193910d57bf1942bd44833a34404d8ea2a7181bde28ce69d53ad443f4df10aca

Analysis

max time kernel
142s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

193910d57bf1942bd44833a34404d8ea2a7181bde28ce69d53ad443f4df10aca.exe
Size

370KB
MD5

b118c524f32231155bd15d3766f20f68
SHA1

81e56ee40df7c977911e9a5497a415e3fd597a56
SHA256

193910d57bf1942bd44833a34404d8ea2a7181bde28ce69d53ad443f4df10aca
SHA512

f5e80aa769236247c2fe8ac14e73258c9eae479cd273302f5a9886cf85b278e93294335b9ac5c8265238d0e49ab7b36511f2d6627dc2bb4f00754dc2087df7f4
SSDEEP

6144:BICUtQ0p3KYpNyGpNDU9fwRE5H2dpNonHd/twMLc2Ao2pEYTBFqZNjE1rhJg3htD:yCUtQ0poqUfCyHJWx67fLx67

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 58 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pplhhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eklajcmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gnpphljo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfihbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbphglbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edaaccbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqdpgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbphglbe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pplhhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdjblf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eddnic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgnomg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhdcmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jaonbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Klpakj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhnhajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omopjcjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amikgpcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhfaddk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eklajcmc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eghkjdoa.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhdcmp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jhkbdmbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdjblf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edaaccbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddnobj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iimcma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhnhajba.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amikgpcc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	193910d57bf1942bd44833a34404d8ea2a7181bde28ce69d53ad443f4df10aca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jhkbdmbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dckoia32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbbicl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqbala32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fgiaemic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbpedjnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eddnic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	193910d57bf1942bd44833a34404d8ea2a7181bde28ce69d53ad443f4df10aca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Klpakj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obgohklm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omopjcjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgnomg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jaonbc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nfihbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqdpgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iimcma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqbala32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbanq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eghkjdoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbbicl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obgohklm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dckoia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhfaddk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbanq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddnobj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbpedjnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnpphljo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgiaemic.exe

Executes dropped EXE 29 IoCs

pid	Process
2040	Cgnomg32.exe
4300	Ddnobj32.exe
2656	Eqdpgk32.exe
764	Eklajcmc.exe
2472	Eghkjdoa.exe
4672	Fbbicl32.exe
3916	Gnpphljo.exe
4064	Gbpedjnb.exe
940	Hhdcmp32.exe
4760	Iimcma32.exe
3224	Jaonbc32.exe
824	Jhkbdmbg.exe
3880	Klpakj32.exe
4488	Lhnhajba.exe
3688	Nfihbk32.exe
4988	Nbphglbe.exe
2756	Obgohklm.exe
4748	Omopjcjp.exe
4776	Pqbala32.exe
364	Pplhhm32.exe
4680	Amikgpcc.exe
3828	Afhfaddk.exe
4552	Cdjblf32.exe
1712	Dgbanq32.exe
4360	Dckoia32.exe
4668	Edaaccbj.exe
1036	Eddnic32.exe
4256	Fgiaemic.exe
4492	Gddgpqbe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Defgao32.dll	Pplhhm32.exe
File opened for modification	C:\Windows\SysWOW64\Eddnic32.exe	Edaaccbj.exe
File created	C:\Windows\SysWOW64\Iimcma32.exe	Hhdcmp32.exe
File opened for modification	C:\Windows\SysWOW64\Jhkbdmbg.exe	Jaonbc32.exe
File opened for modification	C:\Windows\SysWOW64\Nfihbk32.exe	Lhnhajba.exe
File created	C:\Windows\SysWOW64\Blcnqjjo.dll	Pqbala32.exe
File created	C:\Windows\SysWOW64\Qecffhdo.dll	Afhfaddk.exe
File created	C:\Windows\SysWOW64\Cjeejn32.dll	Dckoia32.exe
File created	C:\Windows\SysWOW64\Lhkdqh32.dll	Iimcma32.exe
File created	C:\Windows\SysWOW64\Mnjenfjo.dll	Obgohklm.exe
File opened for modification	C:\Windows\SysWOW64\Gbpedjnb.exe	Gnpphljo.exe
File created	C:\Windows\SysWOW64\Ablmdkdf.dll	Jhkbdmbg.exe
File created	C:\Windows\SysWOW64\Nbphglbe.exe	Nfihbk32.exe
File opened for modification	C:\Windows\SysWOW64\Nbphglbe.exe	Nfihbk32.exe
File created	C:\Windows\SysWOW64\Pqolaipg.dll	Nbphglbe.exe
File opened for modification	C:\Windows\SysWOW64\Amikgpcc.exe	Pplhhm32.exe
File created	C:\Windows\SysWOW64\Eqdpgk32.exe	Ddnobj32.exe
File created	C:\Windows\SysWOW64\Eklajcmc.exe	Eqdpgk32.exe
File created	C:\Windows\SysWOW64\Eghkjdoa.exe	Eklajcmc.exe
File created	C:\Windows\SysWOW64\Coffgmig.dll	Gnpphljo.exe
File created	C:\Windows\SysWOW64\Mcgckb32.dll	Hhdcmp32.exe
File created	C:\Windows\SysWOW64\Pqbala32.exe	Omopjcjp.exe
File opened for modification	C:\Windows\SysWOW64\Dckoia32.exe	Dgbanq32.exe
File created	C:\Windows\SysWOW64\Npdhdlin.dll	Eqdpgk32.exe
File opened for modification	C:\Windows\SysWOW64\Hhdcmp32.exe	Gbpedjnb.exe
File created	C:\Windows\SysWOW64\Klpakj32.exe	Jhkbdmbg.exe
File opened for modification	C:\Windows\SysWOW64\Klpakj32.exe	Jhkbdmbg.exe
File created	C:\Windows\SysWOW64\Foniaq32.dll	Klpakj32.exe
File created	C:\Windows\SysWOW64\Lnpckhnk.dll	Nfihbk32.exe
File created	C:\Windows\SysWOW64\Nlkppnab.dll	Cdjblf32.exe
File created	C:\Windows\SysWOW64\Fgiaemic.exe	Eddnic32.exe
File created	C:\Windows\SysWOW64\Ijilflah.dll	193910d57bf1942bd44833a34404d8ea2a7181bde28ce69d53ad443f4df10aca.exe
File created	C:\Windows\SysWOW64\Clmipm32.dll	Ddnobj32.exe
File created	C:\Windows\SysWOW64\Kofljo32.dll	Lhnhajba.exe
File opened for modification	C:\Windows\SysWOW64\Obgohklm.exe	Nbphglbe.exe
File created	C:\Windows\SysWOW64\Omopjcjp.exe	Obgohklm.exe
File created	C:\Windows\SysWOW64\Efehkimj.dll	Dgbanq32.exe
File created	C:\Windows\SysWOW64\Afhfaddk.exe	Amikgpcc.exe
File opened for modification	C:\Windows\SysWOW64\Dgbanq32.exe	Cdjblf32.exe
File opened for modification	C:\Windows\SysWOW64\Gddgpqbe.exe	Fgiaemic.exe
File opened for modification	C:\Windows\SysWOW64\Eqdpgk32.exe	Ddnobj32.exe
File created	C:\Windows\SysWOW64\Jhkbdmbg.exe	Jaonbc32.exe
File created	C:\Windows\SysWOW64\Nfihbk32.exe	Lhnhajba.exe
File created	C:\Windows\SysWOW64\Hpkdfd32.dll	Omopjcjp.exe
File opened for modification	C:\Windows\SysWOW64\Edaaccbj.exe	Dckoia32.exe
File opened for modification	C:\Windows\SysWOW64\Gnpphljo.exe	Fbbicl32.exe
File created	C:\Windows\SysWOW64\Inclga32.dll	Gbpedjnb.exe
File opened for modification	C:\Windows\SysWOW64\Pplhhm32.exe	Pqbala32.exe
File created	C:\Windows\SysWOW64\Dckoia32.exe	Dgbanq32.exe
File created	C:\Windows\SysWOW64\Ddnobj32.exe	Cgnomg32.exe
File created	C:\Windows\SysWOW64\Emamkgpg.dll	Eklajcmc.exe
File opened for modification	C:\Windows\SysWOW64\Fbbicl32.exe	Eghkjdoa.exe
File created	C:\Windows\SysWOW64\Obgohklm.exe	Nbphglbe.exe
File opened for modification	C:\Windows\SysWOW64\Cdjblf32.exe	Afhfaddk.exe
File opened for modification	C:\Windows\SysWOW64\Fgiaemic.exe	Eddnic32.exe
File opened for modification	C:\Windows\SysWOW64\Ddnobj32.exe	Cgnomg32.exe
File opened for modification	C:\Windows\SysWOW64\Eghkjdoa.exe	Eklajcmc.exe
File created	C:\Windows\SysWOW64\Gbpedjnb.exe	Gnpphljo.exe
File created	C:\Windows\SysWOW64\Amikgpcc.exe	Pplhhm32.exe
File created	C:\Windows\SysWOW64\Qgdcdg32.dll	Amikgpcc.exe
File created	C:\Windows\SysWOW64\Cdjblf32.exe	Afhfaddk.exe
File created	C:\Windows\SysWOW64\Gddgpqbe.exe	Fgiaemic.exe
File opened for modification	C:\Windows\SysWOW64\Cgnomg32.exe	193910d57bf1942bd44833a34404d8ea2a7181bde28ce69d53ad443f4df10aca.exe
File opened for modification	C:\Windows\SysWOW64\Eklajcmc.exe	Eqdpgk32.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3188	4492	WerFault.exe	118
2880	4492	WerFault.exe	118

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inclga32.dll"	Gbpedjnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofljo32.dll"	Lhnhajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jaonbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jhkbdmbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foniaq32.dll"	Klpakj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqbala32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgdcdg32.dll"	Amikgpcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	193910d57bf1942bd44833a34404d8ea2a7181bde28ce69d53ad443f4df10aca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gnpphljo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohlemeao.dll"	Jaonbc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbjbac32.dll"	Edaaccbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqbala32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amikgpcc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eddnic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fgiaemic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjpdeo32.dll"	Fbbicl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Klpakj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbphglbe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jhkbdmbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efehkimj.dll"	Dgbanq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okkbgpmc.dll"	Eddnic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	193910d57bf1942bd44833a34404d8ea2a7181bde28ce69d53ad443f4df10aca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbbicl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbpedjnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eghkjdoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbpedjnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhnhajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qecffhdo.dll"	Afhfaddk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Edaaccbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	193910d57bf1942bd44833a34404d8ea2a7181bde28ce69d53ad443f4df10aca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npdhdlin.dll"	Eqdpgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlbmonhi.dll"	Eghkjdoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pplhhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eklajcmc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iimcma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhnhajba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Obgohklm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Defgao32.dll"	Pplhhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijilflah.dll"	193910d57bf1942bd44833a34404d8ea2a7181bde28ce69d53ad443f4df10aca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgnomg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emamkgpg.dll"	Eklajcmc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdjblf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Edaaccbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pplhhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbanq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	193910d57bf1942bd44833a34404d8ea2a7181bde28ce69d53ad443f4df10aca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clmipm32.dll"	Ddnobj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nbphglbe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlkppnab.dll"	Cdjblf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbanq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eddnic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hhdcmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcgckb32.dll"	Hhdcmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnpckhnk.dll"	Nfihbk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dckoia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hhdcmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Klpakj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpkdfd32.dll"	Omopjcjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afhfaddk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afhfaddk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddnobj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhkdqh32.dll"	Iimcma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nfihbk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coffgmig.dll"	Gnpphljo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4292 wrote to memory of 2040	4292	193910d57bf1942bd44833a34404d8ea2a7181bde28ce69d53ad443f4df10aca.exe	90
PID 4292 wrote to memory of 2040	4292	193910d57bf1942bd44833a34404d8ea2a7181bde28ce69d53ad443f4df10aca.exe	90
PID 4292 wrote to memory of 2040	4292	193910d57bf1942bd44833a34404d8ea2a7181bde28ce69d53ad443f4df10aca.exe	90
PID 2040 wrote to memory of 4300	2040	Cgnomg32.exe	91
PID 2040 wrote to memory of 4300	2040	Cgnomg32.exe	91
PID 2040 wrote to memory of 4300	2040	Cgnomg32.exe	91
PID 4300 wrote to memory of 2656	4300	Ddnobj32.exe	92
PID 4300 wrote to memory of 2656	4300	Ddnobj32.exe	92
PID 4300 wrote to memory of 2656	4300	Ddnobj32.exe	92
PID 2656 wrote to memory of 764	2656	Eqdpgk32.exe	93
PID 2656 wrote to memory of 764	2656	Eqdpgk32.exe	93
PID 2656 wrote to memory of 764	2656	Eqdpgk32.exe	93
PID 764 wrote to memory of 2472	764	Eklajcmc.exe	94
PID 764 wrote to memory of 2472	764	Eklajcmc.exe	94
PID 764 wrote to memory of 2472	764	Eklajcmc.exe	94
PID 2472 wrote to memory of 4672	2472	Eghkjdoa.exe	95
PID 2472 wrote to memory of 4672	2472	Eghkjdoa.exe	95
PID 2472 wrote to memory of 4672	2472	Eghkjdoa.exe	95
PID 4672 wrote to memory of 3916	4672	Fbbicl32.exe	96
PID 4672 wrote to memory of 3916	4672	Fbbicl32.exe	96
PID 4672 wrote to memory of 3916	4672	Fbbicl32.exe	96
PID 3916 wrote to memory of 4064	3916	Gnpphljo.exe	97
PID 3916 wrote to memory of 4064	3916	Gnpphljo.exe	97
PID 3916 wrote to memory of 4064	3916	Gnpphljo.exe	97
PID 4064 wrote to memory of 940	4064	Gbpedjnb.exe	98
PID 4064 wrote to memory of 940	4064	Gbpedjnb.exe	98
PID 4064 wrote to memory of 940	4064	Gbpedjnb.exe	98
PID 940 wrote to memory of 4760	940	Hhdcmp32.exe	99
PID 940 wrote to memory of 4760	940	Hhdcmp32.exe	99
PID 940 wrote to memory of 4760	940	Hhdcmp32.exe	99
PID 4760 wrote to memory of 3224	4760	Iimcma32.exe	100
PID 4760 wrote to memory of 3224	4760	Iimcma32.exe	100
PID 4760 wrote to memory of 3224	4760	Iimcma32.exe	100
PID 3224 wrote to memory of 824	3224	Jaonbc32.exe	101
PID 3224 wrote to memory of 824	3224	Jaonbc32.exe	101
PID 3224 wrote to memory of 824	3224	Jaonbc32.exe	101
PID 824 wrote to memory of 3880	824	Jhkbdmbg.exe	102
PID 824 wrote to memory of 3880	824	Jhkbdmbg.exe	102
PID 824 wrote to memory of 3880	824	Jhkbdmbg.exe	102
PID 3880 wrote to memory of 4488	3880	Klpakj32.exe	103
PID 3880 wrote to memory of 4488	3880	Klpakj32.exe	103
PID 3880 wrote to memory of 4488	3880	Klpakj32.exe	103
PID 4488 wrote to memory of 3688	4488	Lhnhajba.exe	104
PID 4488 wrote to memory of 3688	4488	Lhnhajba.exe	104
PID 4488 wrote to memory of 3688	4488	Lhnhajba.exe	104
PID 3688 wrote to memory of 4988	3688	Nfihbk32.exe	105
PID 3688 wrote to memory of 4988	3688	Nfihbk32.exe	105
PID 3688 wrote to memory of 4988	3688	Nfihbk32.exe	105
PID 4988 wrote to memory of 2756	4988	Nbphglbe.exe	106
PID 4988 wrote to memory of 2756	4988	Nbphglbe.exe	106
PID 4988 wrote to memory of 2756	4988	Nbphglbe.exe	106
PID 2756 wrote to memory of 4748	2756	Obgohklm.exe	107
PID 2756 wrote to memory of 4748	2756	Obgohklm.exe	107
PID 2756 wrote to memory of 4748	2756	Obgohklm.exe	107
PID 4748 wrote to memory of 4776	4748	Omopjcjp.exe	108
PID 4748 wrote to memory of 4776	4748	Omopjcjp.exe	108
PID 4748 wrote to memory of 4776	4748	Omopjcjp.exe	108
PID 4776 wrote to memory of 364	4776	Pqbala32.exe	109
PID 4776 wrote to memory of 364	4776	Pqbala32.exe	109
PID 4776 wrote to memory of 364	4776	Pqbala32.exe	109
PID 364 wrote to memory of 4680	364	Pplhhm32.exe	110
PID 364 wrote to memory of 4680	364	Pplhhm32.exe	110
PID 364 wrote to memory of 4680	364	Pplhhm32.exe	110
PID 4680 wrote to memory of 3828	4680	Amikgpcc.exe	111

C:\Users\Admin\AppData\Local\Temp\193910d57bf1942bd44833a34404d8ea2a7181bde28ce69d53ad443f4df10aca.exe
"C:\Users\Admin\AppData\Local\Temp\193910d57bf1942bd44833a34404d8ea2a7181bde28ce69d53ad443f4df10aca.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4292
- C:\Windows\SysWOW64\Cgnomg32.exe
  C:\Windows\system32\Cgnomg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\SysWOW64\Ddnobj32.exe
    C:\Windows\system32\Ddnobj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4300
  - - C:\Windows\SysWOW64\Eqdpgk32.exe
      C:\Windows\system32\Eqdpgk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2656
    - - C:\Windows\SysWOW64\Eklajcmc.exe
        
        C:\Windows\system32\Eklajcmc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:764
      - C:\Windows\SysWOW64\Eghkjdoa.exe
        
        C:\Windows\system32\Eghkjdoa.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\SysWOW64\Fbbicl32.exe
        
        C:\Windows\system32\Fbbicl32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\SysWOW64\Gnpphljo.exe
        
        C:\Windows\system32\Gnpphljo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        C:\Windows\SysWOW64\Gbpedjnb.exe
        
        C:\Windows\system32\Gbpedjnb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4064
        
        C:\Windows\SysWOW64\Hhdcmp32.exe
        
        C:\Windows\system32\Hhdcmp32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Windows\SysWOW64\Iimcma32.exe
        
        C:\Windows\system32\Iimcma32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\SysWOW64\Jaonbc32.exe
        
        C:\Windows\system32\Jaonbc32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\SysWOW64\Jhkbdmbg.exe
        
        C:\Windows\system32\Jhkbdmbg.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:824
        
        C:\Windows\SysWOW64\Klpakj32.exe
        
        C:\Windows\system32\Klpakj32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Windows\SysWOW64\Lhnhajba.exe
        
        C:\Windows\system32\Lhnhajba.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Nfihbk32.exe
        
        C:\Windows\system32\Nfihbk32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\SysWOW64\Nbphglbe.exe
        
        C:\Windows\system32\Nbphglbe.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\Obgohklm.exe
        
        C:\Windows\system32\Obgohklm.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\SysWOW64\Omopjcjp.exe
        
        C:\Windows\system32\Omopjcjp.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4748
        
        C:\Windows\SysWOW64\Pqbala32.exe
        
        C:\Windows\system32\Pqbala32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4776
        
        C:\Windows\SysWOW64\Pplhhm32.exe
        
        C:\Windows\system32\Pplhhm32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:364
        
        C:\Windows\SysWOW64\Amikgpcc.exe
        
        C:\Windows\system32\Amikgpcc.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4680
        
        C:\Windows\SysWOW64\Afhfaddk.exe
        
        C:\Windows\system32\Afhfaddk.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3828
        
        C:\Windows\SysWOW64\Cdjblf32.exe
        
        C:\Windows\system32\Cdjblf32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Dgbanq32.exe
        
        C:\Windows\system32\Dgbanq32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\Dckoia32.exe
        
        C:\Windows\system32\Dckoia32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Edaaccbj.exe
        
        C:\Windows\system32\Edaaccbj.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4668
        
        C:\Windows\SysWOW64\Eddnic32.exe
        
        C:\Windows\system32\Eddnic32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\Fgiaemic.exe
        
        C:\Windows\system32\Fgiaemic.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        30⤵
        Executes dropped EXE
        
        PID:4492
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 224
        31⤵
        Program crash
        
        PID:3188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 224
        31⤵
        Program crash
        
        PID:2880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4492 -ip 4492
1⤵
PID:3108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3720 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:4420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afhfaddk.exe

Filesize
370KB

MD5
02773fc59333741c57b0fcf907266799

SHA1
d93322ab253eed05b4dbf41bffdf29b2905bea91

SHA256
2171446216a5bd54f30a9c2a2812f147a7963767e4e9142fd99673a629a1f86b

SHA512
d71fac42f772287e5435815949af9cc66434cff7f1459e1bf98b5f4a86290ac740868a4305de259c221c2466ca00c8a9c8e4ad9289f65c39f08257f68de03596

Download Submit
C:\Windows\SysWOW64\Amikgpcc.exe

Filesize
370KB

MD5
d6b9d360c0e7bca0f7c0542e50d02c4f

SHA1
a29deef108729a933de41edcae0c3b476c3bd8b3

SHA256
c369bc2de67c29e5080391eb88d0c3f74a874c11ce778bc2c54084064c73c45d

SHA512
00f924e25e1c9c7d8b20757590bedc0839dab4a65abe55641090b698dfd38510216a09ea92a84a2d486c40dcf00245560ed791922dd435df8f31dafcb44ccb4a

Download Submit
C:\Windows\SysWOW64\Cdjblf32.exe

Filesize
370KB

MD5
b962b2d85f76ba391dc3dffe225f93c8

SHA1
e8b155c6655314e15b90653dab92dfa085d60202

SHA256
3b499ba2349c45d2dd785c4fcb043248b6636856435f2e2fe2a8b80f88137ffd

SHA512
09c2a13619058c1604b96263455ba16947d8c5740055e69a3d04a0f48f0d3a536d2162da3e5ce3058cf6cfe47309092b8a7b4b6ffc6e75cca6b7a5bd7636b5d5

Download Submit
C:\Windows\SysWOW64\Cgnomg32.exe

Filesize
370KB

MD5
2319c4c665d0238d2e8ac68c9d86226f

SHA1
a962202b2d52c2013e2d1ef1fa39c9ca04eda793

SHA256
1bb89fdb789fdec89dc0b2df47e1d2b0ca9d9d6a09b5d13fdad475657368712f

SHA512
e051bd7cc6d67741fee9d7c68f7859d80e9a21aad5f54b4dea7007104f9631aba8a54bc928ba4b62df1dba6d8c9c94c051942471a9a3c974606d8b4d624723b7

Download Submit
C:\Windows\SysWOW64\Dckoia32.exe

Filesize
370KB

MD5
94b931a0244e880935724325da619dc0

SHA1
3036edd0ce42ef3158339ace0796f755658216fb

SHA256
1b910b5972e044a5e80ce4c557fe374ed4e8549ac0ff40592a5926fa75cd565f

SHA512
6726ca1ac851be4194bfa52095c9b0090b312ad2888cd3730f14735a87968553b1b491d214c6574927fa179590eb90b7e961ebfabf208a36bd461abfe307b2d1

Download Submit
C:\Windows\SysWOW64\Ddnobj32.exe

Filesize
370KB

MD5
e8c2090e6273b206f461cc1abc6d97ac

SHA1
aeb954cee4b9c3a9abfdea3eb2dd0d366cacfebe

SHA256
cab34ace512aec993d75c9580b7559dee4b27aaa5d201dffc06ff8bcae4accf2

SHA512
892054c4214296a218f5bf3bcd0d70be5072d709310ea2618280cf68776a776dcfd3ce0915f9f98383bf3a6cac53873cfb04a9f3dac927d8a633231f84f6841e

Download Submit
C:\Windows\SysWOW64\Dgbanq32.exe

Filesize
370KB

MD5
97b16df37e77072e01f1a059df34ac02

SHA1
77dd75beb4915c676fe04eb2124bbb314b6c8453

SHA256
61abaa063847d5551aebaef764c0d53b3c9fc665a6e6a93893caa3db22b519f7

SHA512
5989a6c4907e0c8f4e8d1a8123818aaa2ab3eb5c0404afbac6280c336eb39d494ae5fd0924e8538764168d761e0588c2b4c74e29a0c4195e8832456ef0329b11

Download Submit
C:\Windows\SysWOW64\Edaaccbj.exe

Filesize
370KB

MD5
381c1eceada654c5809512e363ecaf52

SHA1
883a8eb49013d07a921c446eac308f5c4055fd0b

SHA256
e3a8bfbef92da286bf110e65ea8ef22601c77236f4d1230acaf8b20e4f923dfa

SHA512
5a0955c6115403d91241f20ba6d4c8e35917599ac5f894028404eb50f77b2b45d4540ecdc92de90f13907336b84fd9d9c536e6526d8bd2480f6ced473ae4c79a

Download Submit
C:\Windows\SysWOW64\Eddnic32.exe

Filesize
370KB

MD5
9b40824f621ce2ee9ed36319ffa859eb

SHA1
b0daf1f3f21fd85dd7fa5308d7678164402b339f

SHA256
1db23d72380dc17c12cf9a6b3a9e4e288d441c2cb305974cb1cd72039070239a

SHA512
a45494936f64b728f74afa5aeae81ecb9a5a27d7d33fa24f08046fcc18c3c3885de71ffae85c493b243b805f54b2b19fb0cbbad88ff3ab44ed1eda3a287f678b

Download Submit
C:\Windows\SysWOW64\Eghkjdoa.exe

Filesize
370KB

MD5
d53ceb202289e86a7ee09b86a3602b6e

SHA1
6e81bb9728261afd8df8d0d8e45bd5aeb51abf9c

SHA256
ec6693c8aefcd96ca8ae4661fcb1f3db901ce9dabc1f928605843f68b194e4a2

SHA512
cb1841a4fcbf2c763cd11af2ba407a12e61d91f63e8488cbfb5ee677f1085b82a5ec2fe2c324401a6a72728ff75d7480c2c6948e9d8b8f202dd4a6f53f3398e0

Download Submit
C:\Windows\SysWOW64\Eklajcmc.exe

Filesize
370KB

MD5
467a86337c7015be9abb3ed953d67873

SHA1
046567b9741f45ceba929cce10e54998b495e08c

SHA256
7beda6c16d1f9819100d27ab455010fcdad8207274913ae23e976a1cd66ca51c

SHA512
cee92266b7292c0e95248c7b742e823e05a8aaca6b99b02bb2d661edd7f7c91ed1961e9bb0bd8b8c1848262a54a4b0a7219d54accc1d3f5b8c6f150e10fe53ef

Download Submit
C:\Windows\SysWOW64\Eqdpgk32.exe

Filesize
370KB

MD5
00343f65da0a2c9d4f431580f980ce89

SHA1
27cff5c6c8a340cc069fd145d7cbe8473c2743bd

SHA256
0c3be47ca4948bb212bbd2e07b605039740f6fcb878f2ff1d45efc12182f33ab

SHA512
eadf726a899f4601e58c85bbfafc8e2cabc748bfb096cc6413ad7417f6bfee65308c70e84f1ce9ac72431fc090386cdcf7edd7c2e0dbbadcf226b7c32543ea36

Download Submit
C:\Windows\SysWOW64\Fbbicl32.exe

Filesize
370KB

MD5
b5d1689eb5fb325621c65f9425348ebb

SHA1
6faec819280efa1a91cfcfc1fbf1728f9cb3ee98

SHA256
420ea209ebb3489053dd8e36877284785cdbda07354ef0551a7ec06c84fe48e4

SHA512
e31119db6dc1efd02596611803be7dd4af00ce5aef1da418c0fdf258f7860708a28ccc1616ab650e3669ac1481d017d60f41dac0107dd89dc1ea1d67bb9c77fc

Download Submit
C:\Windows\SysWOW64\Fgiaemic.exe

Filesize
370KB

MD5
7ff95a23ff799b49e0e7d316daab9a09

SHA1
d2090731299a620cec75f7f7f6c9dc5c03deb786

SHA256
902300bc74fbcf931a1c320711268bce5dbf24e4cf64a04d1bd784fa833f24f2

SHA512
3a3f69d9203964977dc195c7c7dcc8e379c1ce16d4a8b30961595e75d1547129bb59c245ffab24cfa7a4a739d3b82f4971ad8c8d738ec64891a90e5727300996

Download Submit
C:\Windows\SysWOW64\Gbpedjnb.exe

Filesize
370KB

MD5
bf2cb83be9ac9797c124bb318e27ea10

SHA1
8b11bfae3f421a4734158e6afabe7963f7df9138

SHA256
b3b941fb31a92bb1709e08998f31ee2d5a8040c4285f00ec4c0c430bccbf3625

SHA512
18bd351efa1240f100a83be71e9ada87744f0b2d1cb8a3106f7d166d5347ea6578851389b8ee83cb712e5237adb55a60c40b12edbcec5b3ca0f88ec2fc156205

Download Submit
C:\Windows\SysWOW64\Gddgpqbe.exe

Filesize
256KB

MD5
e674cf22e1a82852459ffd1ea65b9998

SHA1
4161530558a47fceed9532b9a027aa5887f3e22f

SHA256
2910b249a2c8426aa6a75c1370355242a72d8ebf5cb60df723ed57a78554ad63

SHA512
2b5640cf30c1040126241b0bfc297c7cc6cf6005b6800ae90696fc7bd6a3a4fd4511e55c3e00455491c896cc7fe2b64ad5d94587116c329d83b4e47568524b49

Download Submit
C:\Windows\SysWOW64\Gddgpqbe.exe

Filesize
370KB

MD5
9f4e0df4cfdea73db8b514585e30d184

SHA1
04a132a798d2cdc15f18e1daac4c61abcfc44adf

SHA256
9e60639b28e20ec7606d213e8f8f48271551c62b532e07887e422d4bae556739

SHA512
12014b69cd0fbe04afcbe1600cf13024fd391ab607e1f5801a8ba2a739a317e4f380bbf8bdd75bd700075ab33f080156c56d96a88f4d73818ed5705a0b5a4e57

Download Submit
C:\Windows\SysWOW64\Gnpphljo.exe

Filesize
370KB

MD5
f52c4c15eda8b2912421d164fd866faa

SHA1
e2817e783f716af9daa80f9f3b8ba02ac8d62145

SHA256
f22b3b3af5ba3277938e2d7f29835aee00fa1dae191d3cf6f5090fd5aa80e35f

SHA512
1212232794764e0cc2dbdbf97f289469c747da53239b892d7cfe246465a69058a643694f9331ef2643663b4c3522dcc7a534180330c174873df015bc63efe9a4

Download Submit
C:\Windows\SysWOW64\Hhdcmp32.exe

Filesize
370KB

MD5
aca7b839366f0fd470bd9c14a61bfddb

SHA1
73612bddb8d934e14695b4f3e1d1b49b7773e07e

SHA256
24816fa5c77b74b3bb05e15d8e6ce74357a75be62223a2dd2bc15e368bdcbe07

SHA512
e1b2757906d6671aa3097d353520aa21ba1495a0a92ab2134351e69399d94e63ebf402213e19d33f2296c3034a0eb01ae2d2c6602402c8506c211abfc7d720e3

Download Submit
C:\Windows\SysWOW64\Iimcma32.exe

Filesize
370KB

MD5
e365ad8272f25b3d0451b7f7d8458ecb

SHA1
940093bac33635bb614cd75a0392b96736330e22

SHA256
723aecebac33b92b72b80847cb2ba25b7f53bb7ac17bb58822a6be73f2eaa4a7

SHA512
af18536ff15386198b0167c2df3c1fec046a57f48c053fff878e1c996dd33e8f75a2cef59485ac7cc8fbb1bf2463976874115a8aa2b8fd7e1d708d166adb08f0

Download Submit
C:\Windows\SysWOW64\Jaonbc32.exe

Filesize
370KB

MD5
06705ea92dfd0c12d0697a0075af5dc2

SHA1
22476c18d43cdda93b25b5e8b33d3a43da189137

SHA256
b05fa66e615a40b00d5194a9bffb1ab662d48439d53bab59e47ba8a19120047f

SHA512
2a1ef80813c442e7396fbbcc0216913b06fa7c79bea659e213b7ecf1d638761b4eee68659546597add30c2db248d9f3139c5dd031e9cd300488b8a2e40cd8302

Download Submit
C:\Windows\SysWOW64\Jhkbdmbg.exe

Filesize
370KB

MD5
9ad51ddaf083095f7003072376500472

SHA1
aa6e792b616185f52f99e16f75d0b2a89b529bdd

SHA256
65f734406e4dad629f385c2fa20165b169ee4a1e17b908d692f6f10cc005c324

SHA512
b506e52a016a8421e45054d4e0c4f989048167510f7f2a2a49b4b855b11e2a1dbd91f446417f27ef28e1700430beca5b8d43d4a76bbc02e12b7cf73e550df241

Download Submit
C:\Windows\SysWOW64\Klpakj32.exe

Filesize
192KB

MD5
893b37f76f70e4cd5b7254233f5027ed

SHA1
f1efca197cf6ceb37eb853095780358c0db04b81

SHA256
dbbd49c37258a06c1ef68ac863e4b623dedd6a2e0f8199403a7eea5dddc7fea8

SHA512
760f0ddcdd798bb5fbec48167d44e7cd1f259a0ff9772a982081125eb2126d5dd48ee1e1ec686f7f52316fca9760ecf1da4ea9665849ba5c45a221a8efac79fb

Download Submit
C:\Windows\SysWOW64\Klpakj32.exe

Filesize
370KB

MD5
50131805d4acc4bb70c55c20ad99d255

SHA1
d498a04d68aeb69e5c452a39776509704af7b69f

SHA256
66306352802525937173d87dc15d1156770aa8d6d6eda838380f473201dd310b

SHA512
0ac5a551df2ad98e4d682b07e54be9dab430aed2220a715c8dcd195a82512e0c5be87722e3e2ab9411850043e8e6bd00f53f3a611990a853fd5d7ecb368b5e53

Download Submit
C:\Windows\SysWOW64\Lhnhajba.exe

Filesize
370KB

MD5
e31f75a45f8e36c5e68cef9909c7854f

SHA1
76215c5b6cc72a790653997a352c5b038fdbf22c

SHA256
0f6e6e8bb7a743c34982ca05ea18c0155df0c8c0970c80691d713c8536efdfd6

SHA512
3a74010ed446878c2f9249f6f471cea7adeed7242615baba4cf1743d96639f0a40be0900c0bc9fff3359de480df905781129178f84176b21d606782f47fd0efa

Download Submit
C:\Windows\SysWOW64\Nbphglbe.exe

Filesize
370KB

MD5
7ccacba91cdd2c84c6f0f878e63c7991

SHA1
df6ff8cfcdc98f097b5fb7e99b95f38a07464930

SHA256
14c3a4fa864a9fed839022266ed433a3e5511e4c02c332a9c4ad04634cd50e58

SHA512
95eb925ecc2720be9efd660a9ca5403661b2161c008bc2c2a1754b09b198fe3aeb07c84204f34c0dec49fc07d6c763925ebc1b312822ed61aa1abc94e431da2f

Download Submit
C:\Windows\SysWOW64\Nfihbk32.exe

Filesize
370KB

MD5
ae9b6094e4684cdd11c13be921b21d38

SHA1
60570f2e2bb6cb01faac1946f6bfbe581ce60aa9

SHA256
b82f784ad8b23c2d42e265fc88fdb3d79c3ac060a8776c2aff328bef0c60b8ba

SHA512
b8d107a7f4ee55cb6355fd63fa8ed0d59c437895d0c71387ead7b024f7dada85c3b529302e75905ea64cfb6d23385fd7fbeb9650d05c257b46960e7932ef35b8

Download Submit
C:\Windows\SysWOW64\Obgohklm.exe

Filesize
370KB

MD5
223f5af395c4f6ab3a08a644ff88ced9

SHA1
225efb75078aaaca5871635ebcd6ea4dd1766d90

SHA256
4830c77007d7e49d221821ce828c7b2850599a8519901edd23ccbba235c6da0a

SHA512
b99bc68173997b492dc48bbfeb698b49a002a7572fd8049986e3954ae3f4777743fa8d66b48ad0e0b6fc9ff083bb880cfac1f28fa4307c7391ef65bd6492fd22

Download Submit
C:\Windows\SysWOW64\Omopjcjp.exe

Filesize
370KB

MD5
1663cfd9046d9497feebe9d0ac68573d

SHA1
012b9a8c46d69a49b1a20b5dc7a917dd5961df70

SHA256
330295257543d78548c24c3270d50788220ea385e088a517da74463f213d0035

SHA512
d3061bc1d1365f26da1b7ee671b7b919f96cbc0c0b3e3ac20e6abebfeb3f283d4108a817d40dddfa0c108aa51b939545060125662c63bb1faa5a4d7f91dba48d

Download Submit
C:\Windows\SysWOW64\Pplhhm32.exe

Filesize
370KB

MD5
f82223e099adba93b8c4aca89509c74f

SHA1
92d8faf2967f85801fcaba327671e5d02adbe5f8

SHA256
563b2f306bb8b71419e05a31c19ab22c6701c40ad70c2948d480f35fc6571d82

SHA512
837f710b5b4f409095d83b7303cef20d59a78f600981f575037b5fd5c677008e3fc329c392ed170b4314f2baf19993756b2d1c93b7b64218d40c623b23979b6f

Download Submit
C:\Windows\SysWOW64\Pqbala32.exe

Filesize
370KB

MD5
c647e80c397f99f70b278852774694d2

SHA1
5907e689e71b51b0906ff6cdb94d9c48915a2c3e

SHA256
0f7f39b3bc2b1e67007baf95febe5a0360ec7e400a91ecc518e8d1a3df6520d6

SHA512
98ab15f5d6926e50c332d8dd2d21bea6ae608dbf543bc89fc50e7cdbfc1cbba606e99e4b301226661771609b55e15cb3dba9580c892d9d1334bc727c8524e433

Download Submit
memory/364-162-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/364-351-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/764-311-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/764-33-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/824-331-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/824-98-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/940-325-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/940-73-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1036-223-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1036-368-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1712-194-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1712-362-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2040-295-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2040-9-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2472-313-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2472-41-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2656-303-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2656-25-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2756-343-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2756-139-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3224-90-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3224-329-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3688-122-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3688-339-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3828-178-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3828-355-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3880-106-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3880-333-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3916-317-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3916-57-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4064-319-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4064-65-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4256-370-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4256-233-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4292-81-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4292-297-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4292-0-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4292-294-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4292-1-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4300-296-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4300-18-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4360-364-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4360-218-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4488-114-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4488-337-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4492-242-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4492-375-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4552-186-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4552-357-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4668-220-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4668-366-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4672-49-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4672-315-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4680-353-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4680-170-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4748-147-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4748-345-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4760-327-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4760-83-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4776-347-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4776-155-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4988-130-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/4988-341-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads