e296ebaf011828996828ab22b5385064aac6e96f6c707686ced272e28cec51b1

Analysis

max time kernel
142s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03/05/2024, 04:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e296ebaf011828996828ab22b5385064aac6e96f6c707686ced272e28cec51b1.exe
Size

52KB
MD5

a6f1e2a178e4b876aada6538b7d60caa
SHA1

7b25d31a8ebe76c078ae245e1b8e2dde6bb9dccd
SHA256

e296ebaf011828996828ab22b5385064aac6e96f6c707686ced272e28cec51b1
SHA512

ad804ca02e2d03a9621d9480c239d110a923b19dcc4eb721536d309d2f4bcd2c1d687420134007c9cc2d21db1d2509508210973ed9695bce2ad2c1e8131fda95
SSDEEP

768:W6DguPYoxhy4AJb5+vtj3D2+1+Pp2emqQSBYGrdCOpodr/1H5:3MuAoxhyfx6lz2+1KAeCSBVJE5

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gfefiemq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hknach32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjddchg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e296ebaf011828996828ab22b5385064aac6e96f6c707686ced272e28cec51b1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Goddhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlakpp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Feeiob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjjddchg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmjejphb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkpnhgge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghkllmoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hdhbam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgilchkf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hejoiedd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hacmcfge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdhbam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hejoiedd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgilchkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hodpgjha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmlapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghhofmql.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpkjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hacmcfge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Goddhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gphmeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbnccfpb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdamqndn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gogangdc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hodpgjha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmlapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmjejphb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbnccfpb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghkllmoi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gphmeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hknach32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlakpp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e296ebaf011828996828ab22b5385064aac6e96f6c707686ced272e28cec51b1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Feeiob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghhofmql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpkjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gfefiemq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdamqndn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnagjbdf.exe

Executes dropped EXE 27 IoCs

pid	Process
2632	Fmjejphb.exe
2260	Feeiob32.exe
2572	Fmlapp32.exe
2484	Gfefiemq.exe
2620	Gicbeald.exe
2520	Ghhofmql.exe
3068	Gbnccfpb.exe
2900	Ghkllmoi.exe
3004	Goddhg32.exe
2516	Gdamqndn.exe
1964	Gogangdc.exe
2852	Gphmeo32.exe
988	Hknach32.exe
1392	Hpkjko32.exe
1824	Hkpnhgge.exe
2940	Hlakpp32.exe
1720	Hdhbam32.exe
584	Hejoiedd.exe
1704	Hnagjbdf.exe
1132	Hcnpbi32.exe
2100	Hgilchkf.exe
1540	Hhjhkq32.exe
604	Hodpgjha.exe
2104	Hacmcfge.exe
1768	Hjjddchg.exe
572	Icbimi32.exe
1748	Iagfoe32.exe

Loads dropped DLL 58 IoCs

pid	Process
2056	e296ebaf011828996828ab22b5385064aac6e96f6c707686ced272e28cec51b1.exe
2056	e296ebaf011828996828ab22b5385064aac6e96f6c707686ced272e28cec51b1.exe
2632	Fmjejphb.exe
2632	Fmjejphb.exe
2260	Feeiob32.exe
2260	Feeiob32.exe
2572	Fmlapp32.exe
2572	Fmlapp32.exe
2484	Gfefiemq.exe
2484	Gfefiemq.exe
2620	Gicbeald.exe
2620	Gicbeald.exe
2520	Ghhofmql.exe
2520	Ghhofmql.exe
3068	Gbnccfpb.exe
3068	Gbnccfpb.exe
2900	Ghkllmoi.exe
2900	Ghkllmoi.exe
3004	Goddhg32.exe
3004	Goddhg32.exe
2516	Gdamqndn.exe
2516	Gdamqndn.exe
1964	Gogangdc.exe
1964	Gogangdc.exe
2852	Gphmeo32.exe
2852	Gphmeo32.exe
988	Hknach32.exe
988	Hknach32.exe
1392	Hpkjko32.exe
1392	Hpkjko32.exe
1824	Hkpnhgge.exe
1824	Hkpnhgge.exe
2940	Hlakpp32.exe
2940	Hlakpp32.exe
1720	Hdhbam32.exe
1720	Hdhbam32.exe
584	Hejoiedd.exe
584	Hejoiedd.exe
1704	Hnagjbdf.exe
1704	Hnagjbdf.exe
1132	Hcnpbi32.exe
1132	Hcnpbi32.exe
2100	Hgilchkf.exe
2100	Hgilchkf.exe
1540	Hhjhkq32.exe
1540	Hhjhkq32.exe
604	Hodpgjha.exe
604	Hodpgjha.exe
2104	Hacmcfge.exe
2104	Hacmcfge.exe
1768	Hjjddchg.exe
1768	Hjjddchg.exe
1576	Ilknfn32.exe
1576	Ilknfn32.exe
2740	WerFault.exe
2740	WerFault.exe
2740	WerFault.exe
2740	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ghhofmql.exe	Gicbeald.exe
File created	C:\Windows\SysWOW64\Pabfdklg.dll	Ghhofmql.exe
File opened for modification	C:\Windows\SysWOW64\Gdamqndn.exe	Goddhg32.exe
File created	C:\Windows\SysWOW64\Hllopfgo.dll	Gdamqndn.exe
File created	C:\Windows\SysWOW64\Jpajnpao.dll	Gphmeo32.exe
File created	C:\Windows\SysWOW64\Ndabhn32.dll	Hlakpp32.exe
File created	C:\Windows\SysWOW64\Kifjcn32.dll	Fmjejphb.exe
File created	C:\Windows\SysWOW64\Fmlapp32.exe	Feeiob32.exe
File created	C:\Windows\SysWOW64\Liqebf32.dll	Hhjhkq32.exe
File created	C:\Windows\SysWOW64\Icbimi32.exe	Hjjddchg.exe
File opened for modification	C:\Windows\SysWOW64\Icbimi32.exe	Hjjddchg.exe
File created	C:\Windows\SysWOW64\Hnagjbdf.exe	Hejoiedd.exe
File created	C:\Windows\SysWOW64\Hodpgjha.exe	Hhjhkq32.exe
File created	C:\Windows\SysWOW64\Hhjhkq32.exe	Hgilchkf.exe
File opened for modification	C:\Windows\SysWOW64\Hknach32.exe	Gphmeo32.exe
File opened for modification	C:\Windows\SysWOW64\Hejoiedd.exe	Hdhbam32.exe
File opened for modification	C:\Windows\SysWOW64\Hodpgjha.exe	Hhjhkq32.exe
File created	C:\Windows\SysWOW64\Alogkm32.dll	Hodpgjha.exe
File opened for modification	C:\Windows\SysWOW64\Fmlapp32.exe	Feeiob32.exe
File created	C:\Windows\SysWOW64\Hlakpp32.exe	Hkpnhgge.exe
File created	C:\Windows\SysWOW64\Hcnpbi32.exe	Hnagjbdf.exe
File opened for modification	C:\Windows\SysWOW64\Hcnpbi32.exe	Hnagjbdf.exe
File opened for modification	C:\Windows\SysWOW64\Hjjddchg.exe	Hacmcfge.exe
File created	C:\Windows\SysWOW64\Gicbeald.exe	Gfefiemq.exe
File opened for modification	C:\Windows\SysWOW64\Hdhbam32.exe	Hlakpp32.exe
File created	C:\Windows\SysWOW64\Gphmeo32.exe	Gogangdc.exe
File created	C:\Windows\SysWOW64\Nbniiffi.dll	Hcnpbi32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Ahpjhc32.dll	Gicbeald.exe
File opened for modification	C:\Windows\SysWOW64\Ghkllmoi.exe	Gbnccfpb.exe
File opened for modification	C:\Windows\SysWOW64\Gogangdc.exe	Gdamqndn.exe
File opened for modification	C:\Windows\SysWOW64\Hlakpp32.exe	Hkpnhgge.exe
File created	C:\Windows\SysWOW64\Ecmkgokh.dll	Hjjddchg.exe
File created	C:\Windows\SysWOW64\Hkpnhgge.exe	Hpkjko32.exe
File created	C:\Windows\SysWOW64\Hacmcfge.exe	Hodpgjha.exe
File created	C:\Windows\SysWOW64\Mhfkbo32.dll	Hacmcfge.exe
File created	C:\Windows\SysWOW64\Cakqnc32.dll	e296ebaf011828996828ab22b5385064aac6e96f6c707686ced272e28cec51b1.exe
File opened for modification	C:\Windows\SysWOW64\Gbnccfpb.exe	Ghhofmql.exe
File created	C:\Windows\SysWOW64\Hdhbam32.exe	Hlakpp32.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Ghhofmql.exe	Gicbeald.exe
File opened for modification	C:\Windows\SysWOW64\Hpkjko32.exe	Hknach32.exe
File created	C:\Windows\SysWOW64\Goddhg32.exe	Ghkllmoi.exe
File opened for modification	C:\Windows\SysWOW64\Gphmeo32.exe	Gogangdc.exe
File created	C:\Windows\SysWOW64\Jmmjdk32.dll	Gogangdc.exe
File opened for modification	C:\Windows\SysWOW64\Hacmcfge.exe	Hodpgjha.exe
File created	C:\Windows\SysWOW64\Fmjejphb.exe	e296ebaf011828996828ab22b5385064aac6e96f6c707686ced272e28cec51b1.exe
File created	C:\Windows\SysWOW64\Ghkllmoi.exe	Gbnccfpb.exe
File opened for modification	C:\Windows\SysWOW64\Gicbeald.exe	Gfefiemq.exe
File created	C:\Windows\SysWOW64\Hknach32.exe	Gphmeo32.exe
File created	C:\Windows\SysWOW64\Hpkjko32.exe	Hknach32.exe
File opened for modification	C:\Windows\SysWOW64\Feeiob32.exe	Fmjejphb.exe
File created	C:\Windows\SysWOW64\Gfefiemq.exe	Fmlapp32.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Hejoiedd.exe	Hdhbam32.exe
File created	C:\Windows\SysWOW64\Hjjddchg.exe	Hacmcfge.exe
File created	C:\Windows\SysWOW64\Pffgja32.dll	Hpkjko32.exe
File created	C:\Windows\SysWOW64\Gbnccfpb.exe	Ghhofmql.exe
File created	C:\Windows\SysWOW64\Gdamqndn.exe	Goddhg32.exe
File opened for modification	C:\Windows\SysWOW64\Hhjhkq32.exe	Hgilchkf.exe
File opened for modification	C:\Windows\SysWOW64\Fmjejphb.exe	e296ebaf011828996828ab22b5385064aac6e96f6c707686ced272e28cec51b1.exe
File created	C:\Windows\SysWOW64\Feeiob32.exe	Fmjejphb.exe
File created	C:\Windows\SysWOW64\Hghmjpap.dll	Fmlapp32.exe
File created	C:\Windows\SysWOW64\Iebpge32.dll	Gbnccfpb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2740	1748	WerFault.exe	55

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabfdklg.dll"	Ghhofmql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ghhofmql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ghkllmoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepmggig.dll"	Hdhbam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codpklfq.dll"	Hknach32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecmkgokh.dll"	Hjjddchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	e296ebaf011828996828ab22b5385064aac6e96f6c707686ced272e28cec51b1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kifjcn32.dll"	Fmjejphb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmlapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kleiio32.dll"	Gfefiemq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbniiffi.dll"	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hgilchkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jondlhmp.dll"	Goddhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Goddhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gphmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hhjhkq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	e296ebaf011828996828ab22b5385064aac6e96f6c707686ced272e28cec51b1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gicbeald.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gicbeald.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlakpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hdhbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hllopfgo.dll"	Gdamqndn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hdhbam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhfkbo32.dll"	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmjejphb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcqgok32.dll"	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpajnpao.dll"	Gphmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pffgja32.dll"	Hpkjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlakpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojopmqk.dll"	Hgilchkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmlapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icbimi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	e296ebaf011828996828ab22b5385064aac6e96f6c707686ced272e28cec51b1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iebpge32.dll"	Gbnccfpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liqebf32.dll"	Hhjhkq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdpfph32.dll"	Icbimi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmjejphb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anllbdkl.dll"	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjjddchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hodpgjha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghhofmql.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbnccfpb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmjdk32.dll"	Gogangdc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpkjko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gphmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hknach32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	e296ebaf011828996828ab22b5385064aac6e96f6c707686ced272e28cec51b1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	e296ebaf011828996828ab22b5385064aac6e96f6c707686ced272e28cec51b1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Feeiob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Goddhg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2056 wrote to memory of 2632	2056	e296ebaf011828996828ab22b5385064aac6e96f6c707686ced272e28cec51b1.exe	28
PID 2056 wrote to memory of 2632	2056	e296ebaf011828996828ab22b5385064aac6e96f6c707686ced272e28cec51b1.exe	28
PID 2056 wrote to memory of 2632	2056	e296ebaf011828996828ab22b5385064aac6e96f6c707686ced272e28cec51b1.exe	28
PID 2056 wrote to memory of 2632	2056	e296ebaf011828996828ab22b5385064aac6e96f6c707686ced272e28cec51b1.exe	28
PID 2632 wrote to memory of 2260	2632	Fmjejphb.exe	29
PID 2632 wrote to memory of 2260	2632	Fmjejphb.exe	29
PID 2632 wrote to memory of 2260	2632	Fmjejphb.exe	29
PID 2632 wrote to memory of 2260	2632	Fmjejphb.exe	29
PID 2260 wrote to memory of 2572	2260	Feeiob32.exe	30
PID 2260 wrote to memory of 2572	2260	Feeiob32.exe	30
PID 2260 wrote to memory of 2572	2260	Feeiob32.exe	30
PID 2260 wrote to memory of 2572	2260	Feeiob32.exe	30
PID 2572 wrote to memory of 2484	2572	Fmlapp32.exe	31
PID 2572 wrote to memory of 2484	2572	Fmlapp32.exe	31
PID 2572 wrote to memory of 2484	2572	Fmlapp32.exe	31
PID 2572 wrote to memory of 2484	2572	Fmlapp32.exe	31
PID 2484 wrote to memory of 2620	2484	Gfefiemq.exe	32
PID 2484 wrote to memory of 2620	2484	Gfefiemq.exe	32
PID 2484 wrote to memory of 2620	2484	Gfefiemq.exe	32
PID 2484 wrote to memory of 2620	2484	Gfefiemq.exe	32
PID 2620 wrote to memory of 2520	2620	Gicbeald.exe	33
PID 2620 wrote to memory of 2520	2620	Gicbeald.exe	33
PID 2620 wrote to memory of 2520	2620	Gicbeald.exe	33
PID 2620 wrote to memory of 2520	2620	Gicbeald.exe	33
PID 2520 wrote to memory of 3068	2520	Ghhofmql.exe	34
PID 2520 wrote to memory of 3068	2520	Ghhofmql.exe	34
PID 2520 wrote to memory of 3068	2520	Ghhofmql.exe	34
PID 2520 wrote to memory of 3068	2520	Ghhofmql.exe	34
PID 3068 wrote to memory of 2900	3068	Gbnccfpb.exe	35
PID 3068 wrote to memory of 2900	3068	Gbnccfpb.exe	35
PID 3068 wrote to memory of 2900	3068	Gbnccfpb.exe	35
PID 3068 wrote to memory of 2900	3068	Gbnccfpb.exe	35
PID 2900 wrote to memory of 3004	2900	Ghkllmoi.exe	36
PID 2900 wrote to memory of 3004	2900	Ghkllmoi.exe	36
PID 2900 wrote to memory of 3004	2900	Ghkllmoi.exe	36
PID 2900 wrote to memory of 3004	2900	Ghkllmoi.exe	36
PID 3004 wrote to memory of 2516	3004	Goddhg32.exe	37
PID 3004 wrote to memory of 2516	3004	Goddhg32.exe	37
PID 3004 wrote to memory of 2516	3004	Goddhg32.exe	37
PID 3004 wrote to memory of 2516	3004	Goddhg32.exe	37
PID 2516 wrote to memory of 1964	2516	Gdamqndn.exe	38
PID 2516 wrote to memory of 1964	2516	Gdamqndn.exe	38
PID 2516 wrote to memory of 1964	2516	Gdamqndn.exe	38
PID 2516 wrote to memory of 1964	2516	Gdamqndn.exe	38
PID 1964 wrote to memory of 2852	1964	Gogangdc.exe	39
PID 1964 wrote to memory of 2852	1964	Gogangdc.exe	39
PID 1964 wrote to memory of 2852	1964	Gogangdc.exe	39
PID 1964 wrote to memory of 2852	1964	Gogangdc.exe	39
PID 2852 wrote to memory of 988	2852	Gphmeo32.exe	40
PID 2852 wrote to memory of 988	2852	Gphmeo32.exe	40
PID 2852 wrote to memory of 988	2852	Gphmeo32.exe	40
PID 2852 wrote to memory of 988	2852	Gphmeo32.exe	40
PID 988 wrote to memory of 1392	988	Hknach32.exe	41
PID 988 wrote to memory of 1392	988	Hknach32.exe	41
PID 988 wrote to memory of 1392	988	Hknach32.exe	41
PID 988 wrote to memory of 1392	988	Hknach32.exe	41
PID 1392 wrote to memory of 1824	1392	Hpkjko32.exe	42
PID 1392 wrote to memory of 1824	1392	Hpkjko32.exe	42
PID 1392 wrote to memory of 1824	1392	Hpkjko32.exe	42
PID 1392 wrote to memory of 1824	1392	Hpkjko32.exe	42
PID 1824 wrote to memory of 2940	1824	Hkpnhgge.exe	43
PID 1824 wrote to memory of 2940	1824	Hkpnhgge.exe	43
PID 1824 wrote to memory of 2940	1824	Hkpnhgge.exe	43
PID 1824 wrote to memory of 2940	1824	Hkpnhgge.exe	43

C:\Users\Admin\AppData\Local\Temp\e296ebaf011828996828ab22b5385064aac6e96f6c707686ced272e28cec51b1.exe
"C:\Users\Admin\AppData\Local\Temp\e296ebaf011828996828ab22b5385064aac6e96f6c707686ced272e28cec51b1.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\SysWOW64\Fmjejphb.exe
  C:\Windows\system32\Fmjejphb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\Feeiob32.exe
    C:\Windows\system32\Feeiob32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2260
  - - C:\Windows\SysWOW64\Fmlapp32.exe
      C:\Windows\system32\Fmlapp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Windows\SysWOW64\Gfefiemq.exe
        
        C:\Windows\system32\Gfefiemq.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2484
      - C:\Windows\SysWOW64\Gicbeald.exe
        
        C:\Windows\system32\Gicbeald.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\Ghhofmql.exe
        
        C:\Windows\system32\Ghhofmql.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\Gbnccfpb.exe
        
        C:\Windows\system32\Gbnccfpb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\SysWOW64\Ghkllmoi.exe
        
        C:\Windows\system32\Ghkllmoi.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\SysWOW64\Goddhg32.exe
        
        C:\Windows\system32\Goddhg32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Gdamqndn.exe
        
        C:\Windows\system32\Gdamqndn.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\SysWOW64\Gogangdc.exe
        
        C:\Windows\system32\Gogangdc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SysWOW64\Gphmeo32.exe
        
        C:\Windows\system32\Gphmeo32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\Hknach32.exe
        
        C:\Windows\system32\Hknach32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:988
        
        C:\Windows\SysWOW64\Hpkjko32.exe
        
        C:\Windows\system32\Hpkjko32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\SysWOW64\Hkpnhgge.exe
        
        C:\Windows\system32\Hkpnhgge.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\Hlakpp32.exe
        
        C:\Windows\system32\Hlakpp32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Hdhbam32.exe
        
        C:\Windows\system32\Hdhbam32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Hejoiedd.exe
        
        C:\Windows\system32\Hejoiedd.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:584
        
        C:\Windows\SysWOW64\Hnagjbdf.exe
        
        C:\Windows\system32\Hnagjbdf.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1704
        
        C:\Windows\SysWOW64\Hcnpbi32.exe
        
        C:\Windows\system32\Hcnpbi32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1132
        
        C:\Windows\SysWOW64\Hgilchkf.exe
        
        C:\Windows\system32\Hgilchkf.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Hhjhkq32.exe
        
        C:\Windows\system32\Hhjhkq32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1540
        
        C:\Windows\SysWOW64\Hodpgjha.exe
        
        C:\Windows\system32\Hodpgjha.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:604
        
        C:\Windows\SysWOW64\Hacmcfge.exe
        
        C:\Windows\system32\Hacmcfge.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Hjjddchg.exe
        
        C:\Windows\system32\Hjjddchg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\Icbimi32.exe
        
        C:\Windows\system32\Icbimi32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:572
        
        C:\Windows\SysWOW64\Ilknfn32.exe
        
        C:\Windows\system32\Ilknfn32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1576
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        29⤵
        Executes dropped EXE
        
        PID:1748
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 140
        30⤵
        Loads dropped DLL
        Program crash
        
        PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fmlapp32.exe

Filesize
52KB

MD5
e07a8fe55c9320f86e9f97fac71b2270

SHA1
7ba587121fefb71b29c7749c69751da565659cdc

SHA256
931cb09e22f0f21be59088dc5ccf9784fa9d9cfb5dba66e5abfecc8d4af325a5

SHA512
fb0de2423312347ebc9132edea4c8d8471586c9bf7ccec59d05389926b50699307acb21e270453e4e54f6779c7c71c5cbdfe3121dede278f7c8f069826f86f71

Download Submit
C:\Windows\SysWOW64\Gbnccfpb.exe

Filesize
52KB

MD5
c67c6245bf726932e25c2918917907ce

SHA1
add33177f29d5a944cd0bf6ce6591cf56239fc32

SHA256
4a670ba3ab5a16b15f3082be983478065c08a3b8a5ef6e70c244da81c5e95b11

SHA512
e58b207396cb016558fdb426e7671c5f05c5dc0c79adb258e9e54fa8278bda6d3f2d8a39cc3abfa6270d4a11325a39495ceffe16ad5254cc6069b95d8efd6f07

Download Submit
C:\Windows\SysWOW64\Hacmcfge.exe

Filesize
52KB

MD5
a02d36dbd0e7c5ca18f203bc454f069c

SHA1
b0fa92ccaad19188ad163a9871f077447ec37a70

SHA256
d5dc7a17290b2cf60447a78397578a3b7851d228baeda4953f498b91163a7aab

SHA512
025e8bac34e0b5aac94af0098954866591a8102b67388b61b47a0bf3ed4793ac4eb1b8cd4894eb3c07b9f28955314cd9b6e47d6f783291e54e9aa5caaca15b31

Download Submit
C:\Windows\SysWOW64\Hcnpbi32.exe

Filesize
52KB

MD5
1614dbe521749a695544553e80bd8362

SHA1
b7cc2c1c297e6e72db6e50849804adcfc814e9b5

SHA256
3febe59c518cf18c8a851f5688d4c59f337699b03b10a355e4c60dfee9734d19

SHA512
7b06601784567e2153b088476cd7526a227ccb9ac238db0bf303385fa26d869985b354dc594a7a2ce52327195602256e2b991aabb07a6c1ea427ade081a83abf

Download Submit
C:\Windows\SysWOW64\Hdhbam32.exe

Filesize
52KB

MD5
a4e5b6da74f7494853f724f89908286e

SHA1
628a554b75999db3f10cf5fbc24d8c4124e16522

SHA256
36e4cc0058dfece74e94531c190dcca68b92d8b326a7bdb6d10712197ee149a2

SHA512
356a2eb08d68d47154eb618acbf3c19519d26d3e8b668a2f888f6b2ea8eaa3b09b32845b3a7821d9d65cfe5a3b73ab18902d443a16322a1163b170b2207c5258

Download Submit
C:\Windows\SysWOW64\Hejoiedd.exe

Filesize
52KB

MD5
466e251456cb8cb1734d4b7d1d719cca

SHA1
039f53fdbf8ad61a4afbae983aca85f93f34cfe2

SHA256
b6a71d61596fab1afc8b5a33f0880ecafc4f2318349f481652ccf705b6ef90d1

SHA512
3e07f8317f9977680b68abcd6237043eda2530aed48a60a2b68dfedb68e88bd23c0e1e0735b3d0068d68595d79adc9352cc2d6b1b755190b37368491055b8f9f

Download Submit
C:\Windows\SysWOW64\Hgilchkf.exe

Filesize
52KB

MD5
e75db19c28b10893dc228ece6e3bab4d

SHA1
4d09ef830bea0aa9b181f27418b6a8fe400e4852

SHA256
2269162ae3dedb2bb766a3232f27ef2394669eb75a24b12a7c3901c026fcefdd

SHA512
031416811a70dd4c5e5653038cb4c973856f2e95e5a9349a2a5fd53c3a42e56da11a5e44b477da1d9f48fd566570b0fa7b7c1f25772f63dbf2d54d118fb163fa

Download Submit
C:\Windows\SysWOW64\Hhjhkq32.exe

Filesize
52KB

MD5
05a9349e2c9ab551aafdcadf5b86c508

SHA1
24b313165d575b126d9a7650095877060a504049

SHA256
dafb5de230da43b0140c6cb2b3b9e22c425e5561d46107a249c073e042567246

SHA512
d548437684c7d96e19481818ea22d1e32c08a77693342354a64404281c1453141f575bd85abed8f336084dd8bc36e327a3ee565b498703f52d80c1036e5e1c55

Download Submit
C:\Windows\SysWOW64\Hjjddchg.exe

Filesize
52KB

MD5
8010f86c5cc6920eef85935acfe5e8eb

SHA1
2a8eba3ee6d4d99476d175e404ff6b6930ceef22

SHA256
7ecfb7a20f9baf21d95cd5fdaae3819080e59eeb09c689cc25cbee853f2af2c4

SHA512
60f6abb172efa2f873a2de3ec62b66591b3584feaf19dc8f6a7df7fb996ddc6551202d6177e09f74a3b568de02c967f3c9449f581a72f7bbaf5f698bf4817a3b

Download Submit
C:\Windows\SysWOW64\Hnagjbdf.exe

Filesize
52KB

MD5
2224f6b74b97d92cca1251f079b151e0

SHA1
9b740ea90f246ebfa565094b6d7717e5f46d8ebb

SHA256
1b39276f09ae6a8cc7eea862269ada00d1d48d95cb876555e46bc51d4c32fa55

SHA512
0b9f73cc0dc03ccd90679245263728ed884069a7d47eaa01206c94f50cd5c77d4be2edf44a0332bd488d7aaa2481a04114009bc604aafea7869ef874d526e397

Download Submit
C:\Windows\SysWOW64\Hodpgjha.exe

Filesize
52KB

MD5
26ddb505fd0bffec3cc1f04df6ecd8b4

SHA1
89d725ac95486538d3b673ce8ee630dafa8e1fb4

SHA256
0ff8a42e80f640c57212ad1bd346b1942366eee2be57710ec6ce34f89e61abc8

SHA512
d2c5270e472a1ee5c5a843ae2a795bedc3609aae943c46e61ae0bb4e4c23d03b8185b3da28092572bb9bbe889d894a1374f1925f7a064c00610b3a978d395402

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
52KB

MD5
ec988da6bfb1ade772b3b395634f3365

SHA1
edbcbea2b342cf244c0c590c32a03094354d3455

SHA256
9260edc02ef5cbc4091db362d56fb532cfe825abb466a7699dc98eaab0593c2c

SHA512
00141c32a180014ed75b974de57fa605c78c7f6a532e1722e01756c5d39e49de345725f5ec98a913d52f8535c6e8ad0126e694dc1f6ae107b82c19d65ca6587f

Download Submit
C:\Windows\SysWOW64\Icbimi32.exe

Filesize
52KB

MD5
b1c98e6b234167221796c425062de3f1

SHA1
7b9b8de88a814c6f55c4e86ab8e3190645a67fe8

SHA256
727a0217abc59fa7cf80c6c0595e71f9acc1413fb0cbe11f874c31ba38e292bd

SHA512
01368fdac516c26881ec884d081e16d61578e41aee7ea5ed06aeb8c7a47554057dc0de9dceb3e44f597722cb85e890f5c8c862078dbcff6f4f84cd3ed2b6bb20

Download Submit
\Windows\SysWOW64\Feeiob32.exe

Filesize
52KB

MD5
73368c027400b9356bf6e69b1b855bf6

SHA1
d8d43b8baf46d062cc6f236dbbf636ad19f7de90

SHA256
5374d494aa26c249e9752492ee338f0bed395ade9f39de570d945f39e0447970

SHA512
5a7a57b17c91f85c70168388aff6888335984de034cbc551291a5a93fcdb453990006ceaa0231527f7c09e9df888ad3de2617567522d712c4eef2872076c5faf

Download Submit
\Windows\SysWOW64\Fmjejphb.exe

Filesize
52KB

MD5
db48ff2e08287f4eee752733f6627a43

SHA1
523b06b083ff10d260fb4c718bd579e7885886d5

SHA256
e2734db0e094505b806c6f30f00d61ebbf70e026087af8222f4729288450f1c9

SHA512
8da543e553ed3cb3ecac1f7d76cf6e051dafdced69d6a75e0d1b2e82955679fbb5dfe85c93c5862236a00e9a44f04ca4bfb3f3f28e5145cebccd34c13524c87c

Download Submit
\Windows\SysWOW64\Gdamqndn.exe

Filesize
52KB

MD5
8ed7b2ceaf988900247eb23ab5e64154

SHA1
d20c77d604adfcd5d9c44b01bdaf55d593e4941a

SHA256
c01dfb8a391fa4588eb668e91ebf006d64f3f281f6d37fbd7e6aab9cbdecf577

SHA512
47ba370de3839644f3cf4de8551d4cc5f357b7a6c52f7e227e4ec0ab465a5ef70c18b8ae35c52ef1232a4fe7f5028aec96bd3fc09d026b2714643b7770c6ecb1

Download Submit
\Windows\SysWOW64\Gfefiemq.exe

Filesize
52KB

MD5
2c3d2c09be450d4e43f6fd4b46731558

SHA1
c78b9afad3a4a94d2334884669caff2a28c97754

SHA256
738b232aa63c6ba4d5867c13813c39f287879d038e75be873569fbff652e205c

SHA512
f392a56fa38acb803e40696856173011605b88c954a56340fd71867734d0aa73d6bef433e0df44bd8e84ab88eb3bb3e34edcc58449cba714165a0722a18429ed

Download Submit
\Windows\SysWOW64\Ghhofmql.exe

Filesize
52KB

MD5
a36bc7c5dcd717c6d6b932d8f2978d35

SHA1
c33e19a82473d77ae72efcb6ac29032d5cec9d03

SHA256
3096a9af2d3ffdb63f451633d45d1b1a341f614c8d72ff64fbe423cddf2ffbe5

SHA512
ea27eefaedf4aa421fd9c34f5759ae53b096740b75f4fc60910315195c8068599873bfdc4a0eda709c0df7bcd42917003739f84410cc7cf4115967dec151bde1

Download Submit
\Windows\SysWOW64\Ghkllmoi.exe

Filesize
52KB

MD5
cb92b69e4fe16198fd8a5b64702e8d1f

SHA1
055c19baeb0fd1da31cd2e39d211a259fa2a911a

SHA256
3467e4365bbd1c50b0c6c3060a2e32bf885ddea51b9eeebdd01219616999c31c

SHA512
b836c14656111329b32d294d6be35f77ee61dd559c7fbe9f26086d019cd6713d97bd681fd1cf362851dc359ac9001f6d347c9007d6c7899a889c8f3dfff6796e

Download Submit
\Windows\SysWOW64\Gicbeald.exe

Filesize
52KB

MD5
c85bf3f69cd1db029ff70b9b931a90a7

SHA1
d096443f211e8bc7db7de58a25d801e6d35252ad

SHA256
e174a9e11770e0d0ed1763796d0d5c9e636eecd84ca7cbb02e193aa7d49c5790

SHA512
98d2ff5afbca871196e237dd2115e2d8f756b6e3388519e5fd0a227a478b3aefe8d5ffc770d236b5f541ecd4fdb4e60be24c750275c7b0f57b09e5aa308ab8d7

Download Submit
\Windows\SysWOW64\Goddhg32.exe

Filesize
52KB

MD5
13a6803c3e28765bceda69cbcff0d8c5

SHA1
8f294f72c69fcdd9ef60f6f3bcfa66f58f986739

SHA256
57d105a0d41e673cfef0e5499a1d943e65660fcfaaa7be0227b16008c3d3524b

SHA512
466115f20e9bb2cfe2e5828539b92a91555a3384cdfa2e0cba1d8e6110fc8db58e086f8a77f8a98448e541ac813edfe4ca7598f64f96ba1688c8c48490c64e70

Download Submit
\Windows\SysWOW64\Gogangdc.exe

Filesize
52KB

MD5
ee78ec3a77dd6a55c6c2cc9e368ebcb7

SHA1
05c17f0e4ba9b29e8e94d50d2badbeed7cecd8b4

SHA256
51fe78b38b8a109404cb5502e8d8ff7a529e209565733df91a354f91d3e3496c

SHA512
e0cf520c5cfdb633711128f6f0b6ced23be7b36d18b8ff7a007fad42d4e5050e3683f1a7afb1d08ae42cacbd3a12e9a3d62851291cae09f590be9594e442723f

Download Submit
\Windows\SysWOW64\Gphmeo32.exe

Filesize
52KB

MD5
6996379d97b067403e119f7eeea41a1e

SHA1
5ac0cdd1d5b2b209fa7134f8c25b940d3b030a80

SHA256
1f79d4bb8de653cafdbf086109513023d830b90029b9677c656c8493d610623c

SHA512
05084c0cd74aa4590b2fe558b8b3e1b44b61e08828302304b68cd970d7b32f977a9f5b68128c71286c41e75b78d913cd037dfd76487ebf3de28ff40f16b11349

Download Submit
\Windows\SysWOW64\Hknach32.exe

Filesize
52KB

MD5
0bca359d717adc8673fddfa04c562bca

SHA1
6194e3a8df25ca38667d1f10a89c3e4df5cbd180

SHA256
cd3526d5fc0db7d22f3eaedc2679be53d3cd428208e6991b087b9e91ce0eb532

SHA512
bf4f4286b66e08848d5b5bcfe34f1e6cc12daac774c54e364e25e38319d20c2e80854eaf22e712f91d6fb5589bd637acd92511e7a6ae4da27d96f83e0e4232b5

Download Submit
\Windows\SysWOW64\Hkpnhgge.exe

Filesize
52KB

MD5
dc46bb0aeb2d70dfd88e65a44b6f8e7e

SHA1
cbc9090b47d4fc6833ad38f13a2425497b1d485e

SHA256
1a85b51bf0cf9638efb36befe69993d27b6d6c824dacce3360064b0c67f1d58a

SHA512
9626d2cd5a2442f262fc38756da54ff60d951269bf53d4635514aa0ff753eb90922ab23b5d49f1ce3d56c361d7aacb1a912d4c742a60b5a508fa44766473b3d6

Download Submit
\Windows\SysWOW64\Hlakpp32.exe

Filesize
52KB

MD5
6e4224bf43520500e662dd4705c7150d

SHA1
8c32cb5d9702492f9be1fb5525095d6acca278b0

SHA256
49324dde2f40c757daeee94342b71d710cf8b03689eebafbbe961e460481a81a

SHA512
69e35a151b5123d388bba01a27bc5eb21fa6dfe3da2e4c06e4aa7a07d6767be8343c2306e6bbc6b6a8a66f26358d20cc2cfd034901b653486f00cdff5f9722f2

Download Submit
\Windows\SysWOW64\Hpkjko32.exe

Filesize
52KB

MD5
8fd59424d2005653075580aa54d8f14f

SHA1
c598e3c94bb1c540f31602bc416342962b1ae89c

SHA256
ae98d34526daf3cc8e02f2cb087497a74bf6f421bb518e7feacb6094096f8fa7

SHA512
64820e4663ba40e005b46618b5682199a679fb000bcff2e6a1226eb7e160a68784d2099b163047937705397e6c8adefe8dfbd0a22cffcdaa1668475660325737

Download Submit
memory/572-310-0x0000000000250000-0x0000000000281000-memory.dmp

Filesize
196KB

Download
memory/572-309-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/584-341-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/584-236-0x0000000000250000-0x0000000000281000-memory.dmp

Filesize
196KB

Download
memory/584-234-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/604-285-0x0000000000250000-0x0000000000281000-memory.dmp

Filesize
196KB

Download
memory/604-286-0x0000000000250000-0x0000000000281000-memory.dmp

Filesize
196KB

Download
memory/604-276-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/604-346-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/988-172-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/988-336-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/988-179-0x0000000000290000-0x00000000002C1000-memory.dmp

Filesize
196KB

Download
memory/1132-253-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1392-195-0x0000000000260000-0x0000000000291000-memory.dmp

Filesize
196KB

Download
memory/1392-337-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1540-345-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1540-267-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1576-352-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1576-321-0x00000000002E0000-0x0000000000311000-memory.dmp

Filesize
196KB

Download
memory/1576-320-0x00000000002E0000-0x0000000000311000-memory.dmp

Filesize
196KB

Download
memory/1576-311-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1704-342-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1704-240-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1720-221-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1720-340-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1748-322-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1768-298-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1768-308-0x0000000001F60000-0x0000000001F91000-memory.dmp

Filesize
196KB

Download
memory/1768-348-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1768-304-0x0000000001F60000-0x0000000001F91000-memory.dmp

Filesize
196KB

Download
memory/1824-338-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1964-334-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1964-145-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2056-6-0x0000000000250000-0x0000000000281000-memory.dmp

Filesize
196KB

Download
memory/2056-323-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2056-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2100-344-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2100-258-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2104-297-0x0000000000300000-0x0000000000331000-memory.dmp

Filesize
196KB

Download
memory/2104-296-0x0000000000300000-0x0000000000331000-memory.dmp

Filesize
196KB

Download
memory/2104-347-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2104-287-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2260-26-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2260-325-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2484-64-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2516-333-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2516-132-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2520-80-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2520-329-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2572-57-0x0000000000250000-0x0000000000281000-memory.dmp

Filesize
196KB

Download
memory/2572-326-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2572-39-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2620-78-0x0000000000280000-0x00000000002B1000-memory.dmp

Filesize
196KB

Download
memory/2620-66-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2620-328-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2632-324-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2632-25-0x0000000000250000-0x0000000000281000-memory.dmp

Filesize
196KB

Download
memory/2852-335-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2852-166-0x0000000000440000-0x0000000000471000-memory.dmp

Filesize
196KB

Download
memory/2852-158-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2900-331-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2900-106-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2940-339-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2940-211-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3004-332-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3004-119-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3068-93-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3068-330-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads