da140f013acb3722310c7f24bca768b0855bab61aadf86924cf799a00e539797

Analysis

max time kernel
143s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
02/06/2024, 19:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

virussign.com_f118a0a63eb69d756d42825fe21f8230.exe
Size

512KB
MD5

f118a0a63eb69d756d42825fe21f8230
SHA1

7a98c40542772838af493b555a46025bbf92f31e
SHA256

da140f013acb3722310c7f24bca768b0855bab61aadf86924cf799a00e539797
SHA512

77821da092a923e5abe274dd6be5730a77e29452aff75e584d90752c81c73b2e94b6642b676598588bc5395f336f26d8886acc00e5aa22a2b5492e5bb91e78a0
SSDEEP

6144:91AzzKmrdQt383PQ///NR5fKr2n0MO3LPlkUCmVs5bPQ///NR5fjlt01PB93GxK:b+6r/Ng1/Nblt01PBExK

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Icbimi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgaqgh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhkpmjln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hnojdcfi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hiekid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmcfkme.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddcdkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Filldb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Goddhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fhkpmjln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Flmefm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iaeiieeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	virussign.com_f118a0a63eb69d756d42825fe21f8230.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eihfjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emhlfmgj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fckjalhj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnojdcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hgilchkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Elmigj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebinic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icbimi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmcfkme.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eihfjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gaqcoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hdhbam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaqcoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddcdkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgaqgh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Elmigj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flmefm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emhlfmgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hknach32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekholjqg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Filldb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hacmcfge.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbgmbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hknach32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgilchkf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fckjalhj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Goddhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	virussign.com_f118a0a63eb69d756d42825fe21f8230.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hiekid32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdhbam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekholjqg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebinic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbgmbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hmlnoc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hggomh32.exe

Executes dropped EXE 28 IoCs

pid	Process
1756	Dhmcfkme.exe
2156	Ddcdkl32.exe
2820	Dgaqgh32.exe
2932	Eihfjo32.exe
2652	Ekholjqg.exe
2564	Emhlfmgj.exe
3064	Elmigj32.exe
2904	Ebinic32.exe
2584	Fckjalhj.exe
1708	Fhkpmjln.exe
2248	Filldb32.exe
2700	Flmefm32.exe
1632	Fbgmbg32.exe
1912	Gaqcoc32.exe
2268	Goddhg32.exe
1360	Hknach32.exe
1856	Hmlnoc32.exe
2468	Hnojdcfi.exe
1792	Hdhbam32.exe
1332	Hggomh32.exe
948	Hiekid32.exe
1668	Hgilchkf.exe
852	Hhjhkq32.exe
2972	Hacmcfge.exe
832	Henidd32.exe
1508	Icbimi32.exe
2996	Iaeiieeb.exe
2064	Iagfoe32.exe

Loads dropped DLL 60 IoCs

pid	Process
2992	virussign.com_f118a0a63eb69d756d42825fe21f8230.exe
2992	virussign.com_f118a0a63eb69d756d42825fe21f8230.exe
1756	Dhmcfkme.exe
1756	Dhmcfkme.exe
2156	Ddcdkl32.exe
2156	Ddcdkl32.exe
2820	Dgaqgh32.exe
2820	Dgaqgh32.exe
2932	Eihfjo32.exe
2932	Eihfjo32.exe
2652	Ekholjqg.exe
2652	Ekholjqg.exe
2564	Emhlfmgj.exe
2564	Emhlfmgj.exe
3064	Elmigj32.exe
3064	Elmigj32.exe
2904	Ebinic32.exe
2904	Ebinic32.exe
2584	Fckjalhj.exe
2584	Fckjalhj.exe
1708	Fhkpmjln.exe
1708	Fhkpmjln.exe
2248	Filldb32.exe
2248	Filldb32.exe
2700	Flmefm32.exe
2700	Flmefm32.exe
1632	Fbgmbg32.exe
1632	Fbgmbg32.exe
1912	Gaqcoc32.exe
1912	Gaqcoc32.exe
2268	Goddhg32.exe
2268	Goddhg32.exe
1360	Hknach32.exe
1360	Hknach32.exe
1856	Hmlnoc32.exe
1856	Hmlnoc32.exe
2468	Hnojdcfi.exe
2468	Hnojdcfi.exe
1792	Hdhbam32.exe
1792	Hdhbam32.exe
1332	Hggomh32.exe
1332	Hggomh32.exe
948	Hiekid32.exe
948	Hiekid32.exe
1668	Hgilchkf.exe
1668	Hgilchkf.exe
852	Hhjhkq32.exe
852	Hhjhkq32.exe
2972	Hacmcfge.exe
2972	Hacmcfge.exe
832	Henidd32.exe
832	Henidd32.exe
1508	Icbimi32.exe
1508	Icbimi32.exe
2996	Iaeiieeb.exe
2996	Iaeiieeb.exe
2916	WerFault.exe
2916	WerFault.exe
2916	WerFault.exe
2916	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Polebcgg.dll	Hacmcfge.exe
File opened for modification	C:\Windows\SysWOW64\Icbimi32.exe	Henidd32.exe
File created	C:\Windows\SysWOW64\Iaeiieeb.exe	Icbimi32.exe
File created	C:\Windows\SysWOW64\Ddgkcd32.dll	virussign.com_f118a0a63eb69d756d42825fe21f8230.exe
File opened for modification	C:\Windows\SysWOW64\Ebinic32.exe	Elmigj32.exe
File created	C:\Windows\SysWOW64\Ikkbnm32.dll	Fckjalhj.exe
File created	C:\Windows\SysWOW64\Hojopmqk.dll	Hgilchkf.exe
File created	C:\Windows\SysWOW64\Hacmcfge.exe	Hhjhkq32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmcfkme.exe	virussign.com_f118a0a63eb69d756d42825fe21f8230.exe
File opened for modification	C:\Windows\SysWOW64\Ekholjqg.exe	Eihfjo32.exe
File created	C:\Windows\SysWOW64\Goddhg32.exe	Gaqcoc32.exe
File opened for modification	C:\Windows\SysWOW64\Hgilchkf.exe	Hiekid32.exe
File opened for modification	C:\Windows\SysWOW64\Hknach32.exe	Goddhg32.exe
File created	C:\Windows\SysWOW64\Hnojdcfi.exe	Hmlnoc32.exe
File created	C:\Windows\SysWOW64\Hggomh32.exe	Hdhbam32.exe
File opened for modification	C:\Windows\SysWOW64\Hiekid32.exe	Hggomh32.exe
File opened for modification	C:\Windows\SysWOW64\Ddcdkl32.exe	Dhmcfkme.exe
File opened for modification	C:\Windows\SysWOW64\Elmigj32.exe	Emhlfmgj.exe
File opened for modification	C:\Windows\SysWOW64\Fhkpmjln.exe	Fckjalhj.exe
File created	C:\Windows\SysWOW64\Jnmgmhmc.dll	Filldb32.exe
File created	C:\Windows\SysWOW64\Bhpdae32.dll	Hdhbam32.exe
File created	C:\Windows\SysWOW64\Hgilchkf.exe	Hiekid32.exe
File opened for modification	C:\Windows\SysWOW64\Hacmcfge.exe	Hhjhkq32.exe
File created	C:\Windows\SysWOW64\Dgaqgh32.exe	Ddcdkl32.exe
File opened for modification	C:\Windows\SysWOW64\Gaqcoc32.exe	Fbgmbg32.exe
File created	C:\Windows\SysWOW64\Qhbpij32.dll	Gaqcoc32.exe
File created	C:\Windows\SysWOW64\Odpegjpg.dll	Hmlnoc32.exe
File created	C:\Windows\SysWOW64\Emhlfmgj.exe	Ekholjqg.exe
File created	C:\Windows\SysWOW64\Fndldonj.dll	Fbgmbg32.exe
File created	C:\Windows\SysWOW64\Hknach32.exe	Goddhg32.exe
File opened for modification	C:\Windows\SysWOW64\Hggomh32.exe	Hdhbam32.exe
File created	C:\Windows\SysWOW64\Alogkm32.dll	Hhjhkq32.exe
File created	C:\Windows\SysWOW64\Icbimi32.exe	Henidd32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Iaeiieeb.exe
File created	C:\Windows\SysWOW64\Ddcdkl32.exe	Dhmcfkme.exe
File created	C:\Windows\SysWOW64\Ekholjqg.exe	Eihfjo32.exe
File created	C:\Windows\SysWOW64\Flmefm32.exe	Filldb32.exe
File opened for modification	C:\Windows\SysWOW64\Hnojdcfi.exe	Hmlnoc32.exe
File created	C:\Windows\SysWOW64\Gmibbifn.dll	Icbimi32.exe
File created	C:\Windows\SysWOW64\Elmigj32.exe	Emhlfmgj.exe
File created	C:\Windows\SysWOW64\Jpajnpao.dll	Goddhg32.exe
File created	C:\Windows\SysWOW64\Ndabhn32.dll	Hnojdcfi.exe
File opened for modification	C:\Windows\SysWOW64\Henidd32.exe	Hacmcfge.exe
File created	C:\Windows\SysWOW64\Hhjhkq32.exe	Hgilchkf.exe
File opened for modification	C:\Windows\SysWOW64\Eihfjo32.exe	Dgaqgh32.exe
File created	C:\Windows\SysWOW64\Fclomp32.dll	Dgaqgh32.exe
File opened for modification	C:\Windows\SysWOW64\Flmefm32.exe	Filldb32.exe
File created	C:\Windows\SysWOW64\Ncolgf32.dll	Hknach32.exe
File created	C:\Windows\SysWOW64\Ogjbla32.dll	Emhlfmgj.exe
File opened for modification	C:\Windows\SysWOW64\Fbgmbg32.exe	Flmefm32.exe
File created	C:\Windows\SysWOW64\Gknfklng.dll	Hggomh32.exe
File created	C:\Windows\SysWOW64\Ecmkgokh.dll	Henidd32.exe
File created	C:\Windows\SysWOW64\Anapbp32.dll	Dhmcfkme.exe
File created	C:\Windows\SysWOW64\Kgcampld.dll	Ekholjqg.exe
File created	C:\Windows\SysWOW64\Ebinic32.exe	Elmigj32.exe
File created	C:\Windows\SysWOW64\Fbgmbg32.exe	Flmefm32.exe
File created	C:\Windows\SysWOW64\Eihfjo32.exe	Dgaqgh32.exe
File created	C:\Windows\SysWOW64\Hmlnoc32.exe	Hknach32.exe
File opened for modification	C:\Windows\SysWOW64\Hdhbam32.exe	Hnojdcfi.exe
File created	C:\Windows\SysWOW64\Hiekid32.exe	Hggomh32.exe
File created	C:\Windows\SysWOW64\Fhkpmjln.exe	Fckjalhj.exe
File opened for modification	C:\Windows\SysWOW64\Filldb32.exe	Fhkpmjln.exe
File opened for modification	C:\Windows\SysWOW64\Hmlnoc32.exe	Hknach32.exe
File created	C:\Windows\SysWOW64\Henidd32.exe	Hacmcfge.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2916	2064	WerFault.exe	55

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hdhbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	virussign.com_f118a0a63eb69d756d42825fe21f8230.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcfdakpf.dll"	Eihfjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Filldb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojopmqk.dll"	Hgilchkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	virussign.com_f118a0a63eb69d756d42825fe21f8230.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebinic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fbgmbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbgmbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddcdkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgaqgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Goddhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Henidd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fclomp32.dll"	Dgaqgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fhkpmjln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gaqcoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hnojdcfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alogkm32.dll"	Hhjhkq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Icbimi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	virussign.com_f118a0a63eb69d756d42825fe21f8230.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Emhlfmgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fhkpmjln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Filldb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Elmigj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Flmefm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncolgf32.dll"	Hknach32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbniiffi.dll"	Hiekid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmcfkme.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgaqgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgcampld.dll"	Ekholjqg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Elmigj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hknach32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndabhn32.dll"	Hnojdcfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Henidd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iaeiieeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	virussign.com_f118a0a63eb69d756d42825fe21f8230.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anapbp32.dll"	Dhmcfkme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfekgp32.dll"	Flmefm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fndldonj.dll"	Fbgmbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hgilchkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fckjalhj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnmgmhmc.dll"	Filldb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gaqcoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpajnpao.dll"	Goddhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgmhlp32.dll"	Ddcdkl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebinic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Goddhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecmkgokh.dll"	Henidd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hiekid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hiekid32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hacmcfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polebcgg.dll"	Hacmcfge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddcdkl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Emhlfmgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhggeddb.dll"	Fhkpmjln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odpegjpg.dll"	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekholjqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogjbla32.dll"	Emhlfmgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hnojdcfi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 1756	2992	virussign.com_f118a0a63eb69d756d42825fe21f8230.exe	28
PID 2992 wrote to memory of 1756	2992	virussign.com_f118a0a63eb69d756d42825fe21f8230.exe	28
PID 2992 wrote to memory of 1756	2992	virussign.com_f118a0a63eb69d756d42825fe21f8230.exe	28
PID 2992 wrote to memory of 1756	2992	virussign.com_f118a0a63eb69d756d42825fe21f8230.exe	28
PID 1756 wrote to memory of 2156	1756	Dhmcfkme.exe	29
PID 1756 wrote to memory of 2156	1756	Dhmcfkme.exe	29
PID 1756 wrote to memory of 2156	1756	Dhmcfkme.exe	29
PID 1756 wrote to memory of 2156	1756	Dhmcfkme.exe	29
PID 2156 wrote to memory of 2820	2156	Ddcdkl32.exe	30
PID 2156 wrote to memory of 2820	2156	Ddcdkl32.exe	30
PID 2156 wrote to memory of 2820	2156	Ddcdkl32.exe	30
PID 2156 wrote to memory of 2820	2156	Ddcdkl32.exe	30
PID 2820 wrote to memory of 2932	2820	Dgaqgh32.exe	31
PID 2820 wrote to memory of 2932	2820	Dgaqgh32.exe	31
PID 2820 wrote to memory of 2932	2820	Dgaqgh32.exe	31
PID 2820 wrote to memory of 2932	2820	Dgaqgh32.exe	31
PID 2932 wrote to memory of 2652	2932	Eihfjo32.exe	32
PID 2932 wrote to memory of 2652	2932	Eihfjo32.exe	32
PID 2932 wrote to memory of 2652	2932	Eihfjo32.exe	32
PID 2932 wrote to memory of 2652	2932	Eihfjo32.exe	32
PID 2652 wrote to memory of 2564	2652	Ekholjqg.exe	33
PID 2652 wrote to memory of 2564	2652	Ekholjqg.exe	33
PID 2652 wrote to memory of 2564	2652	Ekholjqg.exe	33
PID 2652 wrote to memory of 2564	2652	Ekholjqg.exe	33
PID 2564 wrote to memory of 3064	2564	Emhlfmgj.exe	34
PID 2564 wrote to memory of 3064	2564	Emhlfmgj.exe	34
PID 2564 wrote to memory of 3064	2564	Emhlfmgj.exe	34
PID 2564 wrote to memory of 3064	2564	Emhlfmgj.exe	34
PID 3064 wrote to memory of 2904	3064	Elmigj32.exe	35
PID 3064 wrote to memory of 2904	3064	Elmigj32.exe	35
PID 3064 wrote to memory of 2904	3064	Elmigj32.exe	35
PID 3064 wrote to memory of 2904	3064	Elmigj32.exe	35
PID 2904 wrote to memory of 2584	2904	Ebinic32.exe	36
PID 2904 wrote to memory of 2584	2904	Ebinic32.exe	36
PID 2904 wrote to memory of 2584	2904	Ebinic32.exe	36
PID 2904 wrote to memory of 2584	2904	Ebinic32.exe	36
PID 2584 wrote to memory of 1708	2584	Fckjalhj.exe	37
PID 2584 wrote to memory of 1708	2584	Fckjalhj.exe	37
PID 2584 wrote to memory of 1708	2584	Fckjalhj.exe	37
PID 2584 wrote to memory of 1708	2584	Fckjalhj.exe	37
PID 1708 wrote to memory of 2248	1708	Fhkpmjln.exe	38
PID 1708 wrote to memory of 2248	1708	Fhkpmjln.exe	38
PID 1708 wrote to memory of 2248	1708	Fhkpmjln.exe	38
PID 1708 wrote to memory of 2248	1708	Fhkpmjln.exe	38
PID 2248 wrote to memory of 2700	2248	Filldb32.exe	39
PID 2248 wrote to memory of 2700	2248	Filldb32.exe	39
PID 2248 wrote to memory of 2700	2248	Filldb32.exe	39
PID 2248 wrote to memory of 2700	2248	Filldb32.exe	39
PID 2700 wrote to memory of 1632	2700	Flmefm32.exe	40
PID 2700 wrote to memory of 1632	2700	Flmefm32.exe	40
PID 2700 wrote to memory of 1632	2700	Flmefm32.exe	40
PID 2700 wrote to memory of 1632	2700	Flmefm32.exe	40
PID 1632 wrote to memory of 1912	1632	Fbgmbg32.exe	41
PID 1632 wrote to memory of 1912	1632	Fbgmbg32.exe	41
PID 1632 wrote to memory of 1912	1632	Fbgmbg32.exe	41
PID 1632 wrote to memory of 1912	1632	Fbgmbg32.exe	41
PID 1912 wrote to memory of 2268	1912	Gaqcoc32.exe	42
PID 1912 wrote to memory of 2268	1912	Gaqcoc32.exe	42
PID 1912 wrote to memory of 2268	1912	Gaqcoc32.exe	42
PID 1912 wrote to memory of 2268	1912	Gaqcoc32.exe	42
PID 2268 wrote to memory of 1360	2268	Goddhg32.exe	43
PID 2268 wrote to memory of 1360	2268	Goddhg32.exe	43
PID 2268 wrote to memory of 1360	2268	Goddhg32.exe	43
PID 2268 wrote to memory of 1360	2268	Goddhg32.exe	43

C:\Users\Admin\AppData\Local\Temp\virussign.com_f118a0a63eb69d756d42825fe21f8230.exe
"C:\Users\Admin\AppData\Local\Temp\virussign.com_f118a0a63eb69d756d42825fe21f8230.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\SysWOW64\Dhmcfkme.exe
  C:\Windows\system32\Dhmcfkme.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\SysWOW64\Ddcdkl32.exe
    C:\Windows\system32\Ddcdkl32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Windows\SysWOW64\Dgaqgh32.exe
      C:\Windows\system32\Dgaqgh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2820
    - - C:\Windows\SysWOW64\Eihfjo32.exe
        
        C:\Windows\system32\Eihfjo32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2932
      - C:\Windows\SysWOW64\Ekholjqg.exe
        
        C:\Windows\system32\Ekholjqg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Emhlfmgj.exe
        
        C:\Windows\system32\Emhlfmgj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\SysWOW64\Elmigj32.exe
        
        C:\Windows\system32\Elmigj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Ebinic32.exe
        
        C:\Windows\system32\Ebinic32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SysWOW64\Fckjalhj.exe
        
        C:\Windows\system32\Fckjalhj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\Fhkpmjln.exe
        
        C:\Windows\system32\Fhkpmjln.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Filldb32.exe
        
        C:\Windows\system32\Filldb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\SysWOW64\Flmefm32.exe
        
        C:\Windows\system32\Flmefm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\Fbgmbg32.exe
        
        C:\Windows\system32\Fbgmbg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\SysWOW64\Gaqcoc32.exe
        
        C:\Windows\system32\Gaqcoc32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Goddhg32.exe
        
        C:\Windows\system32\Goddhg32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\Hknach32.exe
        
        C:\Windows\system32\Hknach32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1360
        
        C:\Windows\SysWOW64\Hmlnoc32.exe
        
        C:\Windows\system32\Hmlnoc32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Hnojdcfi.exe
        
        C:\Windows\system32\Hnojdcfi.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Hdhbam32.exe
        
        C:\Windows\system32\Hdhbam32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\Hggomh32.exe
        
        C:\Windows\system32\Hggomh32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Hiekid32.exe
        
        C:\Windows\system32\Hiekid32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:948
        
        C:\Windows\SysWOW64\Hgilchkf.exe
        
        C:\Windows\system32\Hgilchkf.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Hhjhkq32.exe
        
        C:\Windows\system32\Hhjhkq32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:852
        
        C:\Windows\SysWOW64\Hacmcfge.exe
        
        C:\Windows\system32\Hacmcfge.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Henidd32.exe
        
        C:\Windows\system32\Henidd32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:832
        
        C:\Windows\SysWOW64\Icbimi32.exe
        
        C:\Windows\system32\Icbimi32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Iaeiieeb.exe
        
        C:\Windows\system32\Iaeiieeb.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2996
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        29⤵
        Executes dropped EXE
        
        PID:2064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2064 -s 140
        30⤵
        Loads dropped DLL
        Program crash
        
        PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ddcdkl32.exe

Filesize
512KB

MD5
36d35c04ca0f499738236a879ed5597c

SHA1
2b03ae1f791c367a6e92bee533ddd9c371b166f2

SHA256
28dcf87a26479c65725044e29fac5400afa0a8fb95c06ec1be2c25d6433ef1ac

SHA512
9b8836ad2c54183bcde96bfab968990e3e4b01661aca095753a71f1fad910446fe086cedb088294df6a2f155649395ecfa2ad6dd1aa4d45d2c9c731d20292e49

Download Submit
C:\Windows\SysWOW64\Dgaqgh32.exe

Filesize
512KB

MD5
790b5fa1bb528937a23704c8f995331f

SHA1
e43c8e032cb2454d1c2caafaf83dcaef0950e9e6

SHA256
c7db6c500139a0e29fd6f515b4fe90c42707bf93f80debd1e6da8c5721e18e3e

SHA512
7c0538afbf09225057e9c57e5e8044937d7f4b23a39058f9db72ac8337d8caa554fbc51ce0a181f7604658153bfaf0033d1d80d4376f1779d6cc6c748bc2218d

Download Submit
C:\Windows\SysWOW64\Eihfjo32.exe

Filesize
512KB

MD5
c50a17ea8e3ba299208cae54e9c34140

SHA1
c15e05bb97a018d261809ec3cc17120367f640fe

SHA256
0d75db3cf25d5ef50a6e99ff76a766b4689c5b8e70e39ee60ef92992f88eb4f3

SHA512
e67fb9382900a87003cb318e16dd15cea90ddf362db3eeef6e8947dc104431b38017b8e0b85fa572adde08851776758bdb7ccc950348a62f68d607d4ddac79be

Download Submit
C:\Windows\SysWOW64\Fckjalhj.exe

Filesize
512KB

MD5
97e8340fc20d85fd293f28391efab4db

SHA1
c52d8bb5e550a235de19781c7381ce30a8efb81e

SHA256
6451bf213288397c0a52dcad72ae0519c3622322cdd30ade871fde11defaecf9

SHA512
b4921c38b801dec771e4adff7d0bd4c6be56fe17d7924276229f638b491ecfb4b48077901f5b26d5b1029dbcbf346ad814f0c543301b86cf5bf6470f32f4dad5

Download Submit
C:\Windows\SysWOW64\Filldb32.exe

Filesize
512KB

MD5
1353c59f6b4d6988221f60f565ed1472

SHA1
dfea03dcdf6f72a7eba9a79e61a92885cc5ed80c

SHA256
a3af86861406ca7c7a86d603ab530957b690961a45eb542f8f2fccc623d3505b

SHA512
7a9c3489fed4235b5e5b36bb992449b09f2eb62a6e1e45d0add9d018a2f91ffe41277de1943739ea63c681f9ebd6406f56e60eed928e3897dc6109d20abd5413

Download Submit
C:\Windows\SysWOW64\Flmefm32.exe

Filesize
512KB

MD5
10120929b7272fb202a21db2daa9ab19

SHA1
a926f47b66fdf2581d7effcfe8eff6efa003bd3b

SHA256
93832ec4abb4c0fe595a115b58c80145fff025817d046e7bf7283dc7b18bce3f

SHA512
63806d0bf2e8363c8aafaf618f0c1d2ada374fcd7ac532c9b528bb324c3e3fa14598cd1b2ae7560a24ed9f9d40a220c6eeb842509e31499911022d6b70552471

Download Submit
C:\Windows\SysWOW64\Goddhg32.exe

Filesize
512KB

MD5
df3265ff3430066626261e969d2524ef

SHA1
62b546dacf2eee45200ef0cf21e8addd466c2b99

SHA256
5db62b4f9dd68c8eabefbd97605b9b6bac16dcad8fe66d0c3e3bfaae69e1785a

SHA512
2181145bf367ac029d7e282715ff0c999303a2fc355019fe36f96b9fa2dfb681fabbfb1fb666a249cbc8865a77ba18432b7c7b93c0d8c4614500321af365983a

Download Submit
C:\Windows\SysWOW64\Hacmcfge.exe

Filesize
512KB

MD5
29491686d7b2c3dca7a92e49ef6116c0

SHA1
2d708e4f6f1e997391bf0cfc5af0b9c9ca2bd6cb

SHA256
34679139eb0e62d948e44c21481c6fbb89459a1a5ab233881fa4a6c934d363c3

SHA512
7761a8ea258003f017ba6ce4b04cb1c3f4c905e5abbe18637386162f0bca0303838a3d19a17469501be1bc939d0d35ef81e1915f10391bbcc43d8fc4ef017f54

Download Submit
C:\Windows\SysWOW64\Hdhbam32.exe

Filesize
512KB

MD5
85c00bd80eb75891d95968c08819921e

SHA1
1513f656aac302422c7f0458159296ccfe51c469

SHA256
05afc8a302f7e0d5f5ce18a8adb842da864ed1718377737da7ba1cd8b3522c8f

SHA512
0a0d97a31d477bde8c63f1ba26bce4573b8476b2e9402b6fb2f741f136a9d238eca96f916dd05d287a6c0a7d5e576466086fef1cbbee3715baf2723397f69d9b

Download Submit
C:\Windows\SysWOW64\Henidd32.exe

Filesize
512KB

MD5
fc1c823fb3f04cdb2865cc6cbdd440dc

SHA1
6c46278054ccc8028ca7acfe2a305000248fbb21

SHA256
5221a1e78d5f904fc3759d3c56d5c1ae889ec16a0087ffdb28800b654993566a

SHA512
b41837c5e1b50ca36ab8ab5901c5f4756f33f5415105270aea3959ef47b531ec60b109ed2bc5a6273fe6dcdf05d8d2d1632dca86c35294b594e8f23c06016868

Download Submit
C:\Windows\SysWOW64\Hggomh32.exe

Filesize
512KB

MD5
99efe7762d2e7e144d7893f24d15dd2a

SHA1
e04627f97e427d2726207b258c4a7b1e8dc0172c

SHA256
8c25bb51acea19e1adb0428fb0999ad98cb26497317f119b8faa199a18a54f7e

SHA512
d578a67318f2b2fbabd5356379d4d3fb7c97886641047af4475749353392db426c70aa0f0078c99b353a7909f3a47f0db9cd908d7f916ce93e1ca972483e7c6f

Download Submit
C:\Windows\SysWOW64\Hgilchkf.exe

Filesize
512KB

MD5
592ed6bafca497868e6c5d24cfef68f8

SHA1
b6cd99af6a59db50152f5835e87fef52400fe3d8

SHA256
d11f8d63f0efc6f37540e520ab3612e4c325c4ebbd1331baf6aa296392308a5d

SHA512
d6a183e8641a500757e93f558fd808179c98692d9064354a41ac23af217bf8463feb4e221203814b6e2109297bf5560a318fc466d96b3c187b4ad2dc8bce64bd

Download Submit
C:\Windows\SysWOW64\Hhjhkq32.exe

Filesize
512KB

MD5
3f2ebc6764bb456c6825cad95718ccbe

SHA1
c6a0fbfdea3822d6befcd2af12de3876ea64014b

SHA256
43b0e3008769ca1655246719678b227c3c1340d36bd7de228432ac3c914f7965

SHA512
b804ccd37b1d50e538438f30783d5654330aa9a5a1987a4d59787954c31fec69d6eb0a83412cd04b8e0dda83688a2b894d5151a77bdb7331ede00cae3e674aa0

Download Submit
C:\Windows\SysWOW64\Hiekid32.exe

Filesize
512KB

MD5
c0f3a930fa77bdb8608ef310deb733c4

SHA1
68f558f402963ccb4590c26e1767afdfd66c9f28

SHA256
0b55e6a1a1bd2454b8fb1170185c07612fce955b989309e4ab55d6441ef06f1d

SHA512
cd753dd00abe4b520ac51338af8a8bf98dcc1cb06e6008fd97b5a55e83634e9e0633a83791004fc7443300b45a46eaea071a1be8edd494a16a5bd0992468650f

Download Submit
C:\Windows\SysWOW64\Hknach32.exe

Filesize
512KB

MD5
9f0a331e7c80f980dacc3ebc49147dc7

SHA1
7e79ec11617046f71031d0bc5bd6d33430f16098

SHA256
f25da64219483e0fc3ea55896e1747844bbfda276f6559a8f31462c2b1752ad9

SHA512
e2f702a1375f510a1994b1024dd068ddb46c5f0ab62e7649f47b610f7aca1db29fe846518ac1bf0b1d4399d3be20a9f849fd27e6d381d0733954744b4ca5bc20

Download Submit
C:\Windows\SysWOW64\Hmlnoc32.exe

Filesize
512KB

MD5
417417b536f5ccbcac328064ae7bb2d5

SHA1
aa1db121b1b9c098962f979d905be0d3f2434536

SHA256
6033d747ad09b8102835c2c11659f32e7a2ac78eb45de07d6304d41d06f9641f

SHA512
359c76276830b464979edb424c8cd23b8a7d42e9261cb11122df30f5571f494b047f461a8b44bd3d72e21ffc733b9dd65d7f60a942882a3ac023d161500acbc0

Download Submit
C:\Windows\SysWOW64\Hnojdcfi.exe

Filesize
512KB

MD5
b333387681702698e5e89df4e5090bde

SHA1
2b5e745f3cdd7148813d8da95b1a0740fa7f468a

SHA256
b5ee7eb492a2b645decc16b01cf22a29046a0b8c6e00dd0273910eeeb959f174

SHA512
58f97dd4fa8c706aaa56baefa937ba955844b6395cccca2f9e9476df1dfd2986968a6c9956afc9eda088fe0985d3314c0458473dbe3b48a55fff0f8414a4af1f

Download Submit
C:\Windows\SysWOW64\Iaeiieeb.exe

Filesize
512KB

MD5
841383871d093d010458734141041c31

SHA1
55430abee60fd59fff10ae019949bde6e9657198

SHA256
8e037ed11c0928b5d7b6e77d6b709e628fbf1f649d9aecb4c833f60c518e8b0b

SHA512
83f7e0b45ea9e26b74d24bae6193a5b44bcdbac3597432687e20933abfffa3742127ec4c0bdd293df7427faa9a5ece9020cf4e4dba24e43cc9ff9bec16494402

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
512KB

MD5
68adc81d2bfcdfdea33a045335fc99d6

SHA1
068d63da902af3b01788c71e4e8dcdd30a1a3ced

SHA256
99b0bcbab82691120f96bb996dc9f7ed0f657b0f15167d978ad1227f21610aa0

SHA512
b8ac013fa1c6bfb1593bb2d0366c6bae062ef40bf61b0c76d3ece00adcf77923f341aedc7ffc59a76d206626da69236a4815c75de51db0cbf5a4af118e755e4d

Download Submit
C:\Windows\SysWOW64\Icbimi32.exe

Filesize
512KB

MD5
aff4f82e2420b24f84b9cf4c1b8193d4

SHA1
4c1cb162f09cf25b56d95b28641e9ec3fb643620

SHA256
d5d7e43eb0b832d98f14385eecc9d32bd2f0a7c892b5615fb70d308ebbd0843b

SHA512
b1384524f1f5bc57f501c487b277bd8356ba2304255d8ebd269e17385b9a2f656eed50abdd936141cf0e62273df9dff86cb04c3789d6f89b5fc020ce8dd98266

Download Submit
\Windows\SysWOW64\Dhmcfkme.exe

Filesize
512KB

MD5
350939bc0159cc0c3f4a29d0af72b460

SHA1
fee7a325abaf8cec2660e2d702322114ae6357c1

SHA256
c96370341486b9ca798a0a58f33a3a1f3c2d79516197cc7efe083ce5f3c70aa1

SHA512
40b52a323844ca6fb1782882bd2313061c3f2b8e59b5d2061bc8b35c8caa0dfcedbcd01bff5d7d678058a72e922d795a1edfdf89de36f3f238bf3f0b0fb089ce

Download Submit
\Windows\SysWOW64\Ebinic32.exe

Filesize
512KB

MD5
849e1773c0d0e1e88a83629e00c66444

SHA1
676bae0404c13015c610609573427c308904e180

SHA256
626a05d40402d6e7c303d6db69350522c91e965a3ddcf451f57cd5a58150e6ee

SHA512
4fff9a484c4a0f90bf6a7a1550df0a20de2f99f103788d8c68034d67e2860ad85dce7a87ad600104a338c927845afe9a71fe070112610f8b7444a020332645ec

Download Submit
\Windows\SysWOW64\Ekholjqg.exe

Filesize
512KB

MD5
2d01e539b87baaa1c47078928e7819aa

SHA1
e3e48f0896c238e0df88abc8f868e64330d8caef

SHA256
4ff18ba9f8500e00ef0cfec0ab20f60c5433803a95147b5840bf4f8d817d6216

SHA512
085682de4aca0288ddfac88973f05c3695f90e24875403613600ef6f1ff526b9f9fee45d70e911e95a23a5b7c284ea079ceee47e08d14c9b868e218d9067ff21

Download Submit
\Windows\SysWOW64\Elmigj32.exe

Filesize
512KB

MD5
0f819faa6f803851386662edce065b3d

SHA1
57ac48d1c6d497bc727b4cdccd222b65373f7518

SHA256
0da59a068df72bddf51fb797549760f1953d1283eb752779a5a3064a07bb7ae6

SHA512
e1083f72e5cf45f2d48cb44176951607d5fa01fc3dcb9efe9015483e8ba75f1f2f5022bbcf77e8679328ab1ec9de16bdaf0e182670049f824ae3288c6269f8c7

Download Submit
\Windows\SysWOW64\Emhlfmgj.exe

Filesize
512KB

MD5
3c89bee183a72b5f56a03782d9b1af0a

SHA1
0c8ed2b629e83109e2dff494332aaedfcf90c2ff

SHA256
6315b24562bda4b894e82deae82759cad0a468c8cffd1c3839739dc13192824b

SHA512
0cf102e6bb3b14771af6bd01fdfa03daf4faa3cd51d48749cf37aeff17b599596f25f6b6bf28b5b4c36f2916cfb6e5f0f71e1641f0e62d8fd32737af0307c1b1

Download Submit
\Windows\SysWOW64\Fbgmbg32.exe

Filesize
512KB

MD5
fcc1b7eeeb40323cde8f82feed450f0f

SHA1
528f2958bb38e61293b209a71679c02f66568eca

SHA256
7fba8701fc201b745a004fc43a200d841601468603ab5fc399be27178fc400cc

SHA512
eaf5352dca98b58e2333d03268b4d0e13829e96cf05ac3be15a263ffcebe7582d7294e2ec66965130daf1766725d62d99b403eb449a2f1dedf49b6ec4862e05d

Download Submit
\Windows\SysWOW64\Fhkpmjln.exe

Filesize
512KB

MD5
1673a6e90aab21070ea6d276f99200be

SHA1
8ef3691be37c7ae3a29ea89a60c49d97d55686f3

SHA256
7e799f0f4478cc6301c2dc08d3dfcaa95639dbe82071be6f6eacbf208ddab998

SHA512
5732adb309cbe2a8cfab1f71582c3377c3420d702d7e7daada47074b2a8b568723ebeca68fc0ba9301b02c798129299af846033b778e5b9ccc9ba89673aa6423

Download Submit
\Windows\SysWOW64\Gaqcoc32.exe

Filesize
512KB

MD5
4afd9d9408b5bbf05ec8a6a8f7d5fca1

SHA1
264366f5939acf44719962b259c1e5f949b0323a

SHA256
cee32432f56e3b1dc81d48c674a8fcb5e621d93db63c797583bdcde5452c849a

SHA512
ee7dda8acf3cc675c4d39e9309d07c62f027723864f7b9ec8cbf0b700a03885a56e826b4abce27a277dafc7422b9fed8f23596584058cbba75f071f29a582a32

Download Submit
memory/832-321-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/832-320-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/832-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/832-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/852-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/852-368-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/852-299-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/948-366-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/948-270-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1332-265-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1332-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1360-361-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1360-229-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1508-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1508-331-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1508-325-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1508-332-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1632-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1632-192-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1632-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1668-289-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1668-283-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1668-288-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1708-355-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1708-147-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1708-156-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1756-25-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/1756-26-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/1756-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1792-252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1792-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1856-234-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1856-362-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1912-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1912-202-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2064-344-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2156-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2156-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2156-40-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2248-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2248-157-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2268-360-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2268-211-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2468-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2564-96-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2564-351-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2564-84-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2564-97-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2584-354-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2584-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2584-140-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2584-141-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2652-350-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2652-83-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2652-70-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2700-175-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2700-178-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2820-55-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2820-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-49-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2820-348-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2904-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2904-127-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/2932-349-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2932-68-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2972-369-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2972-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2972-310-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2972-309-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2992-345-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2992-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2992-6-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2996-343-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2996-372-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2996-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2996-339-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/3064-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3064-107-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/3064-118-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/3064-99-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads