c99a4b88de97e0151aad42d388e1b021d21fe0c54df7710

SHA512
1f9c8958637f04ba8375863e5ed53def8f67c2c27add86bb9b765fc7a748090ee1a8ee65da732b8f77dc9c77de018eafce44b4674f24b04bb9ea162d9d5a8a57

Download Submit
C:\Windows\SysWOW64\Fnhbmgmk.exe

Filesize
108KB

MD5
1f5e8024ddf8021f1d677a4e4ae00706

SHA1
15f43ce7cffb19727506b8bc0f8f98b6f6349e2c

SHA256
1115cd23ce5a21d1fe3d76e48d25ee7c5edbb4297419bfaf3d8b48911919d2b6

SHA512
d8d77f240fcd3eb8b782994ebc114418fcf5e7f03aa8141b0fe10abf3195a11ca5fd8e2d248556837353ba4467fefe745e2924e6971bf35ccf8929cd9d0b405a

Download Submit
C:\Windows\SysWOW64\Gddgpqbe.exe

Filesize
108KB

MD5
34a344871839c3398ca3118eacd72f16

SHA1
ac8b29ae5db4fed739cd3c077b66a49e67608c23

SHA256
0616c06298e843dfe30dab9a501a7d7174e9d2d9b37d3c1aa9d20501d62c5e5d

SHA512
391dd5cb75771f05261e8af7a7a91e26a3d698a5798e13b7e2258ec955b572afb976ea9e302453a7dcd7b58f29a9505d1c52aba23a744cba252ed4413aa9a9d2

Download Submit
C:\Windows\SysWOW64\Lplfcf32.exe

Filesize
108KB

MD5
f617c3ba26bbd10d65aeebd24899b33d

SHA1
611082d44e9719188d510ff9811f2d3034eb8549

SHA256
d50a8f441463f4503ad8cdf070d46eb41f8b1278a6e93eee5271bb9f51c35887

SHA512
46e69c6b040481e9f0e32e92c27d6961c980006ce0b5c8b8a43b7623817d48750bdc06d9c7c574eb1665692a3ec252e37f40d1f9901c7d4d5dd9b6be3f1cf25b

Download Submit
C:\Windows\SysWOW64\Mjpjgj32.exe

Filesize
108KB

MD5
f0651203e7871222e17e672f8985e78c

SHA1
42b6d788af48f0ded6a7bfe20ddcc551813355f7

SHA256
0d49c870e1dc7ade9c0fa0f26fa82a60d9d48224bedb98eeb27f3b368c9f0589

SHA512
30be917faf1b370ff930dd37db781a1885a824752c8e8735a832fa6d76d143e3253272c48425c50dc8b5526e494edfdb1a558f845f6478cf3c2748127421d865

Download Submit
C:\Windows\SysWOW64\Mlhqcgnk.exe

Filesize
108KB

MD5
c82c9453bd6c333901f32beb437c2346

SHA1
69c3691597c4ba53cb0fa26bdf9e120d5732e24c

SHA256
5312548da8d4203207d05a84ae299c80d8419b1a994de1b200c506409f4e6bf9

SHA512
147e7a33bfb8e02bad481b1e59e80083082fec31d93ea6ea3d38c285d5c89cb1fc55bc82e1ab8f0449b15fa1628e847072141c88923e91c7bd1ba46b9c8d5645

Download Submit
C:\Windows\SysWOW64\Mohidbkl.exe

Filesize
108KB

MD5
774cb49d35c839d4f1eb593fe9110807

SHA1
e8081e3ad130f1d553600a7058b1f77d39f7fd7f

SHA256
4ccf8d6ab48c03f398085d5c32dc8156eab3727b42e336a50a825ea61093022d

SHA512
378fed9cb37b17f03557af09a95481ea66b764282d788a61bdc39f7d6ac5fb57f64ca3353f9e9240f527b743f5b9e685ca1314a420b459ca44d45fa5e8d7e0d8

Download Submit
C:\Windows\SysWOW64\Mokfja32.exe

Filesize
108KB

MD5
9d63771a8ac5f00dfe96413f62558d25

SHA1
2e5ae258fb2a4040930d667fe0553263f4f3ec45

SHA256
4c3cbfa94b86a79542b31086f8f8435ced90a1af128c4e3bd4450b8a7dadd9ff

SHA512
f0d1d9a3ec4710e1d45b3ab74299675fdff1f18aca44744aa1501d017314565e9848a2bed77e53a216dc325564f5cbb4a50dfdeb9eca5bc9b7c5319b6f13e227

Download Submit
C:\Windows\SysWOW64\Nbebbk32.exe

Filesize
108KB

MD5
1d06097068e23c9357593eee07583bba

SHA1
ed0996606d4c67c20fe796f1942d4e84ebb4f614

SHA256
2312323608fd90e9afe374c22766a8a3926c042b61c6f21dbee3c506aff5ee7c

SHA512
61ae152082c77b08e65bed9e89b332e747f14caaec07da8a74ea1ccda133b30a0fbc069fcb3a32c24e7e9edd8bae5f4e2a7ca6a7d63c7eb57f170eb418d4a76d

Download Submit
C:\Windows\SysWOW64\Nbphglbe.exe

Filesize
108KB

MD5
d0917df7c10512156550a0ca84117a31

SHA1
b04405def78fa3c14dc8bf285d1c25693d03164e

SHA256
760e34febe4d2b0efd6c3abef2f33ac593e0012d4fcb50548fa1591c3b3693e1

SHA512
bf53818e7f07bd8517a722b55b671fdf4b572ef7248748f07a1cbd8c25a19fdcc895434690410787a0b0e3ff510cc3dea029844bf7cbb6f9cacb5c7da62b25c0

Download Submit
C:\Windows\SysWOW64\Nhegig32.exe

Filesize
108KB

MD5
e388d4c466ce1c26d2a8350ba30084a1

SHA1
c353cc3de4670c74d153cf4821caa9e9c9cfa651

SHA256
17a89b0c49cfcb6dc042ebc2d317abb7f8655f3d077529223c6be0cf77aa0254

SHA512
19fb70acd9715925ae150a59d3eb1ffe0df038b2a4c9f51d063d3dfc018fd450f3f734d6b87b1de3b3e6b4aa1ea0332440ca3578327ca297a183ab61c9446252

Download Submit
C:\Windows\SysWOW64\Omfekbdh.exe

Filesize
108KB

MD5
76f5d50e841b5cb8b911814b962e909e

SHA1
fb18c64a30036d1e98f65c7e1f8fe03e8d47be2f

SHA256
39fbdd2c9982a949bf950de7c8d7e720008597bc8b0679eb5eda1b405683e398

SHA512
2635db733ec67f16c42b727d21152ba9b8a2500343a2cc865f920d2fff9f4816a09f6886de272f3f347c6e5d450f853f0e3aa065ad001d63317b452700830cbf

Download Submit
C:\Windows\SysWOW64\Pcgdhkem.exe

Filesize
108KB

MD5
6d5a107df71d264c9dc7814920199894

SHA1
77b369115da93f9b1984b28c1f0b8053c2fa14db

SHA256
aa369ee13aa057ce24946b360333bcea13fcd3bf8468c82f12164ed1442b6ade

SHA512
ecc4f1c499590de8ccde166615d0ae4cdeeb042f7860eab94bcc2801c6dd6a3c0db534da839312b5bc9e824a654cfdca40e6fa303cdd8f9159e82c46ff87bc18

Download Submit
C:\Windows\SysWOW64\Pmmlla32.exe

Filesize
108KB

MD5
880cb3a5a0ae188f988b33ea06b6ac6f

SHA1
3c80f174abf799e0b4002cad07c28b5b2a1583c9

SHA256
e5d2a6ba41ed093c3100774c948ac8caca73c2e46e39311213b91e761e46d5c4

SHA512
c9bf1a5ac45a81394b4e3d792e0fe9112ecb38d0498387bf00f81dea6bccbc9da24a64cfde648e246b6e6c3574944961d71a548491afd46aaeea8d55f37bb723

Download Submit
C:\Windows\SysWOW64\Qiiflaoo.exe

Filesize
108KB

MD5
644b273e7d8e2016758b453077d4acd9

SHA1
082baec74d58c0b490285aceb800ba03421eeb07

SHA256
c568d68e8ddc4b5ee3b553900b329bd6c8b2e14212a7a0b24bbc8a250f6df897

SHA512
76205f43d3f3c03ea7a7225391f41b9b8672793452bdf8f81e14d22be4209759a6e79b3a931795be26b382256069fcb5ca6ecf2a91366e746c5773afdafea9e6

Download Submit
memory/1088-168-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1088-237-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1228-264-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1228-63-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1416-230-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1416-200-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1420-112-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1420-252-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1584-260-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1584-80-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1608-248-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1608-128-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1768-71-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1768-262-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2952-119-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2952-250-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3068-234-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3068-184-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3196-151-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3196-242-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3260-270-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3260-39-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3292-244-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3292-144-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3412-47-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3412-268-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3540-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3540-278-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3568-240-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3568-165-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3804-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3804-272-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3880-96-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3880-256-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3936-209-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3936-229-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4108-279-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4108-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4336-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4336-276-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4400-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4400-274-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4524-232-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4524-193-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4532-259-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4532-88-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4552-254-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4552-104-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4644-176-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4644-239-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4660-266-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4660-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5060-135-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5060-246-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads