9483d2fd9914f7c543497150b3730c643d71366395cf66469a1d8d548ce65641

Analysis

max time kernel
151s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/04/2024, 00:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9483d2fd9914f7c543497150b3730c643d71366395cf66469a1d8d548ce65641.exe
Size

402KB
MD5

1db5b8cbd6e06f07897914da167fbb6c
SHA1

25ac4b64a699b0656ce2647f6ae133233b569079
SHA256

9483d2fd9914f7c543497150b3730c643d71366395cf66469a1d8d548ce65641
SHA512

43d9f4864a18e86dcab54233f15f5a659dca54fee0b0edf55b61d9c510dacc78fd57662ef7920ffd73f398ea8e4e45cf4fb3620b7c83d53c8c57586742b62189
SSDEEP

6144:j6BlZ1DoYPvTpN0xHuwdkAj51VezfHZ3neNZpGkXo+TCCYOs5PHdC:juU

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	9483d2fd9914f7c543497150b3730c643d71366395cf66469a1d8d548ce65641.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dggcffhg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ikkjbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ikkjbe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mkmhaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mkmhaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	9483d2fd9914f7c543497150b3730c643d71366395cf66469a1d8d548ce65641.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Behnnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Caknol32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ileiplhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jghmfhmb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Magqncba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Magqncba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ckccgane.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dggcffhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Enhacojl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kbidgeci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bbokmqie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdniqh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Igakgfpn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kbidgeci.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kqqboncb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lndohedg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Mlcbenjb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckccgane.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbopgb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jjbpgd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lndohedg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fbopgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ileiplhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Kqqboncb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdbdjhmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Modkfi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enfenplo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Jjbpgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lmikibio.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enhacojl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nodgel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjlqhoba.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Behnnm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbokmqie.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lmikibio.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lfdmggnm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlcbenjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Modkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdbdjhmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caknol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddgjdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Igakgfpn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jghmfhmb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nodgel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddgjdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Enfenplo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gdniqh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjlqhoba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Lfdmggnm.exe

Executes dropped EXE 28 IoCs

pid	Process
2736	Bjlqhoba.exe
2592	Behnnm32.exe
2568	Bbokmqie.exe
2372	Cdbdjhmp.exe
2580	Caknol32.exe
2492	Ckccgane.exe
1596	Ddgjdk32.exe
2532	Dggcffhg.exe
2416	Enfenplo.exe
2004	Enhacojl.exe
580	Fbopgb32.exe
1012	Gdniqh32.exe
1764	Ikkjbe32.exe
2392	Igakgfpn.exe
1944	Ileiplhn.exe
2368	Jjbpgd32.exe
1064	Jghmfhmb.exe
2404	Kqqboncb.exe
1880	Kbidgeci.exe
984	Lndohedg.exe
2412	Lmikibio.exe
2180	Lfdmggnm.exe
2528	Mlcbenjb.exe
2176	Modkfi32.exe
1756	Mkmhaj32.exe
1576	Magqncba.exe
2080	Nodgel32.exe
2992	Nlhgoqhh.exe

Loads dropped DLL 60 IoCs

pid	Process
2908	9483d2fd9914f7c543497150b3730c643d71366395cf66469a1d8d548ce65641.exe
2908	9483d2fd9914f7c543497150b3730c643d71366395cf66469a1d8d548ce65641.exe
2736	Bjlqhoba.exe
2736	Bjlqhoba.exe
2592	Behnnm32.exe
2592	Behnnm32.exe
2568	Bbokmqie.exe
2568	Bbokmqie.exe
2372	Cdbdjhmp.exe
2372	Cdbdjhmp.exe
2580	Caknol32.exe
2580	Caknol32.exe
2492	Ckccgane.exe
2492	Ckccgane.exe
1596	Ddgjdk32.exe
1596	Ddgjdk32.exe
2532	Dggcffhg.exe
2532	Dggcffhg.exe
2416	Enfenplo.exe
2416	Enfenplo.exe
2004	Enhacojl.exe
2004	Enhacojl.exe
580	Fbopgb32.exe
580	Fbopgb32.exe
1012	Gdniqh32.exe
1012	Gdniqh32.exe
1764	Ikkjbe32.exe
1764	Ikkjbe32.exe
2392	Igakgfpn.exe
2392	Igakgfpn.exe
1944	Ileiplhn.exe
1944	Ileiplhn.exe
2368	Jjbpgd32.exe
2368	Jjbpgd32.exe
1064	Jghmfhmb.exe
1064	Jghmfhmb.exe
2404	Kqqboncb.exe
2404	Kqqboncb.exe
1880	Kbidgeci.exe
1880	Kbidgeci.exe
984	Lndohedg.exe
984	Lndohedg.exe
2412	Lmikibio.exe
2412	Lmikibio.exe
2180	Lfdmggnm.exe
2180	Lfdmggnm.exe
2528	Mlcbenjb.exe
2528	Mlcbenjb.exe
2176	Modkfi32.exe
2176	Modkfi32.exe
1756	Mkmhaj32.exe
1756	Mkmhaj32.exe
1576	Magqncba.exe
1576	Magqncba.exe
2080	Nodgel32.exe
2080	Nodgel32.exe
2668	WerFault.exe
2668	WerFault.exe
2668	WerFault.exe
2668	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fbopgb32.exe	Enhacojl.exe
File opened for modification	C:\Windows\SysWOW64\Ileiplhn.exe	Igakgfpn.exe
File opened for modification	C:\Windows\SysWOW64\Jghmfhmb.exe	Jjbpgd32.exe
File created	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nodgel32.exe
File opened for modification	C:\Windows\SysWOW64\Ddgjdk32.exe	Ckccgane.exe
File created	C:\Windows\SysWOW64\Iodahd32.dll	Gdniqh32.exe
File created	C:\Windows\SysWOW64\Opdnhdpo.dll	Kbidgeci.exe
File opened for modification	C:\Windows\SysWOW64\Lmikibio.exe	Lndohedg.exe
File opened for modification	C:\Windows\SysWOW64\Modkfi32.exe	Mlcbenjb.exe
File created	C:\Windows\SysWOW64\Magqncba.exe	Mkmhaj32.exe
File created	C:\Windows\SysWOW64\Cnjgia32.dll	Magqncba.exe
File created	C:\Windows\SysWOW64\Jjbpgd32.exe	Ileiplhn.exe
File opened for modification	C:\Windows\SysWOW64\Kqqboncb.exe	Jghmfhmb.exe
File created	C:\Windows\SysWOW64\Fhhmapcq.dll	Lmikibio.exe
File opened for modification	C:\Windows\SysWOW64\Mlcbenjb.exe	Lfdmggnm.exe
File opened for modification	C:\Windows\SysWOW64\Mkmhaj32.exe	Modkfi32.exe
File created	C:\Windows\SysWOW64\Ekjajfei.dll	Behnnm32.exe
File created	C:\Windows\SysWOW64\Cdbdjhmp.exe	Bbokmqie.exe
File opened for modification	C:\Windows\SysWOW64\Ckccgane.exe	Caknol32.exe
File created	C:\Windows\SysWOW64\Ampehe32.dll	Enfenplo.exe
File created	C:\Windows\SysWOW64\Ileiplhn.exe	Igakgfpn.exe
File created	C:\Windows\SysWOW64\Kqqboncb.exe	Jghmfhmb.exe
File created	C:\Windows\SysWOW64\Hkijpd32.dll	Lndohedg.exe
File opened for modification	C:\Windows\SysWOW64\Magqncba.exe	Mkmhaj32.exe
File created	C:\Windows\SysWOW64\Opfdll32.dll	Cdbdjhmp.exe
File opened for modification	C:\Windows\SysWOW64\Gdniqh32.exe	Fbopgb32.exe
File created	C:\Windows\SysWOW64\Lamajm32.dll	Nodgel32.exe
File created	C:\Windows\SysWOW64\Dglpkenb.dll	Caknol32.exe
File opened for modification	C:\Windows\SysWOW64\Enhacojl.exe	Enfenplo.exe
File opened for modification	C:\Windows\SysWOW64\Ikkjbe32.exe	Gdniqh32.exe
File opened for modification	C:\Windows\SysWOW64\Nodgel32.exe	Magqncba.exe
File opened for modification	C:\Windows\SysWOW64\Nlhgoqhh.exe	Nodgel32.exe
File created	C:\Windows\SysWOW64\Bbokmqie.exe	Behnnm32.exe
File created	C:\Windows\SysWOW64\Mhofcjea.dll	Ddgjdk32.exe
File opened for modification	C:\Windows\SysWOW64\Enfenplo.exe	Dggcffhg.exe
File opened for modification	C:\Windows\SysWOW64\Bjlqhoba.exe	9483d2fd9914f7c543497150b3730c643d71366395cf66469a1d8d548ce65641.exe
File opened for modification	C:\Windows\SysWOW64\Behnnm32.exe	Bjlqhoba.exe
File created	C:\Windows\SysWOW64\Mncfoa32.dll	Fbopgb32.exe
File created	C:\Windows\SysWOW64\Lmikibio.exe	Lndohedg.exe
File created	C:\Windows\SysWOW64\Lfdmggnm.exe	Lmikibio.exe
File created	C:\Windows\SysWOW64\Behnnm32.exe	Bjlqhoba.exe
File created	C:\Windows\SysWOW64\Qocjhb32.dll	Jghmfhmb.exe
File created	C:\Windows\SysWOW64\Mkmhaj32.exe	Modkfi32.exe
File created	C:\Windows\SysWOW64\Nodgel32.exe	Magqncba.exe
File opened for modification	C:\Windows\SysWOW64\Caknol32.exe	Cdbdjhmp.exe
File created	C:\Windows\SysWOW64\Ckccgane.exe	Caknol32.exe
File created	C:\Windows\SysWOW64\Oakomajq.dll	Ckccgane.exe
File created	C:\Windows\SysWOW64\Lchkpi32.dll	Dggcffhg.exe
File created	C:\Windows\SysWOW64\Igakgfpn.exe	Ikkjbe32.exe
File created	C:\Windows\SysWOW64\Dljnnb32.dll	Ikkjbe32.exe
File opened for modification	C:\Windows\SysWOW64\Kbidgeci.exe	Kqqboncb.exe
File opened for modification	C:\Windows\SysWOW64\Cdbdjhmp.exe	Bbokmqie.exe
File created	C:\Windows\SysWOW64\Pbkafj32.dll	Bbokmqie.exe
File created	C:\Windows\SysWOW64\Caknol32.exe	Cdbdjhmp.exe
File created	C:\Windows\SysWOW64\Ddgjdk32.exe	Ckccgane.exe
File created	C:\Windows\SysWOW64\Ifiacd32.dll	Enhacojl.exe
File created	C:\Windows\SysWOW64\Ikkjbe32.exe	Gdniqh32.exe
File created	C:\Windows\SysWOW64\Nmfmhhoj.dll	Igakgfpn.exe
File created	C:\Windows\SysWOW64\Mlcbenjb.exe	Lfdmggnm.exe
File created	C:\Windows\SysWOW64\Qaqkcf32.dll	Modkfi32.exe
File created	C:\Windows\SysWOW64\Bjlqhoba.exe	9483d2fd9914f7c543497150b3730c643d71366395cf66469a1d8d548ce65641.exe
File opened for modification	C:\Windows\SysWOW64\Dggcffhg.exe	Ddgjdk32.exe
File created	C:\Windows\SysWOW64\Pelggd32.dll	Kqqboncb.exe
File created	C:\Windows\SysWOW64\Bplpldoa.dll	Bjlqhoba.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2668	2992	WerFault.exe	55

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oakomajq.dll"	Ckccgane.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddgjdk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Enhacojl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Igakgfpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kqqboncb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	9483d2fd9914f7c543497150b3730c643d71366395cf66469a1d8d548ce65641.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opfdll32.dll"	Cdbdjhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lndohedg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkijpd32.dll"	Lndohedg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oegjkb32.dll"	9483d2fd9914f7c543497150b3730c643d71366395cf66469a1d8d548ce65641.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdbdjhmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdbdjhmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gdniqh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ikkjbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Kbidgeci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mlcbenjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mlcbenjb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjlqhoba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dggcffhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Enfenplo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bipikqbi.dll"	Jjbpgd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Kbidgeci.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Nodgel32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bbokmqie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dglpkenb.dll"	Caknol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lchkpi32.dll"	Dggcffhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dljnnb32.dll"	Ikkjbe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jghmfhmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bplpldoa.dll"	Bjlqhoba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Caknol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fbopgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pelggd32.dll"	Kqqboncb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lfdmggnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qocjhb32.dll"	Jghmfhmb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Magqncba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	9483d2fd9914f7c543497150b3730c643d71366395cf66469a1d8d548ce65641.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	9483d2fd9914f7c543497150b3730c643d71366395cf66469a1d8d548ce65641.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	9483d2fd9914f7c543497150b3730c643d71366395cf66469a1d8d548ce65641.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dggcffhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fbopgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Mkmhaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ckccgane.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhofcjea.dll"	Ddgjdk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Jjbpgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jghmfhmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qaqkcf32.dll"	Modkfi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elonamqm.dll"	Mkmhaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbkafj32.dll"	Bbokmqie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bbokmqie.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddgjdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mncfoa32.dll"	Fbopgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Igakgfpn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Mkmhaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lamajm32.dll"	Nodgel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Enfenplo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ikkjbe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ileiplhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lndohedg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Lmikibio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkhgoi32.dll"	Ileiplhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Jjbpgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnjgia32.dll"	Magqncba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Lmikibio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iggbhk32.dll"	Mlcbenjb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2736	2908	9483d2fd9914f7c543497150b3730c643d71366395cf66469a1d8d548ce65641.exe	28
PID 2908 wrote to memory of 2736	2908	9483d2fd9914f7c543497150b3730c643d71366395cf66469a1d8d548ce65641.exe	28
PID 2908 wrote to memory of 2736	2908	9483d2fd9914f7c543497150b3730c643d71366395cf66469a1d8d548ce65641.exe	28
PID 2908 wrote to memory of 2736	2908	9483d2fd9914f7c543497150b3730c643d71366395cf66469a1d8d548ce65641.exe	28
PID 2736 wrote to memory of 2592	2736	Bjlqhoba.exe	29
PID 2736 wrote to memory of 2592	2736	Bjlqhoba.exe	29
PID 2736 wrote to memory of 2592	2736	Bjlqhoba.exe	29
PID 2736 wrote to memory of 2592	2736	Bjlqhoba.exe	29
PID 2592 wrote to memory of 2568	2592	Behnnm32.exe	30
PID 2592 wrote to memory of 2568	2592	Behnnm32.exe	30
PID 2592 wrote to memory of 2568	2592	Behnnm32.exe	30
PID 2592 wrote to memory of 2568	2592	Behnnm32.exe	30
PID 2568 wrote to memory of 2372	2568	Bbokmqie.exe	31
PID 2568 wrote to memory of 2372	2568	Bbokmqie.exe	31
PID 2568 wrote to memory of 2372	2568	Bbokmqie.exe	31
PID 2568 wrote to memory of 2372	2568	Bbokmqie.exe	31
PID 2372 wrote to memory of 2580	2372	Cdbdjhmp.exe	32
PID 2372 wrote to memory of 2580	2372	Cdbdjhmp.exe	32
PID 2372 wrote to memory of 2580	2372	Cdbdjhmp.exe	32
PID 2372 wrote to memory of 2580	2372	Cdbdjhmp.exe	32
PID 2580 wrote to memory of 2492	2580	Caknol32.exe	33
PID 2580 wrote to memory of 2492	2580	Caknol32.exe	33
PID 2580 wrote to memory of 2492	2580	Caknol32.exe	33
PID 2580 wrote to memory of 2492	2580	Caknol32.exe	33
PID 2492 wrote to memory of 1596	2492	Ckccgane.exe	34
PID 2492 wrote to memory of 1596	2492	Ckccgane.exe	34
PID 2492 wrote to memory of 1596	2492	Ckccgane.exe	34
PID 2492 wrote to memory of 1596	2492	Ckccgane.exe	34
PID 1596 wrote to memory of 2532	1596	Ddgjdk32.exe	35
PID 1596 wrote to memory of 2532	1596	Ddgjdk32.exe	35
PID 1596 wrote to memory of 2532	1596	Ddgjdk32.exe	35
PID 1596 wrote to memory of 2532	1596	Ddgjdk32.exe	35
PID 2532 wrote to memory of 2416	2532	Dggcffhg.exe	36
PID 2532 wrote to memory of 2416	2532	Dggcffhg.exe	36
PID 2532 wrote to memory of 2416	2532	Dggcffhg.exe	36
PID 2532 wrote to memory of 2416	2532	Dggcffhg.exe	36
PID 2416 wrote to memory of 2004	2416	Enfenplo.exe	37
PID 2416 wrote to memory of 2004	2416	Enfenplo.exe	37
PID 2416 wrote to memory of 2004	2416	Enfenplo.exe	37
PID 2416 wrote to memory of 2004	2416	Enfenplo.exe	37
PID 2004 wrote to memory of 580	2004	Enhacojl.exe	38
PID 2004 wrote to memory of 580	2004	Enhacojl.exe	38
PID 2004 wrote to memory of 580	2004	Enhacojl.exe	38
PID 2004 wrote to memory of 580	2004	Enhacojl.exe	38
PID 580 wrote to memory of 1012	580	Fbopgb32.exe	39
PID 580 wrote to memory of 1012	580	Fbopgb32.exe	39
PID 580 wrote to memory of 1012	580	Fbopgb32.exe	39
PID 580 wrote to memory of 1012	580	Fbopgb32.exe	39
PID 1012 wrote to memory of 1764	1012	Gdniqh32.exe	40
PID 1012 wrote to memory of 1764	1012	Gdniqh32.exe	40
PID 1012 wrote to memory of 1764	1012	Gdniqh32.exe	40
PID 1012 wrote to memory of 1764	1012	Gdniqh32.exe	40
PID 1764 wrote to memory of 2392	1764	Ikkjbe32.exe	41
PID 1764 wrote to memory of 2392	1764	Ikkjbe32.exe	41
PID 1764 wrote to memory of 2392	1764	Ikkjbe32.exe	41
PID 1764 wrote to memory of 2392	1764	Ikkjbe32.exe	41
PID 2392 wrote to memory of 1944	2392	Igakgfpn.exe	42
PID 2392 wrote to memory of 1944	2392	Igakgfpn.exe	42
PID 2392 wrote to memory of 1944	2392	Igakgfpn.exe	42
PID 2392 wrote to memory of 1944	2392	Igakgfpn.exe	42
PID 1944 wrote to memory of 2368	1944	Ileiplhn.exe	43
PID 1944 wrote to memory of 2368	1944	Ileiplhn.exe	43
PID 1944 wrote to memory of 2368	1944	Ileiplhn.exe	43
PID 1944 wrote to memory of 2368	1944	Ileiplhn.exe	43

C:\Users\Admin\AppData\Local\Temp\9483d2fd9914f7c543497150b3730c643d71366395cf66469a1d8d548ce65641.exe
"C:\Users\Admin\AppData\Local\Temp\9483d2fd9914f7c543497150b3730c643d71366395cf66469a1d8d548ce65641.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2908
- C:\Windows\SysWOW64\Bjlqhoba.exe
  C:\Windows\system32\Bjlqhoba.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\SysWOW64\Behnnm32.exe
    C:\Windows\system32\Behnnm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Windows\SysWOW64\Bbokmqie.exe
      C:\Windows\system32\Bbokmqie.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2568
    - - C:\Windows\SysWOW64\Cdbdjhmp.exe
        
        C:\Windows\system32\Cdbdjhmp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2372
      - C:\Windows\SysWOW64\Caknol32.exe
        
        C:\Windows\system32\Caknol32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\SysWOW64\Ckccgane.exe
        
        C:\Windows\system32\Ckccgane.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\SysWOW64\Ddgjdk32.exe
        
        C:\Windows\system32\Ddgjdk32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\Dggcffhg.exe
        
        C:\Windows\system32\Dggcffhg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\Enfenplo.exe
        
        C:\Windows\system32\Enfenplo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Enhacojl.exe
        
        C:\Windows\system32\Enhacojl.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Fbopgb32.exe
        
        C:\Windows\system32\Fbopgb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:580
        
        C:\Windows\SysWOW64\Gdniqh32.exe
        
        C:\Windows\system32\Gdniqh32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\SysWOW64\Ikkjbe32.exe
        
        C:\Windows\system32\Ikkjbe32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\SysWOW64\Igakgfpn.exe
        
        C:\Windows\system32\Igakgfpn.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\SysWOW64\Ileiplhn.exe
        
        C:\Windows\system32\Ileiplhn.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Jjbpgd32.exe
        
        C:\Windows\system32\Jjbpgd32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Jghmfhmb.exe
        
        C:\Windows\system32\Jghmfhmb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Kqqboncb.exe
        
        C:\Windows\system32\Kqqboncb.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Kbidgeci.exe
        
        C:\Windows\system32\Kbidgeci.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1880
        
        C:\Windows\SysWOW64\Lndohedg.exe
        
        C:\Windows\system32\Lndohedg.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:984
        
        C:\Windows\SysWOW64\Lmikibio.exe
        
        C:\Windows\system32\Lmikibio.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Lfdmggnm.exe
        
        C:\Windows\system32\Lfdmggnm.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Mlcbenjb.exe
        
        C:\Windows\system32\Mlcbenjb.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Modkfi32.exe
        
        C:\Windows\system32\Modkfi32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Mkmhaj32.exe
        
        C:\Windows\system32\Mkmhaj32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Magqncba.exe
        
        C:\Windows\system32\Magqncba.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Nodgel32.exe
        
        C:\Windows\system32\Nodgel32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Nlhgoqhh.exe
        
        C:\Windows\system32\Nlhgoqhh.exe
        29⤵
        Executes dropped EXE
        
        PID:2992
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2992 -s 140
        30⤵
        Loads dropped DLL
        Program crash
        
        PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Behnnm32.exe

Filesize
402KB

MD5
5886f74b0dcaf372d23a35fde782e36b

SHA1
cc316aa9047a56ec973cbe8c3354e43b6f51774a

SHA256
14b8d4ada5d78d4661410ae41ea89c10e504a3ee7578041c0757004dda299202

SHA512
ed66b1eea246e36adc3660291a2550053c2c9afb450406ec1460b0a4997b5f6eee9b5a2a600415a4aa0bfee4c009fbea01f48159506d87b08c69573d11985526

Download Submit
C:\Windows\SysWOW64\Cdbdjhmp.exe

Filesize
402KB

MD5
eabeaced3ca02acc3dc91d09104e2fc8

SHA1
978f02e1783b2879f910f1d7b596c471e3f27e52

SHA256
84e08d0db806d2089750db751992fbd9a7af5887abb5ce11fc19b7400a1af150

SHA512
6efc684ef30c39091c973c94ac889bf974f3a24e941f5fcc2ffecfd0126304ffc00d46fb774b097582c730b27d5ca966257264b04bdf5ba26bb65eb137b08b84

Download Submit
C:\Windows\SysWOW64\Enfenplo.exe

Filesize
402KB

MD5
d02965f17a573036c81d95f1e37bd9c2

SHA1
575af41b294130d1263fa3064bca7c493ee41378

SHA256
402a3fcea798f6e0d94d9c0f79ef75343867a3396280b89749f86265eee2d88c

SHA512
63918eb0fe716f887c564db58b0b80ac9acd1acf1c7c1af99502bce5190fb4604326e124aca1542e8777d3816d1ff14146c8205089b3645b314da18bf208c76a

Download Submit
C:\Windows\SysWOW64\Jghmfhmb.exe

Filesize
402KB

MD5
e6cdf8853b6390098b192b08b202036a

SHA1
2d02f57b4815555c53bb3540ab25ee556f502ef1

SHA256
0355a7f914b348415b406238594571e5eadf5754a31278e7959e7fdfdcb6e02c

SHA512
0855f9de62bc4e877b6234586b9b1f42d296fc75606f3d51a15e52e043544243bc9455b856c20801efcd02628cd47a4d995e5622c5a582a91f81993f50342421

Download Submit
C:\Windows\SysWOW64\Kbidgeci.exe

Filesize
402KB

MD5
5a07b53fa45580393a942c17f54202ac

SHA1
04313234da04290f1154d66f4a7e078c9ec026fe

SHA256
07ee7fe226ff9cceab601f6e3e1d5ec0ec6b468cb0f98e6246c44162954e7b86

SHA512
dd4cd7407dea722bc870c1aac83b65fc080456e5324d9c407912e8a5d93d03815de168b6d5dc327d5ba379b8fbb9c7a88364412d6d4f1128e559d486d09177fe

Download Submit
C:\Windows\SysWOW64\Kqqboncb.exe

Filesize
402KB

MD5
2f50cdb8cd64b7b4959a0eede506db5a

SHA1
e1975ef5d94b5e28d81b17a7fb26694950216143

SHA256
114a7f0e059c4d0ad310e6711563622f5d4d075932b5e8f5dca9a2771b0f5c71

SHA512
8c9f21cb61827121eab9a7aa84346e27c11e5011acb3d55bc2b7f2dc60c91fcbbfb8e15cf1b27211c5a7a2235cbb10030a315ddf9549dc0ae53a07a76eca5972

Download Submit
C:\Windows\SysWOW64\Lfdmggnm.exe

Filesize
402KB

MD5
b7b50b82510078af742ec87a6cab2723

SHA1
2175d4034fbae79ae4848df97fca9d8ed8dbd94e

SHA256
1f4c7967a146558e0272a6a82dca96def3ac9e11ca4e9a62e1b2f09e6c190967

SHA512
0a81c99e97381e0d9ff23f075b228501c4cb85ab11467684172b31d4ed93c4523f05cabf13d686c8378f6a254b5122a906ff7de24f59132114043af1e137d841

Download Submit
C:\Windows\SysWOW64\Lmikibio.exe

Filesize
402KB

MD5
f0794d58c0db5908a5b003de076b296e

SHA1
b1452658e3c2604b04296e505ddca214783b1e3e

SHA256
99757e2984e01cdcafded28ccc96448b5150ee711be45a0250ca9bb9e060359c

SHA512
62a32a7a10ee08ba4164ff8ce18fb5fe6d4d74468135f06ad6a73cffe5b39449bbc5ef950f368c0d0e45fe14b8323329c1e749eb340f6e46488e3a0ae211a66c

Download Submit
C:\Windows\SysWOW64\Lndohedg.exe

Filesize
402KB

MD5
9ba50a2cfd47729c4668279775a68e7e

SHA1
110dbb54c798504f7aab9fe3d210c93c3b25ae85

SHA256
2822cfa996be7f5e9c42be7b083b9a392c9b83866c8a4afa9662ac1316cc7c72

SHA512
9359e760bbcbd5cf851574bd5caa87e16c4537741c0900890bd3deefce3d2e32201278fa155723ffdde5eff92ff3cddb11983502da200a5daa68bd490d1591cc

Download Submit
C:\Windows\SysWOW64\Magqncba.exe

Filesize
402KB

MD5
ea5d41f761e23ca6e8b5154b6fb51be2

SHA1
fcef6a78a7bef70fa8e1d60cbf380e92424e3cdc

SHA256
bc751cb10ad03549c0cfc026a06903b7a296342f42d8865ffb80d73ff0a91f53

SHA512
71a1f8b5d2ca272166d6290b9c45fd81cf9806e1a5e43d389b6b58fbe6c62f8226e1852a7a48053f174c949800431fb38b3f3acb18f308665f1c1f17bfea7749

Download Submit
C:\Windows\SysWOW64\Mkmhaj32.exe

Filesize
402KB

MD5
8ae0567409a66168a90fc8bb06be421a

SHA1
2a3c7151d0ec6d82722e168e52e4c7817b6dd39b

SHA256
b8a07190668e0ea4fe6faede616771554901a7f262e3ed85c384ef75386a81ab

SHA512
5b76a7e09691f4792447485e5dc7360a4591366aedb7f5536503988be75d149ea78b735d06f350c162e01b38d10d8cbcb00272fe8ad677b24910918753e6e760

Download Submit
C:\Windows\SysWOW64\Mlcbenjb.exe

Filesize
402KB

MD5
17f57ce533c529c97b3117c5236b5044

SHA1
2cd6d85175ca21f769508641e328527b9fb17eb7

SHA256
8bbfd46332499b7515ba9d0f023ac21bc717a3af594383d7e62243fff08697b6

SHA512
6a7b66d24100f257f736cc86936b82887acad39916166dd4b98a7d848ee28e9451b3d6bcd6a8567413ad56c86f668b26def219e7026a6f081acee51df66d524b

Download Submit
C:\Windows\SysWOW64\Modkfi32.exe

Filesize
402KB

MD5
c419042bfc5d13dca55ee9c87ac6d83a

SHA1
e289107b85a748af0d05cb9bba5dddb8aea81909

SHA256
0d40ddec6454183bc6c230fd0dbe63c78c4ce6914433d388efcc896ccd7ed17f

SHA512
99c4bd6ddbbb204862d8868f4ad04f598a621cc428fb39ea1cb31a788cd2bb302aefed383accc85fcca90e1f051c0369d3d565d8ca499a254311173181ce29ff

Download Submit
C:\Windows\SysWOW64\Nlhgoqhh.exe

Filesize
402KB

MD5
6e191723f33ea8837cd3c37ed52fd796

SHA1
1c2fdfa1422a432d0eb841c975b6f3c702632dc7

SHA256
05c0d856e6bba250e9c5c484d5c8ccbd8917493c6afbf981e8d2bf93c9a48fc3

SHA512
2129b44f40083207e166f5654e450179d95a7e4237f98e459bcc80444174d1abbae09a9ad975cef6de80c31d5e336cfbefbb23acf46a30be8c9a062a05d7160c

Download Submit
C:\Windows\SysWOW64\Nodgel32.exe

Filesize
402KB

MD5
b55d5182652a66870f4ac9c35edee1ed

SHA1
58e1c32175bd9dfb0d84e9c0b56370eaceb493a9

SHA256
fa497ee006320468c2b2f83ff116ffb0b6defae79094a0f17b2d4398485880ce

SHA512
520cfb420f1509b60c458acbec4e96e14f7799b984af1ad15688b0a630cd0edb155500aee869f56e1fab709d3b1e3cb3a7ed4d171b6910b2313257abf99b8c6a

Download Submit
C:\Windows\SysWOW64\Opfdll32.dll

Filesize
7KB

MD5
7007b9946e5b12ad5051cf1ecee15e84

SHA1
a6d4f79c9107b481937ace3f7808510f446fc2ba

SHA256
e867258ebb28e6204950f4119d178112fbb03e0e576e1b873fbba9111d5953cb

SHA512
a943e401606590ad20c6c2a1a757579b411ab846c48e9f1a219d43b97bd351237ef144abdc4519991314efef87acfdf89b204e7b2c7686bb8f241f8d10ac1914

Download Submit
\Windows\SysWOW64\Bbokmqie.exe

Filesize
402KB

MD5
25b7a737a4e7e574130e33298730a8be

SHA1
ed7eb6a82e10ddde45da8f33357797eaae25eb24

SHA256
dd0cc0fd96b385adc45b478e505ba6434561cdefa103aaa9abea54c31a3ea34f

SHA512
35bfdcdfc36179094969c213799a912dbc9af50d9a237105ecd6a0e26ca99e78267e71c8be77d0b6ef0ea0e913b2c1b7872d2642f85fdb510e2a82953061a190

Download Submit
\Windows\SysWOW64\Bjlqhoba.exe

Filesize
402KB

MD5
ff18b0d7137896f5315e47f15266ec78

SHA1
c9c83fea2199f431a0e7f18f29f2019a2a170614

SHA256
a0e1b600dec20ef06207070a5690644db068007da7dc763aafb359ce19a15f5f

SHA512
a84bd536d55030ae6fc1cecac5d27587fe44fa64d55076fe6b7bb24c932df7b5c1abc3c91fffc2171c35b6313b0107936e53fb36a4d580f132a64077d2d45292

Download Submit
\Windows\SysWOW64\Caknol32.exe

Filesize
402KB

MD5
879f74c9a9b9392819b65117b2ace8bd

SHA1
8e61b97e980048610d3a8f0ea4ede5d9c7b31128

SHA256
7be79e572c2222950a183a6b1d7db87903eada8f01a4dbe4083ff868d7ca9a4d

SHA512
d69871810f4e493570f8c674b6f977095605f7424c21e0a708519fde0203e3b7eb382cabd7020668065fc5e2926de9a4cdd3309af7767feb58bfbb4f0da6084c

Download Submit
\Windows\SysWOW64\Ckccgane.exe

Filesize
402KB

MD5
f82b341b92ed4d2d8362492c1572e126

SHA1
b38865e05a45085dd9fa38e7202c623f2b4db4af

SHA256
3ebd212905d61be8ac90fa2e87c2ff3047792c08aad40d51c01e1e22518c89bf

SHA512
cb3e4a45b071b27969a011ac176e285b3d5b792bcfdc2a405b55e0832572a32084970620c59792a651aee8d99622b029ec235d59fb9a01bad77256e0885707b4

Download Submit
\Windows\SysWOW64\Ddgjdk32.exe

Filesize
402KB

MD5
42b1018210cec1866fb728e6dc8efe93

SHA1
5d5ce7b9be397dfa0a7a9e44cbe24c53ef9aae7e

SHA256
a5113bcaa64adb5de7a8b5d127acfc06046ff830901147221c14ea7d35fc2235

SHA512
c610e914bef9c87d01420f629cfab867fb18c8f6f1f4b7d8a62b3eaf2075a59adef4294e59934c6e276fd727b89dc695c6cc1ea0528ffb3c3a926024a4f056f2

Download Submit
\Windows\SysWOW64\Dggcffhg.exe

Filesize
402KB

MD5
2f1cd2fff90fee4b3914a5d18be946be

SHA1
e6110d614d6300a23991b229d8546a0846d7ec20

SHA256
e4854d1399b1a2ba80101d5b35c097b6f277fa2276fc03983184606a5b133fef

SHA512
f302ed77ef0ca766b6c8080300366d2150411ccec51041483c9bfd754dbe6f4d6919b957b2b689a4fe94e287fa74ac12e47b09c8d5990ccc422fe3a952bf8c19

Download Submit
\Windows\SysWOW64\Enhacojl.exe

Filesize
402KB

MD5
d47917874017729a5f896ad9ac958b9c

SHA1
b10557dafca62f031ff60ca9d22a49afeee20594

SHA256
8e5f9992bdca5705b3e10ce3b3f52cff7a0d1183ba41d75f8c7911e39185c25c

SHA512
5ad1334d62e5c9d6c404a003b208d3cc25ba660bffd6d8129a2ab2caefc8979b9681ba4ef77a760ff5adb6a4ce837932658ecfc287ef6e06f67d574dbc697524

Download Submit
\Windows\SysWOW64\Fbopgb32.exe

Filesize
402KB

MD5
bdb7865ab36ba35c43343709abac0b19

SHA1
37285dd5ad748b05020c0d40c81590d3b29a2ed7

SHA256
8fd0ecb8a79dd250940397a1d4e327c3440d2edccfa67587093e3e88196991fe

SHA512
5dcf45a7c0d89ee825503d47ddf591661b22f23975115f370778e45b78962a3a0b52fe9d464ce049d844cfa27754d40b87d36b2a1ae14bf77c855f9f3a5e7757

Download Submit
\Windows\SysWOW64\Gdniqh32.exe

Filesize
402KB

MD5
b7842b4c73a688f3b8cae7f2863e308b

SHA1
dadd377fd58b735432744d20d5ccca22b12c8c15

SHA256
9c1d898edb3e1c9ed6388881ac4d657c2c4a46c8228d2c3595c1ae34d876a3b9

SHA512
f6cac404d295925be73523db6deec1e847ac526b95cba7dbd6ea00fa551a6ae2a30fba4848c317c346f6a5df00dbfc127747b79413effdb911abb15145940609

Download Submit
\Windows\SysWOW64\Igakgfpn.exe

Filesize
402KB

MD5
71b8c2732d8d20b3de302c243f3e3fae

SHA1
f705ca92ff44a1e05df6535e2007bf1628c3db24

SHA256
bf4cedb719eaf8fc1457128816590477a0ee6e28f4a355120bb74a880e107f2a

SHA512
0ca1f5f880e53de4c53f2b9886d99ad3b9c7a154bf53f9b9e7c3f264ccb38e26f503f05e91c5dae3dc754bae8c7d9bde86909f746ed41bcd0b943f8aaec5d6dd

Download Submit
\Windows\SysWOW64\Ikkjbe32.exe

Filesize
402KB

MD5
0ecacda99d0ce37f67120afbb41edb4b

SHA1
398893e8c9dcbe4741a1435886b5da94b322083d

SHA256
98b2176f9a3630746cbf7c7c604f6707197ad5092811b7fe2c70062712aa4162

SHA512
0e15b879ae227bed22fdb202519c5600e10778b084c1721a8d581f100e46862e00d270330a0596acf64f5aedf5f4dae2427e781f8636fe997ae1996d5e46c30d

Download Submit
\Windows\SysWOW64\Ileiplhn.exe

Filesize
402KB

MD5
f23dade7d6afe1bc296b0f652be42dd6

SHA1
7863498b2b65514a60352407987f7dbe17ae19a5

SHA256
7d331a41e63b2c296e5cf3579dc3dd34f629cc2595803ee11d021ed9c4c05a1c

SHA512
f68fb9a9732d4985c1d1b8d325e32d377a277246e72418e2377b89c0e69806bbd30fffb51849ea1d1999c7442cb439de1bdc46eece8c9175a95d526cd63eeb52

Download Submit
\Windows\SysWOW64\Jjbpgd32.exe

Filesize
402KB

MD5
8c566d94bb7d53304a1b3effe6d30bc8

SHA1
55bcb4a1bc68d77b3ab99fa923b8b724c93ab008

SHA256
4e5826168275ec47541d28bace6e1e5cedc0e1d5d2941fc896b3a2614ec5057c

SHA512
2f901fb5d7802d001b70e191c78b3faa9f2ee711d23b44928eb08646569b774641f18216b8b4d9c0e40e9ae54a35262cdbde21afa594b7c6dc3bc1538f20d4ff

Download Submit
memory/580-156-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/580-160-0x0000000000280000-0x000000000030C000-memory.dmp

Filesize
560KB

Download
memory/580-161-0x0000000000280000-0x000000000030C000-memory.dmp

Filesize
560KB

Download
memory/984-284-0x0000000000490000-0x000000000051C000-memory.dmp

Filesize
560KB

Download
memory/984-278-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/984-285-0x0000000000490000-0x000000000051C000-memory.dmp

Filesize
560KB

Download
memory/1012-171-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1012-174-0x0000000000220000-0x00000000002AC000-memory.dmp

Filesize
560KB

Download
memory/1012-182-0x0000000000220000-0x00000000002AC000-memory.dmp

Filesize
560KB

Download
memory/1064-246-0x0000000000220000-0x00000000002AC000-memory.dmp

Filesize
560KB

Download
memory/1064-249-0x0000000000220000-0x00000000002AC000-memory.dmp

Filesize
560KB

Download
memory/1064-241-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1756-342-0x00000000002F0000-0x000000000037C000-memory.dmp

Filesize
560KB

Download
memory/1756-347-0x00000000002F0000-0x000000000037C000-memory.dmp

Filesize
560KB

Download
memory/1756-327-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1764-189-0x0000000000500000-0x000000000058C000-memory.dmp

Filesize
560KB

Download
memory/1764-194-0x0000000000500000-0x000000000058C000-memory.dmp

Filesize
560KB

Download
memory/1764-180-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1880-262-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1880-273-0x0000000000340000-0x00000000003CC000-memory.dmp

Filesize
560KB

Download
memory/1880-272-0x0000000000340000-0x00000000003CC000-memory.dmp

Filesize
560KB

Download
memory/1944-216-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/1944-230-0x0000000000220000-0x00000000002AC000-memory.dmp

Filesize
560KB

Download
memory/1944-223-0x0000000000220000-0x00000000002AC000-memory.dmp

Filesize
560KB

Download
memory/2004-155-0x0000000000490000-0x000000000051C000-memory.dmp

Filesize
560KB

Download
memory/2004-141-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2004-149-0x0000000000490000-0x000000000051C000-memory.dmp

Filesize
560KB

Download
memory/2176-326-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2176-329-0x0000000001D00000-0x0000000001D8C000-memory.dmp

Filesize
560KB

Download
memory/2176-328-0x0000000001D00000-0x0000000001D8C000-memory.dmp

Filesize
560KB

Download
memory/2180-307-0x0000000001C60000-0x0000000001CEC000-memory.dmp

Filesize
560KB

Download
memory/2180-305-0x0000000001C60000-0x0000000001CEC000-memory.dmp

Filesize
560KB

Download
memory/2180-300-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2368-235-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2368-240-0x0000000000320000-0x00000000003AC000-memory.dmp

Filesize
560KB

Download
memory/2372-53-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2372-71-0x0000000000220000-0x00000000002AC000-memory.dmp

Filesize
560KB

Download
memory/2392-209-0x0000000000490000-0x000000000051C000-memory.dmp

Filesize
560KB

Download
memory/2392-196-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2392-215-0x0000000000490000-0x000000000051C000-memory.dmp

Filesize
560KB

Download
memory/2404-254-0x0000000000220000-0x00000000002AC000-memory.dmp

Filesize
560KB

Download
memory/2404-252-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2404-258-0x0000000000220000-0x00000000002AC000-memory.dmp

Filesize
560KB

Download
memory/2412-283-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2412-290-0x00000000002B0000-0x000000000033C000-memory.dmp

Filesize
560KB

Download
memory/2412-295-0x00000000002B0000-0x000000000033C000-memory.dmp

Filesize
560KB

Download
memory/2416-126-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2416-139-0x0000000000220000-0x00000000002AC000-memory.dmp

Filesize
560KB

Download
memory/2416-140-0x0000000000220000-0x00000000002AC000-memory.dmp

Filesize
560KB

Download
memory/2492-80-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2492-93-0x0000000000220000-0x00000000002AC000-memory.dmp

Filesize
560KB

Download
memory/2528-325-0x0000000000220000-0x00000000002AC000-memory.dmp

Filesize
560KB

Download
memory/2528-306-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2528-317-0x0000000000220000-0x00000000002AC000-memory.dmp

Filesize
560KB

Download
memory/2532-111-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2532-119-0x00000000002A0000-0x000000000032C000-memory.dmp

Filesize
560KB

Download
memory/2532-125-0x00000000002A0000-0x000000000032C000-memory.dmp

Filesize
560KB

Download
memory/2568-40-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2580-72-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2736-32-0x0000000000230000-0x00000000002BC000-memory.dmp

Filesize
560KB

Download
memory/2736-23-0x0000000000230000-0x00000000002BC000-memory.dmp

Filesize
560KB

Download
memory/2736-13-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2908-0-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/2908-6-0x00000000002A0000-0x000000000032C000-memory.dmp

Filesize
560KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads