b9799eabf17621446b296231399e956e8c6204f8eb0c048a5a379bfa93aa3204

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23/04/2024, 03:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b9799eabf17621446b296231399e956e8c6204f8eb0c048a5a379bfa93aa3204.exe
Size

400KB
MD5

8484875c40a01f7a4c3c3696db19f79b
SHA1

346187ea9d24f7795aee82238f4061962e346638
SHA256

b9799eabf17621446b296231399e956e8c6204f8eb0c048a5a379bfa93aa3204
SHA512

856bae9e1bf2fd67f922d31739621c9a63f9934993598f5faedd3d92c4b49232b04fddfd3ab80fea1f19f1acfffc80af33ab4115adf26b4fde609ce3728f2516
SSDEEP

6144:L36zHYk8vlqZVoBqvl8ZV4U/vlfl+9DvlEZV4U/vlf0DrBqvl8ZV1:j6kk8vmgqvQ6IvYvc6IveDVqvQ/

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djnpnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Glaoalkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djnpnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnlidb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekklaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffnphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	b9799eabf17621446b296231399e956e8c6204f8eb0c048a5a379bfa93aa3204.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efncicpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekklaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhmepp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glaoalkh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejbfhfaj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gicbeald.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjgoce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdfflm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnlidb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejbfhfaj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fehjeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkkemh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b9799eabf17621446b296231399e956e8c6204f8eb0c048a5a379bfa93aa3204.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgfjbgmh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efncicpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffnphf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hdfflm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hggomh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dqlafm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkkemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fehjeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjgoce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fphafl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffbicfoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hggomh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hacmcfge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgfjbgmh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmjaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dqlafm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffbicfoc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlfdkoin.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fphafl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmjaic32.exe

Executes dropped EXE 25 IoCs

pid	Process
1464	Djnpnc32.exe
2720	Dnlidb32.exe
1736	Dqlafm32.exe
2708	Dgfjbgmh.exe
2556	Efncicpm.exe
2508	Ekklaj32.exe
3068	Ejbfhfaj.exe
2628	Fehjeo32.exe
2756	Fjgoce32.exe
2660	Ffnphf32.exe
2024	Fphafl32.exe
2836	Ffbicfoc.exe
1700	Gicbeald.exe
1328	Glaoalkh.exe
668	Gkkemh32.exe
1108	Gmjaic32.exe
1872	Hdfflm32.exe
2876	Hggomh32.exe
1276	Hcnpbi32.exe
1792	Hlfdkoin.exe
876	Hacmcfge.exe
1824	Hhmepp32.exe
2968	Ieqeidnl.exe
1040	Idceea32.exe
2924	Iagfoe32.exe

Loads dropped DLL 54 IoCs

pid	Process
1420	b9799eabf17621446b296231399e956e8c6204f8eb0c048a5a379bfa93aa3204.exe
1420	b9799eabf17621446b296231399e956e8c6204f8eb0c048a5a379bfa93aa3204.exe
1464	Djnpnc32.exe
1464	Djnpnc32.exe
2720	Dnlidb32.exe
2720	Dnlidb32.exe
1736	Dqlafm32.exe
1736	Dqlafm32.exe
2708	Dgfjbgmh.exe
2708	Dgfjbgmh.exe
2556	Efncicpm.exe
2556	Efncicpm.exe
2508	Ekklaj32.exe
2508	Ekklaj32.exe
3068	Ejbfhfaj.exe
3068	Ejbfhfaj.exe
2628	Fehjeo32.exe
2628	Fehjeo32.exe
2756	Fjgoce32.exe
2756	Fjgoce32.exe
2660	Ffnphf32.exe
2660	Ffnphf32.exe
2024	Fphafl32.exe
2024	Fphafl32.exe
2836	Ffbicfoc.exe
2836	Ffbicfoc.exe
1700	Gicbeald.exe
1700	Gicbeald.exe
1328	Glaoalkh.exe
1328	Glaoalkh.exe
668	Gkkemh32.exe
668	Gkkemh32.exe
1108	Gmjaic32.exe
1108	Gmjaic32.exe
1872	Hdfflm32.exe
1872	Hdfflm32.exe
2876	Hggomh32.exe
2876	Hggomh32.exe
1276	Hcnpbi32.exe
1276	Hcnpbi32.exe
1792	Hlfdkoin.exe
1792	Hlfdkoin.exe
876	Hacmcfge.exe
876	Hacmcfge.exe
1824	Hhmepp32.exe
1824	Hhmepp32.exe
2968	Ieqeidnl.exe
2968	Ieqeidnl.exe
1040	Idceea32.exe
1040	Idceea32.exe
816	WerFault.exe
816	WerFault.exe
816	WerFault.exe
816	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ekklaj32.exe	Efncicpm.exe
File created	C:\Windows\SysWOW64\Ipjchc32.dll	Fphafl32.exe
File created	C:\Windows\SysWOW64\Gkkemh32.exe	Glaoalkh.exe
File created	C:\Windows\SysWOW64\Bhpdae32.dll	Hdfflm32.exe
File created	C:\Windows\SysWOW64\Mkaggelk.dll	Dqlafm32.exe
File created	C:\Windows\SysWOW64\Dlgohm32.dll	Ejbfhfaj.exe
File opened for modification	C:\Windows\SysWOW64\Fjgoce32.exe	Fehjeo32.exe
File created	C:\Windows\SysWOW64\Gicbeald.exe	Ffbicfoc.exe
File opened for modification	C:\Windows\SysWOW64\Hcnpbi32.exe	Hggomh32.exe
File opened for modification	C:\Windows\SysWOW64\Ieqeidnl.exe	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Fehjeo32.exe	Ejbfhfaj.exe
File opened for modification	C:\Windows\SysWOW64\Fphafl32.exe	Ffnphf32.exe
File created	C:\Windows\SysWOW64\Hlfdkoin.exe	Hcnpbi32.exe
File created	C:\Windows\SysWOW64\Hacmcfge.exe	Hlfdkoin.exe
File created	C:\Windows\SysWOW64\Hhmepp32.exe	Hacmcfge.exe
File opened for modification	C:\Windows\SysWOW64\Hhmepp32.exe	Hacmcfge.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Idceea32.exe
File created	C:\Windows\SysWOW64\Dgfjbgmh.exe	Dqlafm32.exe
File opened for modification	C:\Windows\SysWOW64\Fehjeo32.exe	Ejbfhfaj.exe
File created	C:\Windows\SysWOW64\Hggomh32.exe	Hdfflm32.exe
File opened for modification	C:\Windows\SysWOW64\Idceea32.exe	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Djnpnc32.exe	b9799eabf17621446b296231399e956e8c6204f8eb0c048a5a379bfa93aa3204.exe
File opened for modification	C:\Windows\SysWOW64\Hacmcfge.exe	Hlfdkoin.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Idceea32.exe
File created	C:\Windows\SysWOW64\Kegiig32.dll	Fjgoce32.exe
File created	C:\Windows\SysWOW64\Maphhihi.dll	Efncicpm.exe
File opened for modification	C:\Windows\SysWOW64\Ejbfhfaj.exe	Ekklaj32.exe
File created	C:\Windows\SysWOW64\Jkoginch.dll	Fehjeo32.exe
File created	C:\Windows\SysWOW64\Ffnphf32.exe	Fjgoce32.exe
File created	C:\Windows\SysWOW64\Glaoalkh.exe	Gicbeald.exe
File created	C:\Windows\SysWOW64\Oiogaqdb.dll	Hcnpbi32.exe
File created	C:\Windows\SysWOW64\Idceea32.exe	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Efncicpm.exe	Dgfjbgmh.exe
File created	C:\Windows\SysWOW64\Pqiqnfej.dll	Ieqeidnl.exe
File opened for modification	C:\Windows\SysWOW64\Ffnphf32.exe	Fjgoce32.exe
File created	C:\Windows\SysWOW64\Jbelkc32.dll	Ffnphf32.exe
File opened for modification	C:\Windows\SysWOW64\Ffbicfoc.exe	Fphafl32.exe
File created	C:\Windows\SysWOW64\Gmjaic32.exe	Gkkemh32.exe
File created	C:\Windows\SysWOW64\Hdfflm32.exe	Gmjaic32.exe
File created	C:\Windows\SysWOW64\Hcnpbi32.exe	Hggomh32.exe
File opened for modification	C:\Windows\SysWOW64\Djnpnc32.exe	b9799eabf17621446b296231399e956e8c6204f8eb0c048a5a379bfa93aa3204.exe
File created	C:\Windows\SysWOW64\Ekklaj32.exe	Efncicpm.exe
File created	C:\Windows\SysWOW64\Ejbfhfaj.exe	Ekklaj32.exe
File created	C:\Windows\SysWOW64\Kleiio32.dll	Ffbicfoc.exe
File created	C:\Windows\SysWOW64\Addnil32.dll	Gicbeald.exe
File opened for modification	C:\Windows\SysWOW64\Efncicpm.exe	Dgfjbgmh.exe
File opened for modification	C:\Windows\SysWOW64\Hdfflm32.exe	Gmjaic32.exe
File opened for modification	C:\Windows\SysWOW64\Hggomh32.exe	Hdfflm32.exe
File created	C:\Windows\SysWOW64\Nfmjcmjd.dll	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Hecjkifm.dll	Djnpnc32.exe
File created	C:\Windows\SysWOW64\Jfpjfeia.dll	Dnlidb32.exe
File created	C:\Windows\SysWOW64\Fphafl32.exe	Ffnphf32.exe
File opened for modification	C:\Windows\SysWOW64\Glaoalkh.exe	Gicbeald.exe
File created	C:\Windows\SysWOW64\Kcaipkch.dll	Glaoalkh.exe
File created	C:\Windows\SysWOW64\Dnlidb32.exe	Djnpnc32.exe
File created	C:\Windows\SysWOW64\Bdhaablp.dll	Hacmcfge.exe
File opened for modification	C:\Windows\SysWOW64\Gicbeald.exe	Ffbicfoc.exe
File opened for modification	C:\Windows\SysWOW64\Gkkemh32.exe	Glaoalkh.exe
File created	C:\Windows\SysWOW64\Khejeajg.dll	Hggomh32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Idceea32.exe
File created	C:\Windows\SysWOW64\Aimkgn32.dll	Gkkemh32.exe
File created	C:\Windows\SysWOW64\Ambcae32.dll	Ekklaj32.exe
File created	C:\Windows\SysWOW64\Ffbicfoc.exe	Fphafl32.exe
File opened for modification	C:\Windows\SysWOW64\Gmjaic32.exe	Gkkemh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
816	2924	WerFault.exe	52

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alogkm32.dll"	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djnpnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	b9799eabf17621446b296231399e956e8c6204f8eb0c048a5a379bfa93aa3204.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekklaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmjaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmjcmjd.dll"	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idceea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgfjbgmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fphafl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Glaoalkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpdae32.dll"	Hdfflm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maphhihi.dll"	Efncicpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffnphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idceea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	b9799eabf17621446b296231399e956e8c6204f8eb0c048a5a379bfa93aa3204.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	b9799eabf17621446b296231399e956e8c6204f8eb0c048a5a379bfa93aa3204.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpjfeia.dll"	Dnlidb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dqlafm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Glaoalkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aimkgn32.dll"	Gkkemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hecjkifm.dll"	Djnpnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkoginch.dll"	Fehjeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffnphf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kleiio32.dll"	Ffbicfoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjchc32.dll"	Fphafl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkkemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkkemh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hacmcfge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnlidb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnlidb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlgohm32.dll"	Ejbfhfaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjgoce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hhmepp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djnpnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkaggelk.dll"	Dqlafm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fehjeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khejeajg.dll"	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqiqnfej.dll"	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	b9799eabf17621446b296231399e956e8c6204f8eb0c048a5a379bfa93aa3204.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oadqjk32.dll"	b9799eabf17621446b296231399e956e8c6204f8eb0c048a5a379bfa93aa3204.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejbfhfaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffbicfoc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkojpojq.dll"	Dgfjbgmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjgoce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbelkc32.dll"	Ffnphf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hdfflm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efncicpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kegiig32.dll"	Fjgoce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcaipkch.dll"	Glaoalkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phofkg32.dll"	Gmjaic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dqlafm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejbfhfaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fphafl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gicbeald.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	b9799eabf17621446b296231399e956e8c6204f8eb0c048a5a379bfa93aa3204.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 1464	1420	b9799eabf17621446b296231399e956e8c6204f8eb0c048a5a379bfa93aa3204.exe	28
PID 1420 wrote to memory of 1464	1420	b9799eabf17621446b296231399e956e8c6204f8eb0c048a5a379bfa93aa3204.exe	28
PID 1420 wrote to memory of 1464	1420	b9799eabf17621446b296231399e956e8c6204f8eb0c048a5a379bfa93aa3204.exe	28
PID 1420 wrote to memory of 1464	1420	b9799eabf17621446b296231399e956e8c6204f8eb0c048a5a379bfa93aa3204.exe	28
PID 1464 wrote to memory of 2720	1464	Djnpnc32.exe	29
PID 1464 wrote to memory of 2720	1464	Djnpnc32.exe	29
PID 1464 wrote to memory of 2720	1464	Djnpnc32.exe	29
PID 1464 wrote to memory of 2720	1464	Djnpnc32.exe	29
PID 2720 wrote to memory of 1736	2720	Dnlidb32.exe	30
PID 2720 wrote to memory of 1736	2720	Dnlidb32.exe	30
PID 2720 wrote to memory of 1736	2720	Dnlidb32.exe	30
PID 2720 wrote to memory of 1736	2720	Dnlidb32.exe	30
PID 1736 wrote to memory of 2708	1736	Dqlafm32.exe	31
PID 1736 wrote to memory of 2708	1736	Dqlafm32.exe	31
PID 1736 wrote to memory of 2708	1736	Dqlafm32.exe	31
PID 1736 wrote to memory of 2708	1736	Dqlafm32.exe	31
PID 2708 wrote to memory of 2556	2708	Dgfjbgmh.exe	32
PID 2708 wrote to memory of 2556	2708	Dgfjbgmh.exe	32
PID 2708 wrote to memory of 2556	2708	Dgfjbgmh.exe	32
PID 2708 wrote to memory of 2556	2708	Dgfjbgmh.exe	32
PID 2556 wrote to memory of 2508	2556	Efncicpm.exe	33
PID 2556 wrote to memory of 2508	2556	Efncicpm.exe	33
PID 2556 wrote to memory of 2508	2556	Efncicpm.exe	33
PID 2556 wrote to memory of 2508	2556	Efncicpm.exe	33
PID 2508 wrote to memory of 3068	2508	Ekklaj32.exe	34
PID 2508 wrote to memory of 3068	2508	Ekklaj32.exe	34
PID 2508 wrote to memory of 3068	2508	Ekklaj32.exe	34
PID 2508 wrote to memory of 3068	2508	Ekklaj32.exe	34
PID 3068 wrote to memory of 2628	3068	Ejbfhfaj.exe	35
PID 3068 wrote to memory of 2628	3068	Ejbfhfaj.exe	35
PID 3068 wrote to memory of 2628	3068	Ejbfhfaj.exe	35
PID 3068 wrote to memory of 2628	3068	Ejbfhfaj.exe	35
PID 2628 wrote to memory of 2756	2628	Fehjeo32.exe	36
PID 2628 wrote to memory of 2756	2628	Fehjeo32.exe	36
PID 2628 wrote to memory of 2756	2628	Fehjeo32.exe	36
PID 2628 wrote to memory of 2756	2628	Fehjeo32.exe	36
PID 2756 wrote to memory of 2660	2756	Fjgoce32.exe	37
PID 2756 wrote to memory of 2660	2756	Fjgoce32.exe	37
PID 2756 wrote to memory of 2660	2756	Fjgoce32.exe	37
PID 2756 wrote to memory of 2660	2756	Fjgoce32.exe	37
PID 2660 wrote to memory of 2024	2660	Ffnphf32.exe	38
PID 2660 wrote to memory of 2024	2660	Ffnphf32.exe	38
PID 2660 wrote to memory of 2024	2660	Ffnphf32.exe	38
PID 2660 wrote to memory of 2024	2660	Ffnphf32.exe	38
PID 2024 wrote to memory of 2836	2024	Fphafl32.exe	39
PID 2024 wrote to memory of 2836	2024	Fphafl32.exe	39
PID 2024 wrote to memory of 2836	2024	Fphafl32.exe	39
PID 2024 wrote to memory of 2836	2024	Fphafl32.exe	39
PID 2836 wrote to memory of 1700	2836	Ffbicfoc.exe	40
PID 2836 wrote to memory of 1700	2836	Ffbicfoc.exe	40
PID 2836 wrote to memory of 1700	2836	Ffbicfoc.exe	40
PID 2836 wrote to memory of 1700	2836	Ffbicfoc.exe	40
PID 1700 wrote to memory of 1328	1700	Gicbeald.exe	41
PID 1700 wrote to memory of 1328	1700	Gicbeald.exe	41
PID 1700 wrote to memory of 1328	1700	Gicbeald.exe	41
PID 1700 wrote to memory of 1328	1700	Gicbeald.exe	41
PID 1328 wrote to memory of 668	1328	Glaoalkh.exe	42
PID 1328 wrote to memory of 668	1328	Glaoalkh.exe	42
PID 1328 wrote to memory of 668	1328	Glaoalkh.exe	42
PID 1328 wrote to memory of 668	1328	Glaoalkh.exe	42
PID 668 wrote to memory of 1108	668	Gkkemh32.exe	43
PID 668 wrote to memory of 1108	668	Gkkemh32.exe	43
PID 668 wrote to memory of 1108	668	Gkkemh32.exe	43
PID 668 wrote to memory of 1108	668	Gkkemh32.exe	43

C:\Users\Admin\AppData\Local\Temp\b9799eabf17621446b296231399e956e8c6204f8eb0c048a5a379bfa93aa3204.exe
"C:\Users\Admin\AppData\Local\Temp\b9799eabf17621446b296231399e956e8c6204f8eb0c048a5a379bfa93aa3204.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Windows\SysWOW64\Djnpnc32.exe
  C:\Windows\system32\Djnpnc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1464
- - C:\Windows\SysWOW64\Dnlidb32.exe
    C:\Windows\system32\Dnlidb32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\SysWOW64\Dqlafm32.exe
      C:\Windows\system32\Dqlafm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1736
    - - C:\Windows\SysWOW64\Dgfjbgmh.exe
        
        C:\Windows\system32\Dgfjbgmh.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2708
      - C:\Windows\SysWOW64\Efncicpm.exe
        
        C:\Windows\system32\Efncicpm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\SysWOW64\Ekklaj32.exe
        
        C:\Windows\system32\Ekklaj32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\Ejbfhfaj.exe
        
        C:\Windows\system32\Ejbfhfaj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\SysWOW64\Fehjeo32.exe
        
        C:\Windows\system32\Fehjeo32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Fjgoce32.exe
        
        C:\Windows\system32\Fjgoce32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\SysWOW64\Ffnphf32.exe
        
        C:\Windows\system32\Ffnphf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\SysWOW64\Fphafl32.exe
        
        C:\Windows\system32\Fphafl32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Ffbicfoc.exe
        
        C:\Windows\system32\Ffbicfoc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\SysWOW64\Gicbeald.exe
        
        C:\Windows\system32\Gicbeald.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Glaoalkh.exe
        
        C:\Windows\system32\Glaoalkh.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\SysWOW64\Gkkemh32.exe
        
        C:\Windows\system32\Gkkemh32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:668
        
        C:\Windows\SysWOW64\Gmjaic32.exe
        
        C:\Windows\system32\Gmjaic32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Hdfflm32.exe
        
        C:\Windows\system32\Hdfflm32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1872
        
        C:\Windows\SysWOW64\Hggomh32.exe
        
        C:\Windows\system32\Hggomh32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2876
        
        C:\Windows\SysWOW64\Hcnpbi32.exe
        
        C:\Windows\system32\Hcnpbi32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1276
        
        C:\Windows\SysWOW64\Hlfdkoin.exe
        
        C:\Windows\system32\Hlfdkoin.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\Hacmcfge.exe
        
        C:\Windows\system32\Hacmcfge.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:876
        
        C:\Windows\SysWOW64\Hhmepp32.exe
        
        C:\Windows\system32\Hhmepp32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1824
        
        C:\Windows\SysWOW64\Ieqeidnl.exe
        
        C:\Windows\system32\Ieqeidnl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Idceea32.exe
        
        C:\Windows\system32\Idceea32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        26⤵
        Executes dropped EXE
        
        PID:2924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 140
        27⤵
        Loads dropped DLL
        Program crash
        
        PID:816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dqlafm32.exe

Filesize
400KB

MD5
d88f1a72defbbcc1a293328f611e2169

SHA1
3e04b879ad7b802e65e4686611060264ef2b089a

SHA256
5a849c26fb4dbcc527f0604e9810fce28cf79cdd29b0941e3874d05faf0be285

SHA512
b4eeb66e7606d5dfa40ddd17ac22190c977164938a0c67422455b3610a067096eeae271d57f1678339b261a15150c3000c9537e45f5d89f7291f8e8c060094f1

Download Submit
C:\Windows\SysWOW64\Efncicpm.exe

Filesize
400KB

MD5
bfdc402d7f1169e386cf9e08fc13da1b

SHA1
5c4df24fe88807f60a6cbd809abcf67c6a92c394

SHA256
1d9150605a1cea0eb05f6d09e7e388be882aef60a270b68102abeb256f2435b2

SHA512
f6b800a3da4618d85ba102d3dea87ae7e4a9e2693f1d27465d131fbe58175dbcc7cf5e8fbdf31ce66ac6eb9b82f20e863d0a7a51d2c1c1e365567fbb9ccb61a5

Download Submit
C:\Windows\SysWOW64\Fehjeo32.exe

Filesize
400KB

MD5
1f0ac63bd5064ae2b17a461ada020f00

SHA1
e9d5cbc10fad9338785a065760a2eae477ce2593

SHA256
255380f250875ca27236670b0a985ee2ba74d7aec906d84c1d0f8ccb3334cd65

SHA512
2c3ee8c715917f5daa9067f55022591296dde33102b09111350fa3b5a191bf2e534a463e3d8ea31b4021f187fc302f5c4d1f17ece739adde8ae3222779dbcb74

Download Submit
C:\Windows\SysWOW64\Gkkemh32.exe

Filesize
400KB

MD5
e851adac26cf734964a1856cf4792dd0

SHA1
32b523308eeaef5d7c7e62127c84230266bec7f4

SHA256
2897c39b3ac57bccb9b1cdae119029b241591910b52e73886a6949e271cfaeed

SHA512
574c5d2fc60b2e41d01a17dec88ee58cc3ffafc1dee51080e4c93b695ceb07fe6c4d2ec5f41f3fac16a45509dd5c37e80285d800a16a7e2add9f858eb35c5712

Download Submit
C:\Windows\SysWOW64\Gmjaic32.exe

Filesize
400KB

MD5
3873a8aae0c310570d720117cb949564

SHA1
4e9c7f43cf7374327fdf82430b832698bf5dd508

SHA256
b96b49b516c5d50315de4e88849351ec4eda05be2922b6af1b4dbd75ebd72069

SHA512
415307cfe467034446e8b590f1420ecad47fdb1ef7458eba5c81e264ba75f0749211c669aa7d97484e7c957c809e4702646e60a04d4b577dfda032fcb30d2f7f

Download Submit
C:\Windows\SysWOW64\Hacmcfge.exe

Filesize
400KB

MD5
44f4e7b3bff7cf0113a2f783de67ecf2

SHA1
3995aa7ce4098f1b7c735de20ae33c78e0a477a5

SHA256
96b84cf07189a07002172bcaec69f211451dd8d8fdc0f47561e53e5ca54d3ed0

SHA512
dbe1899f5f47ed01d4b951d105954a2307d5543a68c5b29ca17826447275a8515095f9a830e430c6a765a432c9ce792323b0fcbd81f5ac578997cc3794c3469d

Download Submit
C:\Windows\SysWOW64\Hcnpbi32.exe

Filesize
400KB

MD5
3cbb1ee5fd1840d0517a2024c4b37e72

SHA1
8e6ce154274d94a33d9e9a3652f5e40d3e04a028

SHA256
20ed5de7de62bffbe882cb288041759dc7c14fa77b3b2d42d0e19a52f15d504c

SHA512
0f8ffb4522c39c51760cfcfa33dafa02af9edcea60b2f917a689955cabc01444add6e988fc17d81c254b769dc7541605cfe90dde14531e4a84a828a1edabb9bd

Download Submit
C:\Windows\SysWOW64\Hdfflm32.exe

Filesize
400KB

MD5
81d6607a9e826938a4c21065d7e7c543

SHA1
b2e89f5d01fac0e8ca8cd43838164f4dd050f6d3

SHA256
5953c1de3b5b298861801207191b45d3df2bf9a8f27baf59acb6b2cf2ddd8082

SHA512
ff35c8636eda4d932fb1bd86858a7a134b82349ee6b20870ad39e8d6e4b109bff8ce04779cd2526d5883ff353cd09ef0a73c297a1db74f53fe07fc4ab5baf477

Download Submit
C:\Windows\SysWOW64\Hggomh32.exe

Filesize
400KB

MD5
e2bbb5482efbfee5dae4c9a04cdf037f

SHA1
315a31c5fd2fe431d4a784cc9231b67ba48da202

SHA256
9b5d41078ea10d5f2b529d388ca0d8a92b7799bbb989d2674cdacf3a7e70e239

SHA512
f37a27bf616a10532edfdf90fe4db424636fb958ecf4a346e1df2da6505a42926f50b4e1f704285d42748dae3f3a9e35892d4bdd4b677d781b09d49ffcd33553

Download Submit
C:\Windows\SysWOW64\Hhmepp32.exe

Filesize
400KB

MD5
8d62d89ff169d1820b0282df53e4d851

SHA1
a502b5aacb6c16e413a8c7d061248bf6374ab00b

SHA256
b0b718e9aa76390e31afac830fb3f96d02aa58e6bffa05b08a53b5f48d3c43d1

SHA512
b5832ba89790d11a76d1d18b57eebef6f6ed7e164ba616d7116bf9d22353473b134b36c185a1771f79a1b1d523043017adc958e726ac18fb2e255f9a9b5ad7fd

Download Submit
C:\Windows\SysWOW64\Hlfdkoin.exe

Filesize
400KB

MD5
8198e8ff18612db83891cbebcd91d497

SHA1
ef762c190aa9cb2e5f87ab60452add33472f0cbf

SHA256
c7e1f7f4775f0dfb1209caf530dd4210155121950aff6d2fec228da3bd20c902

SHA512
53a4b52c54db601faf673447e8a5773eac7759df71a4800e8bd4ac4f05a84fa74edb9c50d1f97b7e8df20ce0f0ba1007c744b883ae0e76212dd04a5647491faa

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
400KB

MD5
81e757d3001f7803e4b48e99cee16157

SHA1
e5e007943ac0aab1fef8c456bdacfc12666222f6

SHA256
10a96f2fbd1ce547d05d4f50ead82afafe9a8ce2db20d5fcf83789fd7bbcbf36

SHA512
22c4475c293f0a67e5d368a2d6ca7d8404caf32519105bad8c7a8b181afd667ec2f564ecf0487238310d2d65d5ee28a095ad36f86261ebf130c54895cc16f1b7

Download Submit
C:\Windows\SysWOW64\Idceea32.exe

Filesize
400KB

MD5
a8d4082e680b85fd889cf6a10a6af914

SHA1
113de2a5206c2e96190b91ff91399acf815dd416

SHA256
1adae8c5d12e483f573dbc7f3eece82fb11b12773e06f62187cbfc591790969e

SHA512
eeb716e30b6a23cb54756ad9af886cbbf5ca70acd277afa11f2743c9ae9386b820ed062d863f2b0cdb9e0015fecedc8af994d4a1969c873fb51666d21a67503e

Download Submit
C:\Windows\SysWOW64\Ieqeidnl.exe

Filesize
400KB

MD5
eaecbcecf7ff30457e2ef1cbb77280fa

SHA1
d16c8d6c81ff924c6297256b31dd86330a7f4511

SHA256
3bca1cccd29d0e2bca2f9e91c4ecdbaf2848a5efdaa52791787ccc53d91dd82f

SHA512
3b54918c5d8b2dc0e561a8f074a7f582efdf017bfe7ffbe93849a22ffd008beb79f7d08aa5f2e2bc378f20691998bd335f59a4ebfc8e8ace326fc3d58b453488

Download Submit
\Windows\SysWOW64\Dgfjbgmh.exe

Filesize
400KB

MD5
24b7d4b15eef2a89fe5b8ebc3a7cf23f

SHA1
63e94221a37da74c38c4fe06fbd9fe4dd46ff987

SHA256
dfd94a2799ad0314d0306a91b2aed65efe5265e4795e16155d9f8d34e60c940b

SHA512
10f8a3fb9e344236f85b9e4ef225a7386a7a280824813c62e1c26f97cfa2487b8554bc7db641212466cd1bf4c144758cef48eb72f477f52902dc085cc0846a5b

Download Submit
\Windows\SysWOW64\Djnpnc32.exe

Filesize
400KB

MD5
fe45108e73e2ce1e3c302f63357fab8e

SHA1
0da5d24e65fbc25ca6b320128ee7d3416be89374

SHA256
83123198e6326bdfab77bacd36b27ffc7a59dab7df93dea0dab6712c301ce89c

SHA512
526404c907c3104a0381ce27be82a8d96d532f2be4acde082cf95ce24042505bc64006dc040b80329fd6d5ccd8a08c6f2207da3ad0379c44362dae8c574c1756

Download Submit
\Windows\SysWOW64\Dnlidb32.exe

Filesize
400KB

MD5
210903b61ad4f2fb75c5574d5d57efa1

SHA1
a56cf22c3454150cd71df0515c9d7e25d41bcd84

SHA256
f371cb3c02f50fd5efed78223595cd3ece82a81d0df9dbf7d66307b1168aa88f

SHA512
101bd38f9430cc503186781146c68a8a5d4aca92034e8125041f2e01a4e9f1890e9f593bd9c0435a25478d1f4bb6b2e9f2dd0546361d240d01255fc945768eca

Download Submit
\Windows\SysWOW64\Ejbfhfaj.exe

Filesize
400KB

MD5
e4bf0c440db3a60fb38164f0ad2492ca

SHA1
8078d1a0f55ef9db404826bfefdbf4971f5889b4

SHA256
ff49af9a66f65384be8274383e036865bc94376bdb2c6848497ce74cd08535e5

SHA512
b3848c0049e28db6e54c456d2aad5b3e613e04be6748a2f7927851e5fd4ec92ee91af5a26feb51b41618c8da0b6578de10f054dfbeb53842a5e77bd712e3064d

Download Submit
\Windows\SysWOW64\Ekklaj32.exe

Filesize
400KB

MD5
b2bbfb164abdc7d72952f3658c90dbae

SHA1
72ddf68ee9f97b9186cdec487aaa1747bbba5e02

SHA256
1209ed32a62ca17cd21ceb81c67674907dc8120da6c85fbe4f49b53315880f9d

SHA512
ed6d403fb584c8e6697e7e97a87aa1858689b49f50f2eaff860a616547ca38d9d3a7c4392f6640b3f2413db03de563063cebd635b4c9067d2d4ebfc1ca865b97

Download Submit
\Windows\SysWOW64\Ffbicfoc.exe

Filesize
400KB

MD5
4b086c2472da297de21d75ac2b4fcd7b

SHA1
6abcca5a631b6e1f6084069d435b66c5dba8451e

SHA256
1fd0247e3cafd5518d978664928021a769543aa37a2fe98202affd49483c2978

SHA512
fd5cbf9757b3c9518969ccb66d6895f0c969dbc7bd37981ba4f6f046035d214811b1af50f85caba55bfbc5d04f86c50b7cca0ffb45a75ebc53ce321a757061da

Download Submit
\Windows\SysWOW64\Ffnphf32.exe

Filesize
400KB

MD5
482417937f7338f8312afafa5ea47480

SHA1
144d8e6cffc0dec594190d739916fb0602f62583

SHA256
4b3df6da3bf49d0cf724a71c6bd13f61f5130fff0f1e31f9659f77d8067ed463

SHA512
671cd0d212b14dc9340ebc93f07fb3a96d95b7f8f6d89806ffe6803b8560d38eff807cec53982fc865c438bbd2aea28ec826acd33e43575da2c3988f6f6d45a9

Download Submit
\Windows\SysWOW64\Fjgoce32.exe

Filesize
400KB

MD5
6395e486a462278206d9caa898ec3754

SHA1
101342ab2bbe29d3198a1adc685c22d42c4b0966

SHA256
7ba90a62f8a4093bebe51ea75906bc5ee5daf75c97fbd749257516edb0a8550b

SHA512
c60a35a37d7f43cdbe5ebc9a5490095ce734206f23614fa0deb4faddecae7834424a7e6eb2d975a5eb78fb8841c087c631ef1cc008aea096ac5755448ba7cab5

Download Submit
\Windows\SysWOW64\Fphafl32.exe

Filesize
400KB

MD5
4558aed64435b25397c3e486c5be0cdb

SHA1
e21a758a578ae4f7ebc50c2fa08fb04417028b9f

SHA256
5fc849e2d6a6c263a878c90f8b07d5e6681fae2b7accad31d4696a95ce4d4129

SHA512
9704b85a04bfd58420975f06057009523566aa2d87a628022df7bd67465e2b029808e749c762e23e7c80b5f37f905c7f984e31b9bc7711647fd5eb859d4bcdca

Download Submit
\Windows\SysWOW64\Gicbeald.exe

Filesize
400KB

MD5
793ed76ff653ede962c4a051cde8d9cb

SHA1
da480372d2eee653126885f366a31a61cf74fe34

SHA256
a7b6ea9e94c2259b515a7463c0bf13199233d358c0784ce7210da2b2d484f2ac

SHA512
567f6d04698cd203f01d9b30d24d5b04e2b25442950d1d009c8c02646e89a832714a65056f4b1c0b20a88e8d60f8b430677266e72534c756d3e7acb9a766f444

Download Submit
\Windows\SysWOW64\Glaoalkh.exe

Filesize
400KB

MD5
6b37e705b76c8afffff52aaf7de0583d

SHA1
cabd84e5d40b5e763f88059dc2e681b4582fc62e

SHA256
8aa354dd47469a7dfc92e665f3d4f7913d214d7ba628f9d5c3f92183fdf3da3f

SHA512
23a03da1405d5b38d0141352767518940efe9c80e02527583d68495c862d06fd2d8fc27b113f530c96eac59435ef486aa8d30e1f4d9a27c8fcab808b7b819e07

Download Submit
memory/668-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/876-272-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/876-271-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1040-307-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1040-306-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1040-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1108-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1276-251-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1328-199-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1420-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1420-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1420-12-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1420-6-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1464-22-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/1464-19-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1700-182-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1700-185-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/1700-190-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/1736-50-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1736-46-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1792-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1792-270-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1792-265-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1792-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1824-309-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1824-294-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1824-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1872-234-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1872-228-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1872-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2024-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2024-162-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2024-180-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2508-95-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2508-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2556-74-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2556-78-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2628-115-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2660-144-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2708-68-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2708-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2708-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2720-40-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2720-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2756-320-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2756-123-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2836-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2876-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2924-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2968-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2968-304-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2968-305-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/3068-101-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3068-113-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads