75c56e48e9799244e81d2a0d99bedea6a1899ad684889c02b258da9a480b46d6

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-04-2024 23:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75c56e48e9799244e81d2a0d99bedea6a1899ad684889c02b258da9a480b46d6.exe
Size

304KB
MD5

06304306b33795315e48a4530158f2a7
SHA1

64446ab24d7728a2cc285f1cc749d172c207e75b
SHA256

75c56e48e9799244e81d2a0d99bedea6a1899ad684889c02b258da9a480b46d6
SHA512

4c2509dd3e91c5dad6ab8fd42ce54cde96315d458a236932cf4b6284a3afe1726ace214282ee64d6e8356b1e6f2ad33c5053b32759f44c3f309e1e8e2d5e2588
SSDEEP

3072:cnyQHiQW74FeGeDM1IRwMkUIunCaRdelrOyX6gu+tAcrbFAJc+RsUi1aVDkOvhJN:cyaarMNxunXe8yhrtMsQBvli+RQFdq

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhkpmjln.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmhheqje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Epdkli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hlakpp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjddchg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpknlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gldkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ffkcbgek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fbgmbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlfdkoin.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epdkli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Efppoc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hahjpbad.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbgmbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gldkfl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gogangdc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiekid32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flabbihl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffkcbgek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hlfdkoin.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Emhlfmgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gicbeald.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emhlfmgj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eeempocb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	75c56e48e9799244e81d2a0d99bedea6a1899ad684889c02b258da9a480b46d6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eeempocb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqonkmdh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egdilkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Egdilkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Flabbihl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlakpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	75c56e48e9799244e81d2a0d99bedea6a1899ad684889c02b258da9a480b46d6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hiekid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fhkpmjln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Eqonkmdh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efppoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fmhheqje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hahjpbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hjjddchg.exe

Executes dropped EXE 26 IoCs

pid	Process
2360	Eqonkmdh.exe
1376	Epdkli32.exe
2572	Emhlfmgj.exe
2644	Efppoc32.exe
2432	Eeempocb.exe
2440	Egdilkbf.exe
1212	Flabbihl.exe
2764	Ffkcbgek.exe
2880	Fhkpmjln.exe
1976	Fmhheqje.exe
1900	Fbgmbg32.exe
2884	Gpknlk32.exe
2332	Gicbeald.exe
2216	Gldkfl32.exe
868	Gacpdbej.exe
1444	Gogangdc.exe
1108	Hahjpbad.exe
1452	Hgdbhi32.exe
3028	Hlakpp32.exe
1936	Hiekid32.exe
3044	Hcnpbi32.exe
1560	Hlfdkoin.exe
2296	Hjjddchg.exe
1940	Iaeiieeb.exe
652	Ilknfn32.exe
2136	Iagfoe32.exe

Loads dropped DLL 56 IoCs

pid	Process
2012	75c56e48e9799244e81d2a0d99bedea6a1899ad684889c02b258da9a480b46d6.exe
2012	75c56e48e9799244e81d2a0d99bedea6a1899ad684889c02b258da9a480b46d6.exe
2360	Eqonkmdh.exe
2360	Eqonkmdh.exe
1376	Epdkli32.exe
1376	Epdkli32.exe
2572	Emhlfmgj.exe
2572	Emhlfmgj.exe
2644	Efppoc32.exe
2644	Efppoc32.exe
2432	Eeempocb.exe
2432	Eeempocb.exe
2440	Egdilkbf.exe
2440	Egdilkbf.exe
1212	Flabbihl.exe
1212	Flabbihl.exe
2764	Ffkcbgek.exe
2764	Ffkcbgek.exe
2880	Fhkpmjln.exe
2880	Fhkpmjln.exe
1976	Fmhheqje.exe
1976	Fmhheqje.exe
1900	Fbgmbg32.exe
1900	Fbgmbg32.exe
2884	Gpknlk32.exe
2884	Gpknlk32.exe
2332	Gicbeald.exe
2332	Gicbeald.exe
2216	Gldkfl32.exe
2216	Gldkfl32.exe
868	Gacpdbej.exe
868	Gacpdbej.exe
1444	Gogangdc.exe
1444	Gogangdc.exe
1108	Hahjpbad.exe
1108	Hahjpbad.exe
1452	Hgdbhi32.exe
1452	Hgdbhi32.exe
3028	Hlakpp32.exe
3028	Hlakpp32.exe
1936	Hiekid32.exe
1936	Hiekid32.exe
3044	Hcnpbi32.exe
3044	Hcnpbi32.exe
1560	Hlfdkoin.exe
1560	Hlfdkoin.exe
2296	Hjjddchg.exe
2296	Hjjddchg.exe
1940	Iaeiieeb.exe
1940	Iaeiieeb.exe
652	Ilknfn32.exe
652	Ilknfn32.exe
2192	WerFault.exe
2192	WerFault.exe
2192	WerFault.exe
2192	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kleiio32.dll	Gpknlk32.exe
File opened for modification	C:\Windows\SysWOW64\Eqonkmdh.exe	75c56e48e9799244e81d2a0d99bedea6a1899ad684889c02b258da9a480b46d6.exe
File created	C:\Windows\SysWOW64\Glpjaf32.dll	Eqonkmdh.exe
File created	C:\Windows\SysWOW64\Ffkcbgek.exe	Flabbihl.exe
File opened for modification	C:\Windows\SysWOW64\Fmhheqje.exe	Fhkpmjln.exe
File created	C:\Windows\SysWOW64\Gogangdc.exe	Gacpdbej.exe
File opened for modification	C:\Windows\SysWOW64\Hcnpbi32.exe	Hiekid32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Fmhheqje.exe	Fhkpmjln.exe
File opened for modification	C:\Windows\SysWOW64\Emhlfmgj.exe	Epdkli32.exe
File created	C:\Windows\SysWOW64\Kgcampld.dll	Epdkli32.exe
File opened for modification	C:\Windows\SysWOW64\Egdilkbf.exe	Eeempocb.exe
File created	C:\Windows\SysWOW64\Midahn32.dll	Eeempocb.exe
File created	C:\Windows\SysWOW64\Flabbihl.exe	Egdilkbf.exe
File opened for modification	C:\Windows\SysWOW64\Ffkcbgek.exe	Flabbihl.exe
File created	C:\Windows\SysWOW64\Ikkbnm32.dll	Ffkcbgek.exe
File opened for modification	C:\Windows\SysWOW64\Fbgmbg32.exe	Fmhheqje.exe
File created	C:\Windows\SysWOW64\Hahjpbad.exe	Gogangdc.exe
File created	C:\Windows\SysWOW64\Hiekid32.exe	Hlakpp32.exe
File created	C:\Windows\SysWOW64\Emhlfmgj.exe	Epdkli32.exe
File created	C:\Windows\SysWOW64\Bfekgp32.dll	Fmhheqje.exe
File created	C:\Windows\SysWOW64\Gmibbifn.dll	Hjjddchg.exe
File created	C:\Windows\SysWOW64\Efppoc32.exe	Emhlfmgj.exe
File created	C:\Windows\SysWOW64\Eeempocb.exe	Efppoc32.exe
File created	C:\Windows\SysWOW64\Lonkjenl.dll	Efppoc32.exe
File created	C:\Windows\SysWOW64\Kdanej32.dll	Flabbihl.exe
File opened for modification	C:\Windows\SysWOW64\Fhkpmjln.exe	Ffkcbgek.exe
File opened for modification	C:\Windows\SysWOW64\Epdkli32.exe	Eqonkmdh.exe
File opened for modification	C:\Windows\SysWOW64\Gicbeald.exe	Gpknlk32.exe
File created	C:\Windows\SysWOW64\Hlakpp32.exe	Hgdbhi32.exe
File created	C:\Windows\SysWOW64\Anllbdkl.dll	Hgdbhi32.exe
File opened for modification	C:\Windows\SysWOW64\Hlfdkoin.exe	Hcnpbi32.exe
File created	C:\Windows\SysWOW64\Mhfkbo32.dll	Hlfdkoin.exe
File created	C:\Windows\SysWOW64\Pdpfph32.dll	Iaeiieeb.exe
File created	C:\Windows\SysWOW64\Pnnclg32.dll	Gicbeald.exe
File created	C:\Windows\SysWOW64\Khejeajg.dll	Hiekid32.exe
File created	C:\Windows\SysWOW64\Gbolehjh.dll	Emhlfmgj.exe
File created	C:\Windows\SysWOW64\Jeccgbbh.dll	Fhkpmjln.exe
File created	C:\Windows\SysWOW64\Gacpdbej.exe	Gldkfl32.exe
File opened for modification	C:\Windows\SysWOW64\Hlakpp32.exe	Hgdbhi32.exe
File created	C:\Windows\SysWOW64\Iaeiieeb.exe	Hjjddchg.exe
File created	C:\Windows\SysWOW64\Gicbeald.exe	Gpknlk32.exe
File opened for modification	C:\Windows\SysWOW64\Gldkfl32.exe	Gicbeald.exe
File opened for modification	C:\Windows\SysWOW64\Gacpdbej.exe	Gldkfl32.exe
File created	C:\Windows\SysWOW64\Njmekj32.dll	Gogangdc.exe
File created	C:\Windows\SysWOW64\Hgdbhi32.exe	Hahjpbad.exe
File created	C:\Windows\SysWOW64\Hlfdkoin.exe	Hcnpbi32.exe
File opened for modification	C:\Windows\SysWOW64\Flabbihl.exe	Egdilkbf.exe
File created	C:\Windows\SysWOW64\Ajlppdeb.dll	Egdilkbf.exe
File created	C:\Windows\SysWOW64\Gfoihbdp.dll	Fbgmbg32.exe
File created	C:\Windows\SysWOW64\Gldkfl32.exe	Gicbeald.exe
File created	C:\Windows\SysWOW64\Hllopfgo.dll	Gacpdbej.exe
File created	C:\Windows\SysWOW64\Oiogaqdb.dll	Hcnpbi32.exe
File created	C:\Windows\SysWOW64\Hjjddchg.exe	Hlfdkoin.exe
File created	C:\Windows\SysWOW64\Egdilkbf.exe	Eeempocb.exe
File opened for modification	C:\Windows\SysWOW64\Gpknlk32.exe	Fbgmbg32.exe
File opened for modification	C:\Windows\SysWOW64\Hahjpbad.exe	Gogangdc.exe
File opened for modification	C:\Windows\SysWOW64\Hiekid32.exe	Hlakpp32.exe
File created	C:\Windows\SysWOW64\Eqonkmdh.exe	75c56e48e9799244e81d2a0d99bedea6a1899ad684889c02b258da9a480b46d6.exe
File created	C:\Windows\SysWOW64\Epdkli32.exe	Eqonkmdh.exe
File created	C:\Windows\SysWOW64\Fbgmbg32.exe	Fmhheqje.exe
File opened for modification	C:\Windows\SysWOW64\Hgdbhi32.exe	Hahjpbad.exe
File opened for modification	C:\Windows\SysWOW64\Gogangdc.exe	Gacpdbej.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ilknfn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2192	2136	WerFault.exe	53

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Efppoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ffkcbgek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfekgp32.dll"	Fmhheqje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnnclg32.dll"	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkajfop.dll"	Hahjpbad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hjjddchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Flabbihl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hlakpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hiekid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhfkbo32.dll"	Hlfdkoin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajlppdeb.dll"	Egdilkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdanej32.dll"	Flabbihl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fbgmbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gldkfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glpjaf32.dll"	Eqonkmdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Egdilkbf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anllbdkl.dll"	Hgdbhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgcampld.dll"	Epdkli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eqonkmdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbolehjh.dll"	Emhlfmgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khejeajg.dll"	Hiekid32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	75c56e48e9799244e81d2a0d99bedea6a1899ad684889c02b258da9a480b46d6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Midahn32.dll"	Eeempocb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikkbnm32.dll"	Ffkcbgek.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hgdbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hlakpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	75c56e48e9799244e81d2a0d99bedea6a1899ad684889c02b258da9a480b46d6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fbgmbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kleiio32.dll"	Gpknlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	75c56e48e9799244e81d2a0d99bedea6a1899ad684889c02b258da9a480b46d6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gldkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gogangdc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hahjpbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdpfph32.dll"	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeccgbbh.dll"	Fhkpmjln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfoihbdp.dll"	Fbgmbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiogaqdb.dll"	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fmhheqje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Efppoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lonkjenl.dll"	Efppoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elpbcapg.dll"	Gldkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hahjpbad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	75c56e48e9799244e81d2a0d99bedea6a1899ad684889c02b258da9a480b46d6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Eqonkmdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Emhlfmgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Emhlfmgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Eeempocb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Flabbihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fmhheqje.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2360	2012	75c56e48e9799244e81d2a0d99bedea6a1899ad684889c02b258da9a480b46d6.exe	28
PID 2012 wrote to memory of 2360	2012	75c56e48e9799244e81d2a0d99bedea6a1899ad684889c02b258da9a480b46d6.exe	28
PID 2012 wrote to memory of 2360	2012	75c56e48e9799244e81d2a0d99bedea6a1899ad684889c02b258da9a480b46d6.exe	28
PID 2012 wrote to memory of 2360	2012	75c56e48e9799244e81d2a0d99bedea6a1899ad684889c02b258da9a480b46d6.exe	28
PID 2360 wrote to memory of 1376	2360	Eqonkmdh.exe	29
PID 2360 wrote to memory of 1376	2360	Eqonkmdh.exe	29
PID 2360 wrote to memory of 1376	2360	Eqonkmdh.exe	29
PID 2360 wrote to memory of 1376	2360	Eqonkmdh.exe	29
PID 1376 wrote to memory of 2572	1376	Epdkli32.exe	30
PID 1376 wrote to memory of 2572	1376	Epdkli32.exe	30
PID 1376 wrote to memory of 2572	1376	Epdkli32.exe	30
PID 1376 wrote to memory of 2572	1376	Epdkli32.exe	30
PID 2572 wrote to memory of 2644	2572	Emhlfmgj.exe	31
PID 2572 wrote to memory of 2644	2572	Emhlfmgj.exe	31
PID 2572 wrote to memory of 2644	2572	Emhlfmgj.exe	31
PID 2572 wrote to memory of 2644	2572	Emhlfmgj.exe	31
PID 2644 wrote to memory of 2432	2644	Efppoc32.exe	32
PID 2644 wrote to memory of 2432	2644	Efppoc32.exe	32
PID 2644 wrote to memory of 2432	2644	Efppoc32.exe	32
PID 2644 wrote to memory of 2432	2644	Efppoc32.exe	32
PID 2432 wrote to memory of 2440	2432	Eeempocb.exe	33
PID 2432 wrote to memory of 2440	2432	Eeempocb.exe	33
PID 2432 wrote to memory of 2440	2432	Eeempocb.exe	33
PID 2432 wrote to memory of 2440	2432	Eeempocb.exe	33
PID 2440 wrote to memory of 1212	2440	Egdilkbf.exe	34
PID 2440 wrote to memory of 1212	2440	Egdilkbf.exe	34
PID 2440 wrote to memory of 1212	2440	Egdilkbf.exe	34
PID 2440 wrote to memory of 1212	2440	Egdilkbf.exe	34
PID 1212 wrote to memory of 2764	1212	Flabbihl.exe	35
PID 1212 wrote to memory of 2764	1212	Flabbihl.exe	35
PID 1212 wrote to memory of 2764	1212	Flabbihl.exe	35
PID 1212 wrote to memory of 2764	1212	Flabbihl.exe	35
PID 2764 wrote to memory of 2880	2764	Ffkcbgek.exe	36
PID 2764 wrote to memory of 2880	2764	Ffkcbgek.exe	36
PID 2764 wrote to memory of 2880	2764	Ffkcbgek.exe	36
PID 2764 wrote to memory of 2880	2764	Ffkcbgek.exe	36
PID 2880 wrote to memory of 1976	2880	Fhkpmjln.exe	37
PID 2880 wrote to memory of 1976	2880	Fhkpmjln.exe	37
PID 2880 wrote to memory of 1976	2880	Fhkpmjln.exe	37
PID 2880 wrote to memory of 1976	2880	Fhkpmjln.exe	37
PID 1976 wrote to memory of 1900	1976	Fmhheqje.exe	38
PID 1976 wrote to memory of 1900	1976	Fmhheqje.exe	38
PID 1976 wrote to memory of 1900	1976	Fmhheqje.exe	38
PID 1976 wrote to memory of 1900	1976	Fmhheqje.exe	38
PID 1900 wrote to memory of 2884	1900	Fbgmbg32.exe	39
PID 1900 wrote to memory of 2884	1900	Fbgmbg32.exe	39
PID 1900 wrote to memory of 2884	1900	Fbgmbg32.exe	39
PID 1900 wrote to memory of 2884	1900	Fbgmbg32.exe	39
PID 2884 wrote to memory of 2332	2884	Gpknlk32.exe	40
PID 2884 wrote to memory of 2332	2884	Gpknlk32.exe	40
PID 2884 wrote to memory of 2332	2884	Gpknlk32.exe	40
PID 2884 wrote to memory of 2332	2884	Gpknlk32.exe	40
PID 2332 wrote to memory of 2216	2332	Gicbeald.exe	41
PID 2332 wrote to memory of 2216	2332	Gicbeald.exe	41
PID 2332 wrote to memory of 2216	2332	Gicbeald.exe	41
PID 2332 wrote to memory of 2216	2332	Gicbeald.exe	41
PID 2216 wrote to memory of 868	2216	Gldkfl32.exe	42
PID 2216 wrote to memory of 868	2216	Gldkfl32.exe	42
PID 2216 wrote to memory of 868	2216	Gldkfl32.exe	42
PID 2216 wrote to memory of 868	2216	Gldkfl32.exe	42
PID 868 wrote to memory of 1444	868	Gacpdbej.exe	43
PID 868 wrote to memory of 1444	868	Gacpdbej.exe	43
PID 868 wrote to memory of 1444	868	Gacpdbej.exe	43
PID 868 wrote to memory of 1444	868	Gacpdbej.exe	43

C:\Users\Admin\AppData\Local\Temp\75c56e48e9799244e81d2a0d99bedea6a1899ad684889c02b258da9a480b46d6.exe
"C:\Users\Admin\AppData\Local\Temp\75c56e48e9799244e81d2a0d99bedea6a1899ad684889c02b258da9a480b46d6.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\SysWOW64\Eqonkmdh.exe
  C:\Windows\system32\Eqonkmdh.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\SysWOW64\Epdkli32.exe
    C:\Windows\system32\Epdkli32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1376
  - - C:\Windows\SysWOW64\Emhlfmgj.exe
      C:\Windows\system32\Emhlfmgj.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Windows\SysWOW64\Efppoc32.exe
        
        C:\Windows\system32\Efppoc32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2644
      - C:\Windows\SysWOW64\Eeempocb.exe
        
        C:\Windows\system32\Eeempocb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\Egdilkbf.exe
        
        C:\Windows\system32\Egdilkbf.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\Flabbihl.exe
        
        C:\Windows\system32\Flabbihl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1212
        
        C:\Windows\SysWOW64\Ffkcbgek.exe
        
        C:\Windows\system32\Ffkcbgek.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\Fhkpmjln.exe
        
        C:\Windows\system32\Fhkpmjln.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Fmhheqje.exe
        
        C:\Windows\system32\Fmhheqje.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\SysWOW64\Fbgmbg32.exe
        
        C:\Windows\system32\Fbgmbg32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\SysWOW64\Gpknlk32.exe
        
        C:\Windows\system32\Gpknlk32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Gicbeald.exe
        
        C:\Windows\system32\Gicbeald.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\SysWOW64\Gldkfl32.exe
        
        C:\Windows\system32\Gldkfl32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Gacpdbej.exe
        
        C:\Windows\system32\Gacpdbej.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SysWOW64\Gogangdc.exe
        
        C:\Windows\system32\Gogangdc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Hahjpbad.exe
        
        C:\Windows\system32\Hahjpbad.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Hgdbhi32.exe
        
        C:\Windows\system32\Hgdbhi32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\Hlakpp32.exe
        
        C:\Windows\system32\Hlakpp32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3028
        
        C:\Windows\SysWOW64\Hiekid32.exe
        
        C:\Windows\system32\Hiekid32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1936
        
        C:\Windows\SysWOW64\Hcnpbi32.exe
        
        C:\Windows\system32\Hcnpbi32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Hlfdkoin.exe
        
        C:\Windows\system32\Hlfdkoin.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Hjjddchg.exe
        
        C:\Windows\system32\Hjjddchg.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Iaeiieeb.exe
        
        C:\Windows\system32\Iaeiieeb.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\Ilknfn32.exe
        
        C:\Windows\system32\Ilknfn32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:652
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        27⤵
        Executes dropped EXE
        
        PID:2136
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2136 -s 140
        28⤵
        Loads dropped DLL
        Program crash
        
        PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Eeempocb.exe

Filesize
304KB

MD5
5225cae8f1127954574c6c9e12ec1e46

SHA1
6a1fef6fe1d4ea503bdc3f0fbbdd01a641047da5

SHA256
76bd56efcf4b04906ae8188abec2b2e12386c02d6962069c90474da224f7d3d4

SHA512
785c84a6adf8237f3ff607501fb810ec77a9aebd483ba61156202d8d9a5f3443914597d42349e6072c87a490d4d67a7370c464399e58e67e0dc9ee83c61c2664

Download Submit
C:\Windows\SysWOW64\Egdilkbf.exe

Filesize
304KB

MD5
cc82a6485bd1672075f3570c2f8d67cd

SHA1
45a3a9a74d0a63b0ed7ebdc208be3fe1514a2d98

SHA256
6feffe05b526ad314fb2fce9efcf64691875628773077ffe4a87d2c211a9ff4c

SHA512
63b3802bfa7f8821b7a6daff89fc8cbde97f808f9227311b88fd0c98a40604851820a6e475dd8714560e3fd264a2e2430ee548979a420538e101c398d0b5281e

Download Submit
C:\Windows\SysWOW64\Emhlfmgj.exe

Filesize
304KB

MD5
bb112bb6a91113a93ad05e849f4ab2ce

SHA1
0c4ee9cb3873edd46a063d73203b4594c43b95fe

SHA256
20624626317d9019727cfbaff3fe9ffe421d902e8a3502bda34ca55c5f6fba86

SHA512
25b558d8bd7ffdffe507e275a4e2e199068905284a45fe7144ceb2f8346e4eb8a51e0dec3df0bc2161c392b51628a0e598040bdf458a6cf1ee241629ca869aa3

Download Submit
C:\Windows\SysWOW64\Ffkcbgek.exe

Filesize
304KB

MD5
beb4d4a1ff57e984976db954f48262e5

SHA1
0390f14316f5b51c661b77039c32772f10c73799

SHA256
c94b0723e80e7c795d09e2de51dcb01d0aab7647e5dbadc364b4b8240d7bbed7

SHA512
f68109dadc1059ea4b40eab9d7bc1a2aa6b64ff7b3a1de5970c9d234410050d8a7d1e7a42ec49869242d94137d772883066dcb076746d4732cc2a77a678d2341

Download Submit
C:\Windows\SysWOW64\Gldkfl32.exe

Filesize
304KB

MD5
140d16192f88fc1c62ceecd288ba9897

SHA1
d47305faaf3e6ebf1bbd5c7af495d5507a3a1a77

SHA256
265580d6364bb25304159acbcba1f2d46f007a8c7dd0edbec8ecfeb489f54e9c

SHA512
9069646f6dd0ab35718d986a4c5111377e040d03c68ac8e17cde5524ef9932ae7b6f78fbfbf667da1bce5e7c0577d7d24d72a5745e87d41fd7c549757719a43f

Download Submit
C:\Windows\SysWOW64\Gpknlk32.exe

Filesize
304KB

MD5
888da6fab7add3dac714b54e644f01f6

SHA1
58236fb3a5a76650236a3bcbb66a1fe3dcf65be5

SHA256
71be0135e833b311de4349c6f179763e3db16b327451a4e95fab70cce2dccc6b

SHA512
702930d4fb13c6aeb9845f71950bccc096e7a96558961d727570bd135a75619dd22af32584b3c1cf413eff510292524ca03a43c1925bfe5f2f8d67e9b24a7c52

Download Submit
C:\Windows\SysWOW64\Hahjpbad.exe

Filesize
304KB

MD5
53f43c2f3131a583eac7ac39d28c29ee

SHA1
3e7220aacdf2a35277e6b0ecbc60f31715f104c5

SHA256
9509d197bc78957dabfb72128e2dde08c2910e7b41025e9b274ce69debf70fe5

SHA512
25b3cd00eb24f9608cc782015f64772fa74daafce6201b08345e4327027d94b72933f659268f98cdcc8c54002033dc2c112e7f739ad0022d45e986f27dac5dfa

Download Submit
C:\Windows\SysWOW64\Hcnpbi32.exe

Filesize
304KB

MD5
4a854cc8ca6e8b8a70a52944e5322aec

SHA1
3fc697c6308020fd461897c72e6825b108f84c24

SHA256
e723100e98409df93a21528b0aebd4919ec5d57657cf49987be6e978b6da8a44

SHA512
580cd993a1fbd4bfc4c68fe94a300f373c55fe69b08d35c94b4c10dd8ec25fdb1471015938544a2f0203139263b1dacaec8ebd69851455bd9597607a9c4c0136

Download Submit
C:\Windows\SysWOW64\Hgdbhi32.exe

Filesize
304KB

MD5
c5748c2854d20dbdb9effb20ca3626fc

SHA1
f08b6afdcd055a62cfb799e9b844c37c196b8599

SHA256
586ddec25abbf6c6a1672f2c199a0ad5f2a2611c89c10c6399284ddbeaf8e994

SHA512
1511de6688d86f9f72f2ee63678cf0bdf7e0fd86e659b4e62a21fe5435cb71cc3a9ab444a7be0fd807f5254097405fadb07af02099b5decce53fdb77dbd946d9

Download Submit
C:\Windows\SysWOW64\Hiekid32.exe

Filesize
304KB

MD5
22ecc39f0b93de8b6f426d3eff400d31

SHA1
30afe36fdc6e40f842502f371d7231f8d18d0eb0

SHA256
2b206d7772e9782d064b79c7145355a84c55783224078123dce294e0282c99c7

SHA512
61e7a401d26af4f24590c0a16dfe58a5e09ef6d9e310e2cc045c3960dc7162868e18ea33cb1de8aabf11f609fc2a50317ca2729ca5a7ac7bb797f06e6f10a5cc

Download Submit
C:\Windows\SysWOW64\Hjjddchg.exe

Filesize
304KB

MD5
82dc6e024557b1c5fd23726efe0f6307

SHA1
c64d6906874593702ddda07d4e1912f4e2ec3098

SHA256
733cc031aa1c23687be6506e72158a2bde384d5d245f5a0cb4c533d05d4232d7

SHA512
01da5ec5c098307201bfb429199c193aabaabc3f8699d01c5735429875b8368d6582ee59ce02c5f96299691dfa570ba09574d608e1759536e1496d8ed5161095

Download Submit
C:\Windows\SysWOW64\Hlakpp32.exe

Filesize
304KB

MD5
00fa442da0eadf8bf5722c668c3182f2

SHA1
ef3d16ed9da7817ceffdf1ffbb9084e0f1ec2e23

SHA256
bd0247706b59889782da528f1d71091693de91d7b171f98e4d09a9eab54f12a8

SHA512
553c26873c0f507a0c1ba1d2d6a632c5f34ce45a6967e9e8f453b58c7bf93314ca9d77f4307cadd7c975c870702dd070053e24d1030294b4cd28815087cd6f6d

Download Submit
C:\Windows\SysWOW64\Hlfdkoin.exe

Filesize
304KB

MD5
d574ecf01f03f87dc2aa18dd05c576da

SHA1
8f5fb5cfca1a39c17ec879f9cccbc6125072f3ef

SHA256
f057edb8aaa8f7d62686c536e064fe6d62426322d6ee395b8cfb5da83662add2

SHA512
195d41ca88a45bf9d0beac6b05ce14a16e2d9659fd5090f0cf0165629da857cfc0453c7b3d575b6c3d59cab172dfe7fcf07cbb3b6022ffea88e17f13bddc60fd

Download Submit
C:\Windows\SysWOW64\Iaeiieeb.exe

Filesize
304KB

MD5
785bba7cb2212cb7777853871224c0f2

SHA1
a0b73dd269da39d8208cbc289d52ebefb90a7b20

SHA256
65588211faad6fdf195a9cd787c6a4d7092ceb9e497a3022f4651ed86801bab2

SHA512
e3f794d473110b93445ae63e35ea5167093554062c910323e92db6045680d8855d9005d59c3781105d618bf49b99c0aa0d79ed78bd92f4391364fbc8d0576289

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
304KB

MD5
37fd373ed427a73626bb670379658fc3

SHA1
8239c782f6f14e0e84d24787d1f700c6a371e03e

SHA256
88a4a690f5f1736916a5b81df5cd6686ea1cb0363b3e094296fe9d53fb84a6d8

SHA512
ba39be455a3e65337ae26efdb38f9334f3900e34ce64975456531dafb976d580abff8fde49ac318058511ba7fa30c21f5422bfa7cabb037e895f301ec1625b26

Download Submit
C:\Windows\SysWOW64\Ilknfn32.exe

Filesize
304KB

MD5
2ac9edb184dbf6788d1fa786a0dd0e33

SHA1
92d2b62339142ab8d8ff7a2882eb3c8ad1f03d81

SHA256
729233450c92d9940dbdbbe61a5de7a1d53b7b79ee37eb2c119a111502d062f2

SHA512
a28474c7ba8ee3086d187d89cff95f6181a7751340f49f6e86013b84d1e1b31ee27eee8e25902602a706c8e47336a6ad6b8dba1258b8f6eafb2992a547698002

Download Submit
C:\Windows\SysWOW64\Lonkjenl.dll

Filesize
7KB

MD5
2ef99d58ceaaa1c00c1169fefe8e74c8

SHA1
5cd438359c924ab855398bdddceae58e62c3d631

SHA256
717065c23d077a891440f4a09a286e442220c7b63ad958189e55c4172573430d

SHA512
5da870fcd232a0b169238b78cbd87080dc06a7ced4b10dadd11e13e7a1d1543a2b01e65b64361de75aececf4b716bee7c2442e5a633df400fd1789439863b27d

Download Submit
\Windows\SysWOW64\Efppoc32.exe

Filesize
304KB

MD5
bd528dc67f3932a50990f634c59fde7a

SHA1
46bd69f6e3c0e82f06ddfa7efd60722741613326

SHA256
004dd3080b466ccaa926cf860b0d911c6e812c268f7aebd8b22829eee941bf83

SHA512
1f453391438ad7bc0066ff4479db4a15112a94552c03b7f5191ae140d49cdc73e486cbd5d5b59f18f9c1ac6c4820e51a697cdba6824cc75dd5ce80890cde996d

Download Submit
\Windows\SysWOW64\Epdkli32.exe

Filesize
304KB

MD5
96e536c7a8e72c01ae56c2032caa8c92

SHA1
0f19d7084120b230fc3be75189e509519ac33c18

SHA256
9aa64e82f7da4dd4c4c4e2ea5ffec8c4d4e61a8e8ee1f0e660337690c7fe6fb9

SHA512
34cdcb3eede6f44731fd9e2e548736aa2ecbb1e1fb9dffd6d9af8a4f46bec4b10981494bbb9458512615ef8c4e059659795eb7de5cba2590b96036f18320e8f3

Download Submit
\Windows\SysWOW64\Eqonkmdh.exe

Filesize
304KB

MD5
a1aa02d5199fa43513d6cf739fceca07

SHA1
e107ec7bb13de48d0598d6872d2f067def21c12a

SHA256
a9dcb090c7e06ca9ad9db3ae1e4dfceb808d7d2064c6fba41589f8806d8da3fc

SHA512
71c6aec991d4e7ee2d1bde7e072578e9ab8174f8049ed9f316b0e9cba048bd3d3d2bbb790b3aaf7f569560bd6529f98f5b885e0959034c2ea967908e36f91393

Download Submit
\Windows\SysWOW64\Fbgmbg32.exe

Filesize
304KB

MD5
34da0c99f843f0e26b5d3a8aa389b253

SHA1
cdaba43a7bf68e402e2165fe1b103bc1618ac32c

SHA256
f63421c4cd0f7331a29ea0c2393bc77e0422e9a0a4534aa30a393585d17ae619

SHA512
2143e18503422a12d5a3dc245fb0494e413a4161b0a36adbddb8d79dea103cd25690e3b7fdeb4a32614b37e150ca87740612c98ea46f1e7b9ab09c2dd4c4385d

Download Submit
\Windows\SysWOW64\Fhkpmjln.exe

Filesize
304KB

MD5
d9717c2e81a2532be8b5e5f4b8405415

SHA1
0bc7d11a13942288743b85e491691ffe1eedc04b

SHA256
a230666e9bab45499a6cd8d124cf25cc03a963ad09dba1ce343fe9a069c68358

SHA512
6fef1ed4104b47f6b297bdd3566cd7937d541882683f27d991b89334513d866c3a7eb96fb823fddaddb1dadc0387852ccfe1484d7eba2b8423a74542485a95b4

Download Submit
\Windows\SysWOW64\Flabbihl.exe

Filesize
304KB

MD5
adefdedfa0507d3c3998c0bd23cb1461

SHA1
b6423de0304c31314d5bba8e0e406f5e6ec42faf

SHA256
6b39f060a3162cc256a5b6b348df9433db769996855cc01515e13082ce7852cf

SHA512
09bde0078c9dad0a0a123234a19623def6f7bfa4612602835b1c8b77d76233a52e9bf526c8879d72cf5e4c00149211fa62103f3fdbb1f36ca49a9165a27ce23c

Download Submit
\Windows\SysWOW64\Fmhheqje.exe

Filesize
304KB

MD5
abe764c9e64543acb5a156da8aef0ead

SHA1
770c5479d93fdad6d723cac8ba3b924f7ac80650

SHA256
676b34f1e621a8b6e3b70b6e7f42d1654538db7f71f1d8d224cdeed5719afdaa

SHA512
b58d33ef646a198da0aa5064ba388d74d07bf2f790747f7adeff11ce59eae1415c7020e3d29b889d087b399bb154d779a8a23a5845d58ddb79dc04dffe6084f3

Download Submit
\Windows\SysWOW64\Gacpdbej.exe

Filesize
304KB

MD5
b1fe672b5334867f331d2a8104429787

SHA1
43e102d0fff9585e3e24d7dde15d980c474d56c0

SHA256
dff926ac9f4e68b457488955fe18ce9aedf1c8d736bd402e50075ad33646ba00

SHA512
650b57967072980334ca4479a5e68a3a5e4a4599e22abc2c6f384e9a0be50bbfa5c8b33021e244e8ccc78dd1be47e3086da72d4f0a540eec3698989c5af93a5c

Download Submit
\Windows\SysWOW64\Gicbeald.exe

Filesize
304KB

MD5
15e0bf01037be2ebdaded96e13b3f22a

SHA1
441fc6a368eaf13b547dd66965d171b386146dd1

SHA256
e326f3b79ae8d6da5c02605803411d0d2e88002b78996bdb0aaf2becdcab8ea2

SHA512
520cfb778672db661ea53addcc1dd0b14a9854f199dad4b4b502e53b7745890ca7428666525d09729878a380cf5f8954331a39e2dcaf597c31559b2e3cc90887

Download Submit
\Windows\SysWOW64\Gogangdc.exe

Filesize
304KB

MD5
b9209ca308c32837f1c0e3d0983729ea

SHA1
8158e85feb3d2b595e30235c2d52c913a47668d3

SHA256
75ff733d017d380516958528fed5dd3ec1acfd2f2ea33ec7d38e26da37641be5

SHA512
63232763068c1796fa4e916578c72d6bf8a1e26f1a98c87ee83751af946c85b0ff68128bb1203c2536c2b17cd1e7e41e87b72542bbe8dc425bd62a12650c0a11

Download Submit
memory/652-322-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/652-323-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/652-325-0x0000000000260000-0x00000000002A3000-memory.dmp

Filesize
268KB

Download
memory/868-213-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/868-220-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/1108-235-0x0000000000280000-0x00000000002C3000-memory.dmp

Filesize
268KB

Download
memory/1108-241-0x0000000000280000-0x00000000002C3000-memory.dmp

Filesize
268KB

Download
memory/1108-230-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1212-118-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/1212-93-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1212-331-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1376-38-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1444-225-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1452-240-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1452-251-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/1452-246-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/1560-289-0x00000000002F0000-0x0000000000333000-memory.dmp

Filesize
268KB

Download
memory/1560-291-0x00000000002F0000-0x0000000000333000-memory.dmp

Filesize
268KB

Download
memory/1560-279-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1560-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1900-164-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1936-257-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1936-333-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1936-273-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/1936-268-0x0000000000310000-0x0000000000353000-memory.dmp

Filesize
268KB

Download
memory/1940-316-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/1940-307-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1940-318-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/1976-138-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1976-145-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2012-6-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/2012-326-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2012-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2136-324-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2216-192-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2216-200-0x0000000000290000-0x00000000002D3000-memory.dmp

Filesize
268KB

Download
memory/2296-296-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2296-306-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2296-301-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2332-186-0x0000000000270000-0x00000000002B3000-memory.dmp

Filesize
268KB

Download
memory/2332-193-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2360-327-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2360-25-0x0000000000300000-0x0000000000343000-memory.dmp

Filesize
268KB

Download
memory/2360-31-0x0000000000300000-0x0000000000343000-memory.dmp

Filesize
268KB

Download
memory/2432-329-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2432-67-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2440-87-0x0000000000250000-0x0000000000293000-memory.dmp

Filesize
268KB

Download
memory/2440-79-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2440-330-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2572-45-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2644-53-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2644-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2764-126-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2880-131-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2884-332-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2884-163-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2884-172-0x00000000002D0000-0x0000000000313000-memory.dmp

Filesize
268KB

Download
memory/3028-253-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3028-263-0x0000000000280000-0x00000000002C3000-memory.dmp

Filesize
268KB

Download
memory/3028-261-0x0000000000280000-0x00000000002C3000-memory.dmp

Filesize
268KB

Download
memory/3044-275-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3044-284-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download
memory/3044-285-0x0000000000450000-0x0000000000493000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads