ed40940f2460f7bb98240c57ad17832017e1ab123db1e436b097232af036ed1a

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
29/05/2024, 03:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed40940f2460f7bb98240c57ad17832017e1ab123db1e436b097232af036ed1a.exe
Size

582KB
MD5

0606bfad8855890f1215163b46bfb653
SHA1

1da88feb45a8f2ac159a0f7406e37ecf18297312
SHA256

ed40940f2460f7bb98240c57ad17832017e1ab123db1e436b097232af036ed1a
SHA512

73b70a3fcfdd0ea89a51f834ed41fd6580a5052e6801a0da88bc1de6c876b39795f13fa106b770da2b1f8ae285e30b41df0e1060fb63cd043961d2543b8d9de2
SSDEEP

12288:ASHM+mvYNrekcPYNrq6+gmCAYNrekcPYNrB:ASHM+mvakaF+gqakad

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fmlapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjhhocjj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccdlbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdlnkmha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqonkmdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Efncicpm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddcdkl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmlapp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glfhll32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gphmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gdamqndn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccdlbf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnpnndgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hlcgeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ed40940f2460f7bb98240c57ad17832017e1ab123db1e436b097232af036ed1a.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcmgfkeg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdamqndn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	ed40940f2460f7bb98240c57ad17832017e1ab123db1e436b097232af036ed1a.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddcdkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fnpnndgp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdlnkmha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjhhocjj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idceea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gegfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gphmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Idceea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enihne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Enihne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkkemh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgmglh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfgmhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eiomkn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfgmhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fcmgfkeg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eqonkmdh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Glfhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hacmcfge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eiomkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gegfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gkkemh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coklgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Coklgg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgmglh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efncicpm.exe

Executes dropped EXE 25 IoCs

pid	Process
2596	Ccdlbf32.exe
2128	Coklgg32.exe
2720	Cdlnkmha.exe
3068	Dgmglh32.exe
2232	Ddcdkl32.exe
2536	Dfgmhd32.exe
2336	Eqonkmdh.exe
2840	Efncicpm.exe
756	Enihne32.exe
1996	Eiomkn32.exe
284	Fnpnndgp.exe
2104	Fcmgfkeg.exe
2036	Fmlapp32.exe
2292	Gegfdb32.exe
2268	Glfhll32.exe
1468	Gdamqndn.exe
2088	Gkkemh32.exe
732	Gphmeo32.exe
1292	Hggomh32.exe
2020	Hlcgeo32.exe
1628	Hjhhocjj.exe
684	Hacmcfge.exe
872	Hogmmjfo.exe
828	Idceea32.exe
3020	Iagfoe32.exe

Loads dropped DLL 54 IoCs

pid	Process
2420	ed40940f2460f7bb98240c57ad17832017e1ab123db1e436b097232af036ed1a.exe
2420	ed40940f2460f7bb98240c57ad17832017e1ab123db1e436b097232af036ed1a.exe
2596	Ccdlbf32.exe
2596	Ccdlbf32.exe
2128	Coklgg32.exe
2128	Coklgg32.exe
2720	Cdlnkmha.exe
2720	Cdlnkmha.exe
3068	Dgmglh32.exe
3068	Dgmglh32.exe
2232	Ddcdkl32.exe
2232	Ddcdkl32.exe
2536	Dfgmhd32.exe
2536	Dfgmhd32.exe
2336	Eqonkmdh.exe
2336	Eqonkmdh.exe
2840	Efncicpm.exe
2840	Efncicpm.exe
756	Enihne32.exe
756	Enihne32.exe
1996	Eiomkn32.exe
1996	Eiomkn32.exe
284	Fnpnndgp.exe
284	Fnpnndgp.exe
2104	Fcmgfkeg.exe
2104	Fcmgfkeg.exe
2036	Fmlapp32.exe
2036	Fmlapp32.exe
2292	Gegfdb32.exe
2292	Gegfdb32.exe
2268	Glfhll32.exe
2268	Glfhll32.exe
1468	Gdamqndn.exe
1468	Gdamqndn.exe
2088	Gkkemh32.exe
2088	Gkkemh32.exe
732	Gphmeo32.exe
732	Gphmeo32.exe
1292	Hggomh32.exe
1292	Hggomh32.exe
2020	Hlcgeo32.exe
2020	Hlcgeo32.exe
1628	Hjhhocjj.exe
1628	Hjhhocjj.exe
684	Hacmcfge.exe
684	Hacmcfge.exe
872	Hogmmjfo.exe
872	Hogmmjfo.exe
828	Idceea32.exe
828	Idceea32.exe
2952	WerFault.exe
2952	WerFault.exe
2952	WerFault.exe
2952	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cdlnkmha.exe	Coklgg32.exe
File created	C:\Windows\SysWOW64\Gegfdb32.exe	Fmlapp32.exe
File opened for modification	C:\Windows\SysWOW64\Hogmmjfo.exe	Hacmcfge.exe
File opened for modification	C:\Windows\SysWOW64\Idceea32.exe	Hogmmjfo.exe
File created	C:\Windows\SysWOW64\Mcbndm32.dll	Cdlnkmha.exe
File created	C:\Windows\SysWOW64\Ddcdkl32.exe	Dgmglh32.exe
File created	C:\Windows\SysWOW64\Gkkemh32.exe	Gdamqndn.exe
File opened for modification	C:\Windows\SysWOW64\Coklgg32.exe	Ccdlbf32.exe
File created	C:\Windows\SysWOW64\Iecimppi.dll	Efncicpm.exe
File created	C:\Windows\SysWOW64\Facklcaq.dll	Fnpnndgp.exe
File created	C:\Windows\SysWOW64\Glfhll32.exe	Gegfdb32.exe
File created	C:\Windows\SysWOW64\Gdamqndn.exe	Glfhll32.exe
File created	C:\Windows\SysWOW64\Alogkm32.dll	Hjhhocjj.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Idceea32.exe
File created	C:\Windows\SysWOW64\Coklgg32.exe	Ccdlbf32.exe
File created	C:\Windows\SysWOW64\Anapbp32.dll	Dgmglh32.exe
File opened for modification	C:\Windows\SysWOW64\Eiomkn32.exe	Enihne32.exe
File created	C:\Windows\SysWOW64\Jmloladn.dll	Eiomkn32.exe
File created	C:\Windows\SysWOW64\Pqiqnfej.dll	Hogmmjfo.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Idceea32.exe
File created	C:\Windows\SysWOW64\Eqonkmdh.exe	Dfgmhd32.exe
File opened for modification	C:\Windows\SysWOW64\Fmlapp32.exe	Fcmgfkeg.exe
File created	C:\Windows\SysWOW64\Bcqgok32.dll	Fcmgfkeg.exe
File created	C:\Windows\SysWOW64\Ooghhh32.dll	Gegfdb32.exe
File created	C:\Windows\SysWOW64\Kcaipkch.dll	Gdamqndn.exe
File opened for modification	C:\Windows\SysWOW64\Gphmeo32.exe	Gkkemh32.exe
File created	C:\Windows\SysWOW64\Kjnifgah.dll	Hggomh32.exe
File created	C:\Windows\SysWOW64\Dgmglh32.exe	Cdlnkmha.exe
File created	C:\Windows\SysWOW64\Fcmgfkeg.exe	Fnpnndgp.exe
File created	C:\Windows\SysWOW64\Hggomh32.exe	Gphmeo32.exe
File created	C:\Windows\SysWOW64\Bhpdae32.dll	Gphmeo32.exe
File created	C:\Windows\SysWOW64\Hacmcfge.exe	Hjhhocjj.exe
File created	C:\Windows\SysWOW64\Dfgmhd32.exe	Ddcdkl32.exe
File opened for modification	C:\Windows\SysWOW64\Gdamqndn.exe	Glfhll32.exe
File created	C:\Windows\SysWOW64\Nlbodgap.dll	Coklgg32.exe
File created	C:\Windows\SysWOW64\Gfedefbi.dll	Ddcdkl32.exe
File created	C:\Windows\SysWOW64\Jondlhmp.dll	Glfhll32.exe
File opened for modification	C:\Windows\SysWOW64\Gkkemh32.exe	Gdamqndn.exe
File opened for modification	C:\Windows\SysWOW64\Cdlnkmha.exe	Coklgg32.exe
File opened for modification	C:\Windows\SysWOW64\Ddcdkl32.exe	Dgmglh32.exe
File created	C:\Windows\SysWOW64\Efncicpm.exe	Eqonkmdh.exe
File created	C:\Windows\SysWOW64\Enihne32.exe	Efncicpm.exe
File created	C:\Windows\SysWOW64\Eiomkn32.exe	Enihne32.exe
File created	C:\Windows\SysWOW64\Fmlapp32.exe	Fcmgfkeg.exe
File created	C:\Windows\SysWOW64\Jmmjdk32.dll	Gkkemh32.exe
File created	C:\Windows\SysWOW64\Hlcgeo32.exe	Hggomh32.exe
File created	C:\Windows\SysWOW64\Fenhecef.dll	Hlcgeo32.exe
File created	C:\Windows\SysWOW64\Hogmmjfo.exe	Hacmcfge.exe
File created	C:\Windows\SysWOW64\Kddjlc32.dll	Ccdlbf32.exe
File created	C:\Windows\SysWOW64\Fnpnndgp.exe	Eiomkn32.exe
File opened for modification	C:\Windows\SysWOW64\Fnpnndgp.exe	Eiomkn32.exe
File opened for modification	C:\Windows\SysWOW64\Fcmgfkeg.exe	Fnpnndgp.exe
File opened for modification	C:\Windows\SysWOW64\Gegfdb32.exe	Fmlapp32.exe
File created	C:\Windows\SysWOW64\Hjhhocjj.exe	Hlcgeo32.exe
File created	C:\Windows\SysWOW64\Idceea32.exe	Hogmmjfo.exe
File created	C:\Windows\SysWOW64\Ccdlbf32.exe	ed40940f2460f7bb98240c57ad17832017e1ab123db1e436b097232af036ed1a.exe
File opened for modification	C:\Windows\SysWOW64\Dfgmhd32.exe	Ddcdkl32.exe
File opened for modification	C:\Windows\SysWOW64\Hlcgeo32.exe	Hggomh32.exe
File opened for modification	C:\Windows\SysWOW64\Efncicpm.exe	Eqonkmdh.exe
File opened for modification	C:\Windows\SysWOW64\Hjhhocjj.exe	Hlcgeo32.exe
File opened for modification	C:\Windows\SysWOW64\Hacmcfge.exe	Hjhhocjj.exe
File created	C:\Windows\SysWOW64\Lkojpojq.dll	Eqonkmdh.exe
File created	C:\Windows\SysWOW64\Lanfmb32.dll	Enihne32.exe
File created	C:\Windows\SysWOW64\Ocjcidbb.dll	Fmlapp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2952	3020	WerFault.exe	52

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fmlapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gphmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ccdlbf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Coklgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfgmhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Efncicpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fnpnndgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Efncicpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmloladn.dll"	Eiomkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fmlapp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooghhh32.dll"	Gegfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmjdk32.dll"	Gkkemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hlcgeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlbodgap.dll"	Coklgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfeoofge.dll"	Dfgmhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Glfhll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gphmeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hlcgeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	ed40940f2460f7bb98240c57ad17832017e1ab123db1e436b097232af036ed1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iecimppi.dll"	Efncicpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eiomkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fnpnndgp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fcmgfkeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ccdlbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Coklgg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Enihne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojhcelga.dll"	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Idceea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	ed40940f2460f7bb98240c57ad17832017e1ab123db1e436b097232af036ed1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcbndm32.dll"	Cdlnkmha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcaipkch.dll"	Gdamqndn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gkkemh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jondlhmp.dll"	Glfhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpdae32.dll"	Gphmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenhecef.dll"	Hlcgeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	ed40940f2460f7bb98240c57ad17832017e1ab123db1e436b097232af036ed1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeeonk32.dll"	ed40940f2460f7bb98240c57ad17832017e1ab123db1e436b097232af036ed1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lanfmb32.dll"	Enihne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Enihne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eiomkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alogkm32.dll"	Hjhhocjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hacmcfge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfedefbi.dll"	Ddcdkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdlnkmha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anapbp32.dll"	Dgmglh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eqonkmdh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjnifgah.dll"	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Glfhll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Idceea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	ed40940f2460f7bb98240c57ad17832017e1ab123db1e436b097232af036ed1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	ed40940f2460f7bb98240c57ad17832017e1ab123db1e436b097232af036ed1a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kddjlc32.dll"	Ccdlbf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Facklcaq.dll"	Fnpnndgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gegfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gdamqndn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqiqnfej.dll"	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdlnkmha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgmglh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddcdkl32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2596	2420	ed40940f2460f7bb98240c57ad17832017e1ab123db1e436b097232af036ed1a.exe	28
PID 2420 wrote to memory of 2596	2420	ed40940f2460f7bb98240c57ad17832017e1ab123db1e436b097232af036ed1a.exe	28
PID 2420 wrote to memory of 2596	2420	ed40940f2460f7bb98240c57ad17832017e1ab123db1e436b097232af036ed1a.exe	28
PID 2420 wrote to memory of 2596	2420	ed40940f2460f7bb98240c57ad17832017e1ab123db1e436b097232af036ed1a.exe	28
PID 2596 wrote to memory of 2128	2596	Ccdlbf32.exe	29
PID 2596 wrote to memory of 2128	2596	Ccdlbf32.exe	29
PID 2596 wrote to memory of 2128	2596	Ccdlbf32.exe	29
PID 2596 wrote to memory of 2128	2596	Ccdlbf32.exe	29
PID 2128 wrote to memory of 2720	2128	Coklgg32.exe	30
PID 2128 wrote to memory of 2720	2128	Coklgg32.exe	30
PID 2128 wrote to memory of 2720	2128	Coklgg32.exe	30
PID 2128 wrote to memory of 2720	2128	Coklgg32.exe	30
PID 2720 wrote to memory of 3068	2720	Cdlnkmha.exe	31
PID 2720 wrote to memory of 3068	2720	Cdlnkmha.exe	31
PID 2720 wrote to memory of 3068	2720	Cdlnkmha.exe	31
PID 2720 wrote to memory of 3068	2720	Cdlnkmha.exe	31
PID 3068 wrote to memory of 2232	3068	Dgmglh32.exe	32
PID 3068 wrote to memory of 2232	3068	Dgmglh32.exe	32
PID 3068 wrote to memory of 2232	3068	Dgmglh32.exe	32
PID 3068 wrote to memory of 2232	3068	Dgmglh32.exe	32
PID 2232 wrote to memory of 2536	2232	Ddcdkl32.exe	33
PID 2232 wrote to memory of 2536	2232	Ddcdkl32.exe	33
PID 2232 wrote to memory of 2536	2232	Ddcdkl32.exe	33
PID 2232 wrote to memory of 2536	2232	Ddcdkl32.exe	33
PID 2536 wrote to memory of 2336	2536	Dfgmhd32.exe	34
PID 2536 wrote to memory of 2336	2536	Dfgmhd32.exe	34
PID 2536 wrote to memory of 2336	2536	Dfgmhd32.exe	34
PID 2536 wrote to memory of 2336	2536	Dfgmhd32.exe	34
PID 2336 wrote to memory of 2840	2336	Eqonkmdh.exe	35
PID 2336 wrote to memory of 2840	2336	Eqonkmdh.exe	35
PID 2336 wrote to memory of 2840	2336	Eqonkmdh.exe	35
PID 2336 wrote to memory of 2840	2336	Eqonkmdh.exe	35
PID 2840 wrote to memory of 756	2840	Efncicpm.exe	36
PID 2840 wrote to memory of 756	2840	Efncicpm.exe	36
PID 2840 wrote to memory of 756	2840	Efncicpm.exe	36
PID 2840 wrote to memory of 756	2840	Efncicpm.exe	36
PID 756 wrote to memory of 1996	756	Enihne32.exe	37
PID 756 wrote to memory of 1996	756	Enihne32.exe	37
PID 756 wrote to memory of 1996	756	Enihne32.exe	37
PID 756 wrote to memory of 1996	756	Enihne32.exe	37
PID 1996 wrote to memory of 284	1996	Eiomkn32.exe	38
PID 1996 wrote to memory of 284	1996	Eiomkn32.exe	38
PID 1996 wrote to memory of 284	1996	Eiomkn32.exe	38
PID 1996 wrote to memory of 284	1996	Eiomkn32.exe	38
PID 284 wrote to memory of 2104	284	Fnpnndgp.exe	39
PID 284 wrote to memory of 2104	284	Fnpnndgp.exe	39
PID 284 wrote to memory of 2104	284	Fnpnndgp.exe	39
PID 284 wrote to memory of 2104	284	Fnpnndgp.exe	39
PID 2104 wrote to memory of 2036	2104	Fcmgfkeg.exe	40
PID 2104 wrote to memory of 2036	2104	Fcmgfkeg.exe	40
PID 2104 wrote to memory of 2036	2104	Fcmgfkeg.exe	40
PID 2104 wrote to memory of 2036	2104	Fcmgfkeg.exe	40
PID 2036 wrote to memory of 2292	2036	Fmlapp32.exe	41
PID 2036 wrote to memory of 2292	2036	Fmlapp32.exe	41
PID 2036 wrote to memory of 2292	2036	Fmlapp32.exe	41
PID 2036 wrote to memory of 2292	2036	Fmlapp32.exe	41
PID 2292 wrote to memory of 2268	2292	Gegfdb32.exe	42
PID 2292 wrote to memory of 2268	2292	Gegfdb32.exe	42
PID 2292 wrote to memory of 2268	2292	Gegfdb32.exe	42
PID 2292 wrote to memory of 2268	2292	Gegfdb32.exe	42
PID 2268 wrote to memory of 1468	2268	Glfhll32.exe	43
PID 2268 wrote to memory of 1468	2268	Glfhll32.exe	43
PID 2268 wrote to memory of 1468	2268	Glfhll32.exe	43
PID 2268 wrote to memory of 1468	2268	Glfhll32.exe	43

C:\Users\Admin\AppData\Local\Temp\ed40940f2460f7bb98240c57ad17832017e1ab123db1e436b097232af036ed1a.exe
"C:\Users\Admin\AppData\Local\Temp\ed40940f2460f7bb98240c57ad17832017e1ab123db1e436b097232af036ed1a.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\SysWOW64\Ccdlbf32.exe
  C:\Windows\system32\Ccdlbf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\SysWOW64\Coklgg32.exe
    C:\Windows\system32\Coklgg32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2128
  - - C:\Windows\SysWOW64\Cdlnkmha.exe
      C:\Windows\system32\Cdlnkmha.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Windows\SysWOW64\Dgmglh32.exe
        
        C:\Windows\system32\Dgmglh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3068
      - C:\Windows\SysWOW64\Ddcdkl32.exe
        
        C:\Windows\system32\Ddcdkl32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Dfgmhd32.exe
        
        C:\Windows\system32\Dfgmhd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Eqonkmdh.exe
        
        C:\Windows\system32\Eqonkmdh.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\Efncicpm.exe
        
        C:\Windows\system32\Efncicpm.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\Enihne32.exe
        
        C:\Windows\system32\Enihne32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\SysWOW64\Eiomkn32.exe
        
        C:\Windows\system32\Eiomkn32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Fnpnndgp.exe
        
        C:\Windows\system32\Fnpnndgp.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:284
        
        C:\Windows\SysWOW64\Fcmgfkeg.exe
        
        C:\Windows\system32\Fcmgfkeg.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\SysWOW64\Fmlapp32.exe
        
        C:\Windows\system32\Fmlapp32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Gegfdb32.exe
        
        C:\Windows\system32\Gegfdb32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\Glfhll32.exe
        
        C:\Windows\system32\Glfhll32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\Gdamqndn.exe
        
        C:\Windows\system32\Gdamqndn.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Gkkemh32.exe
        
        C:\Windows\system32\Gkkemh32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Gphmeo32.exe
        
        C:\Windows\system32\Gphmeo32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:732
        
        C:\Windows\SysWOW64\Hggomh32.exe
        
        C:\Windows\system32\Hggomh32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1292
        
        C:\Windows\SysWOW64\Hlcgeo32.exe
        
        C:\Windows\system32\Hlcgeo32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2020
        
        C:\Windows\SysWOW64\Hjhhocjj.exe
        
        C:\Windows\system32\Hjhhocjj.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Hacmcfge.exe
        
        C:\Windows\system32\Hacmcfge.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:684
        
        C:\Windows\SysWOW64\Hogmmjfo.exe
        
        C:\Windows\system32\Hogmmjfo.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:872
        
        C:\Windows\SysWOW64\Idceea32.exe
        
        C:\Windows\system32\Idceea32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:828
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        26⤵
        Executes dropped EXE
        
        PID:3020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 140
        27⤵
        Loads dropped DLL
        Program crash
        
        PID:2952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Anapbp32.dll

Filesize
7KB

MD5
40c039c4572ab400650c3d44c64a9759

SHA1
00753469f10071cbf3233a4aac72b14480a12006

SHA256
eeadf5e79fd0cedd446e37c40231fed36d445d99fb8e952a4c7b9a4ec3267a95

SHA512
fa86a885ddf3f54d18051fe4b450efcd8803ff8c7fe2e81a3768182102b6d1cf98ec7a4c939646f594fd3eddc620cb4bbd65fe6d66491646ce1b81df301a7e8d

Download Submit
C:\Windows\SysWOW64\Coklgg32.exe

Filesize
582KB

MD5
a756fa1562f35a1344dc96805e9936f0

SHA1
1140158bb385a909fb812b8fae7652b53bd5505b

SHA256
8d91f84f5a6d6ab4cefb9828cb456ebf9ffdf7a121e17096d51d7189f1cd679f

SHA512
4cf35520244d7997724f454b3752469c47ee25fb38ddcd9573f40577b662bb089feec0498418b92ed8e5f719852201974063a0fd9fa857df97dd27879e4f7a26

Download Submit
C:\Windows\SysWOW64\Efncicpm.exe

Filesize
582KB

MD5
2db1a999b1e18aba1dd9729bd7c01e80

SHA1
943bed0dcc84639144577e972eda0c4b1e175b6f

SHA256
d942a4ded694c6781aed53f04c09c2d31ada58e53cf75cbf04e7dee2024bd288

SHA512
201e5e4f47ebc1f6547aea88450fd8320ba1afcde4bea5590a3e7bf61b87911a406d979dceab029a746eae65e090d30176bc39f3344569e4b8cb6e1f40ad029c

Download Submit
C:\Windows\SysWOW64\Eiomkn32.exe

Filesize
582KB

MD5
1077c34cec0504ad116bb1f4c03bea0b

SHA1
3ba42e4894df61fe8c1599961994ba41a99c0d86

SHA256
0c25d85a525a7a92ec1030e140d407a55b26ee684b2e4ab49b000f517687c4d2

SHA512
dc39bbdcb65b1e6e3b5b630a0c71e3075ef419787a15ab57286aa13c474a845bc07f54d4cec3764bad985130ef997c4e5a2ba0c5d495a7194701df27baad4840

Download Submit
C:\Windows\SysWOW64\Fcmgfkeg.exe

Filesize
582KB

MD5
ad435d8f03e5023fdfc815943e3247bc

SHA1
5cb9ab81ffb169a6c7c68e5719edb82a5d201520

SHA256
87e789b49f0c0f2fa63105b8223a5dfaf38f6cbc1ded1af5f2a7eb603ec08873

SHA512
34cc943003d86b7dae99d243d8eb551447a6451d402a2e76f8f61db9820fdfd2f892de60a646f5cb208e83aa2ef11195664ff6037ce6bc0a89daaef729f9cb50

Download Submit
C:\Windows\SysWOW64\Fnpnndgp.exe

Filesize
582KB

MD5
77652f9152aa7518d2693a0fbd517502

SHA1
35051dd822c1f183444faa1b59840a1e266ebf82

SHA256
841cc4abc2b6f2f2001fa9607969a4829a08d8dc327bea6d50292e7272eecabf

SHA512
a35d3b121ed03e7299ede357a1bd00af2fb2667672936541594bd3a09de64851a606d607c1e33d5c43cbbbc5d90ed06024c93704216015c67949ae58cb896443

Download Submit
C:\Windows\SysWOW64\Gdamqndn.exe

Filesize
582KB

MD5
39bf1d9718a5e4d66793ed8ec9c405b9

SHA1
b53fc3ebe23d04c8bccb5b8cd2e2a6a382750364

SHA256
a584515146b98db6a1899abdb1cab0498a45e4a57f0fcdf5bd0634520696d560

SHA512
3e1cc327c01cc22ff743bb4d7335f8d4819cf352791a4977ff089280aa2e2ca51e6fae2314108102732e398faed7dc8f49063e345f6bba22c482c4da4f8de26e

Download Submit
C:\Windows\SysWOW64\Gegfdb32.exe

Filesize
582KB

MD5
74e642dcd161958bec4d11ac5da6c73c

SHA1
e74297f97c1a84d43125ecd998c6e1eea6d17b3b

SHA256
7429d0eb9301ccde2e29c54b61acd50d2747e45f6cd0f4e5e4e750359adb2444

SHA512
ddb509b64109ea979fc5ba6d0fb2ba8e776d9f92e88dbae098546dec207326f83b1d794c086916383c638354e97e8bb98202bcdd7f26474d9f2a4960a56bdd2d

Download Submit
C:\Windows\SysWOW64\Gkkemh32.exe

Filesize
582KB

MD5
1d1ec2d750985710099da00e5f31b241

SHA1
34468d5caf4c51eda78afa3cbdcd1ac6db94ef80

SHA256
ff5a0304d1cadee1f3bb0c0a96c443a91130621d72f18d20ee7b0342cf5561d8

SHA512
5eea54a3b8ab36dab796a8a1802f07084ed5ad424bae9e60a27e053290bd3b58dfbe185461b4a83aac9be4fabcdbc91bd614868cbcddfe200d8c88bc54873f8b

Download Submit
C:\Windows\SysWOW64\Gphmeo32.exe

Filesize
582KB

MD5
c30f5e40b4d8c14361ff4c02a775fad4

SHA1
d235f326500fbdbb265a7f348ef611c2958ece62

SHA256
79bbeeef7b6e24bd200e2df44a74002a517ebfadcd7bfaa7a62e137264fc2ecc

SHA512
c3adae96d2889b11c822afc5934b4a47b3d8ab6c74ab1be58d1660a1b39d290455952c2d9f4b9efdb29788a25d8868dc11b67d0cbbd930c38f1676c5e121a1b7

Download Submit
C:\Windows\SysWOW64\Hacmcfge.exe

Filesize
582KB

MD5
f64b0962a1f97608e4db7748021c47d8

SHA1
50fb402fa4c16bd197a488c759e34523aa91cc9a

SHA256
3955df6656341c6d6cf3c0df361f927ad83ec167c7ee60f07d5ae7322da53945

SHA512
336caeb261f60755322e71a30b6f6fd3f0783590a72c2e328e317a4791f4c67c3e2910c802c829419b2bd1af002561c025e209a1ad3e5447ed79eb490f8ae554

Download Submit
C:\Windows\SysWOW64\Hggomh32.exe

Filesize
582KB

MD5
c7c08310e373518c9630f33f6611df42

SHA1
479c052a683d8dd051521ed47a4734d0f3f98edb

SHA256
7499d4a41d4283d9f4b565f0c9214ec5bde2b4d9d4a3d12a7094aa73e86eeaa3

SHA512
538291c939e825cada4d04ecaef359800d838db235ef2d38ff201d7ec20001b4931eb9f393d0fd8a544ea82acf5c5888434c5a6ce5cede371fb0f0a8acf01a4e

Download Submit
C:\Windows\SysWOW64\Hjhhocjj.exe

Filesize
582KB

MD5
d65e33d832c9e2b95005b4a09c92fbd0

SHA1
b9aa79226fda098c22c648d887b6ea57722d4ddc

SHA256
50a982644613ae6e2c15813048c36642d8273e1192ecdc276263c3b2b64050ad

SHA512
1cfe833cf1884d3db5548d17aa0c866d4da8f6ff238acd6069745920c8fbde991560165f3cff457a9bc1b3c77cfe32adad44ee2cb3fa5fb96287262afa0e457c

Download Submit
C:\Windows\SysWOW64\Hlcgeo32.exe

Filesize
582KB

MD5
ab7a3b5842842d4ee84ce086bf64576d

SHA1
9084e3a3ff7cfa35b6b558c190c9af419e85b55d

SHA256
7a8c84df00efe6c5fd08c8d0f620c40c5441627dc6d775821e79e7ab61a81c38

SHA512
1a556b45f5224579bf56022da1b5421572b3bd1c8f1f4c794d74f082eb86b5e5fbeede4ad5361cc22b7bb670856676f27c1db1ac09e4fb3829b615d2d7ec42ad

Download Submit
C:\Windows\SysWOW64\Hogmmjfo.exe

Filesize
582KB

MD5
2f2adb72c333207dd097a345cd4a3860

SHA1
b773f8695e760e73a48dbfb0441316d795897aed

SHA256
068d29df00f093d4d6dcd7858557cbfbe74bdfb4c49c7554379d67b4e901b4a0

SHA512
afa9ac3e8f1f0420a270888747b753140c019a32b06712daa47b7ef87bb797d10edc0cf5332a7541022cc126e40eb2e8ba466360f5c8f23cf34c79632ca9064b

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
582KB

MD5
addc0b5b1caa6fef8dc35deb531e9c6e

SHA1
1881985f5ff4cc3f535181fef7a8667f56d541b0

SHA256
c1df3f8acd1458f6be78a24f81f834b425a3c8875ac2d2cdf92dc750bd7b1e55

SHA512
f32204a79431720e8960603f1d568d5716a7df860e9399aa8706898e733adbeb392c0ec81e8db9c9af1598b60d7887134f8c46437823b186f64fd0cbfcf7609c

Download Submit
C:\Windows\SysWOW64\Idceea32.exe

Filesize
582KB

MD5
00d15eac85405781491e171eb678437c

SHA1
87839ba7bbc47dc13d9900608866cd805f278f35

SHA256
40c175da514ffbdaf8f7ddfc7420c9cc3af5869895a2851db1a7a0037894f28e

SHA512
9cee7dcf2641e2581df791f5a9cad919e3523f6f8559958a8f658020b1b0eed8974709d80c4ce688d2fe5022285eadd5fada746f4ff3c177a83ac2c0cbf1f92c

Download Submit
\Windows\SysWOW64\Ccdlbf32.exe

Filesize
582KB

MD5
6f3c766d032f29252f233c12e6ce5b4a

SHA1
812c8a8e3232bfa0ff6d3bc3c1d4f0a2073d5f0a

SHA256
06adb669f8b54482997397a9591d6b853d31d0e87f65b3c6a029797c11bc8b8e

SHA512
ea8618039647897a0a18e756d7770cc79c8a16a7d23a043b87bfe49dee073062b6af16798de112873dda9b6ad4f8774faca30d6e934984134f0f9897f7123d67

Download Submit
\Windows\SysWOW64\Cdlnkmha.exe

Filesize
582KB

MD5
c71e5561e400109c89df083763d1bb45

SHA1
4942870589d00b6081022feb2751feeaed874214

SHA256
fb0babc972af2f81c6481d3b2d5cc2ec4924eee46fb47e6db42de1cb941c9404

SHA512
15e3ae8a6f1a6bffe85f72b5fca7cfb02bf5bf5eab07125bfb26d5714f391d695f2a355a38e3f620b5b7abf2d51469493a85289333ea5c6723a00c3f7e902b1d

Download Submit
\Windows\SysWOW64\Ddcdkl32.exe

Filesize
582KB

MD5
75efbeb85fecdffd9aa4be63f78d01f8

SHA1
34a6eafbaa2e9b3428c5852de2591ee93cfb3fcf

SHA256
e3c9e3a7943bb28856602fee44f5ff005b926c226f817a209472754064a3c262

SHA512
758705a4a0119499115f698167949ac72ce48c22b0bf09a2d88714a3881cf232d3e83a4e1b4ded792ac826c2b4923015973dd3f0c39d9b165b5d8c4d2a2ef60f

Download Submit
\Windows\SysWOW64\Dfgmhd32.exe

Filesize
582KB

MD5
db326df5739918be6d37a162fbe69a5c

SHA1
dcc2b8080a1ce6a97dcb11f718df09ab0945c930

SHA256
c41009856ddcc891e14538460e77740ead8dfc22ade168d308fa5e033aed39b9

SHA512
f12f669b3dbcd29d321198b9966c822437645d8e710a8c202ad447274da01e88b2e198172d4e0a2c5eaa713c38e4f1ff9f16fecae48ddc14a1d59dd1020a2d4a

Download Submit
\Windows\SysWOW64\Dgmglh32.exe

Filesize
582KB

MD5
93136a83f47beaea42b5b3214a0bff43

SHA1
0b7306226b564a02082812823a4d9b1698ec2e50

SHA256
2a84c7eb34b79cadcc3d030b09fc181986ad865c5c6b1773d19432dccb9ad615

SHA512
4f8a020f6a095164faa623fa1e925602c683490b1fbd98802d63ab63e55c6321fd907357476ea3af9d13a19701685a4cb3bf2609e3706345bc1b435442d9fc56

Download Submit
\Windows\SysWOW64\Enihne32.exe

Filesize
582KB

MD5
1020cdae7fc467d2d704e87a3d2c15f2

SHA1
35eea7cac409388a4ca2ffcd9e1bca4a5bb2ca6d

SHA256
6c96f28917b56b27dc36ee8206052997aabe715208bb431d484ceeef54b8c657

SHA512
38e1da08ad57534b549dc8bb91b72cad7387808dd1505b62805a027a1cef50cfd774a551188c101a7dc9ac28eeba5fa6b6ae371c9193ddea39a6f9811a43c5bf

Download Submit
\Windows\SysWOW64\Eqonkmdh.exe

Filesize
582KB

MD5
8b12fa9ce8147e4576ab6c271056ac07

SHA1
2031c0b191f4bdd2a501f0846484820ae1ea54ab

SHA256
9835f9ba5b770648637a536466df33d252ef7aeade71edb53ea22f5104342a8f

SHA512
303e7b8d09eb701610a7f0778511026d39f0c847544b0a827d52a3365ca743fb547dc8aa19d3a7cae3007807af70a291a3b40a92132aa87424ac49f332b82ad1

Download Submit
\Windows\SysWOW64\Fmlapp32.exe

Filesize
582KB

MD5
90adb550ee03b83634d8dda3ffee1333

SHA1
c700f3a3400c1f643b0000ce61aea8d85ca925ca

SHA256
60bd399296b0bbe8763c2769334cdc385446161d7c409968040adea51dcc86fb

SHA512
5e133b3ebf193bbd955ed8b85bff943a7bef43a8981fdafa7beaec5c0e77d97c46579cd55e9836710a0cf12cffab0d20ffde59166679ba3ad1de445c4324764b

Download Submit
\Windows\SysWOW64\Glfhll32.exe

Filesize
582KB

MD5
0efe10dbffe10c2fb45fc823d553849a

SHA1
73242d7e3e3de419568596316cbe0f1027dc60d8

SHA256
70278ca25675ea199af554eea369674b39daaa0aa2d3c16b8444df2a4768dcb9

SHA512
2d4e2527b1fae440a7f7508f894f51b9f4f7ac28b3a94f859ce8df1c7e28e9a2b85a3bd645eb9586c86655b9864fe3a365f908be095af9247d6c8c0daada64b5

Download Submit
memory/284-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/284-163-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/284-164-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/284-156-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/684-296-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/684-283-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/684-289-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/684-339-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/732-253-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/732-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/732-244-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/756-136-0x0000000000310000-0x0000000000344000-memory.dmp

Filesize
208KB

Download
memory/756-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/828-315-0x00000000002A0000-0x00000000002D4000-memory.dmp

Filesize
208KB

Download
memory/828-314-0x00000000002A0000-0x00000000002D4000-memory.dmp

Filesize
208KB

Download
memory/828-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/828-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/872-303-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/872-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/872-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/872-304-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1292-254-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1292-263-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1292-336-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1468-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1468-230-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1468-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1628-282-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1628-338-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1628-273-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1996-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1996-154-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1996-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2020-337-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2020-264-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2036-185-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2036-193-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2088-237-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2088-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2088-243-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2104-174-0x0000000000260000-0x0000000000294000-memory.dmp

Filesize
208KB

Download
memory/2104-166-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2104-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2128-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2128-36-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2128-319-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2232-81-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2232-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2268-222-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/2268-209-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2268-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2292-331-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2292-194-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2292-208-0x00000000002A0000-0x00000000002D4000-memory.dmp

Filesize
208KB

Download
memory/2292-207-0x00000000002A0000-0x00000000002D4000-memory.dmp

Filesize
208KB

Download
memory/2336-324-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2336-108-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2420-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2420-6-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2420-317-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2536-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2536-82-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2536-89-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2596-26-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2596-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2596-25-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2720-53-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2720-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2840-325-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2840-127-0x00000000003A0000-0x00000000003D4000-memory.dmp

Filesize
208KB

Download
memory/2840-109-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3020-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3068-62-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/3068-55-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3068-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads