74697e0f936f9c9f108ca2c54010e4fce5e14be38695fd272942233f6f74f7a8

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
14/06/2024, 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74697e0f936f9c9f108ca2c54010e4fce5e14be38695fd272942233f6f74f7a8.exe
Size

790KB
MD5

4b0b4648c3a65e3d39c30bbb3dbb91b8
SHA1

62ee0888c543397da72fcda9c9b37ddd7c46bb40
SHA256

74697e0f936f9c9f108ca2c54010e4fce5e14be38695fd272942233f6f74f7a8
SHA512

ce412489d580d9c56a8652a4b4bdf3340972e27a173c5732409942233b5c2a6d657ac805083f7c91094afa5d742826649b8309cf71f684608a039f39e247c2ac
SSDEEP

12288:bCbJqdwNFB24lwR45FB24lJ87g7/VycgE81lgxaa79y:KHdPLPEoIlg17o

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfbhnaho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fehjeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ghmiam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hknach32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Doobajme.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecpgmhai.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbdqmghm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghfbqn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hhjhkq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cciemedf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnneja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doobajme.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fehjeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enihne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	74697e0f936f9c9f108ca2c54010e4fce5e14be38695fd272942233f6f74f7a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dcfdgiid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hdhbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fbdqmghm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hknach32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Henidd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndbcc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodonf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hejoiedd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cciemedf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ghfbqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fpdhklkl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	74697e0f936f9c9f108ca2c54010e4fce5e14be38695fd272942233f6f74f7a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dnneja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ecpgmhai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Enihne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Henidd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbhnaho.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcfdgiid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hellne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpdhklkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdhbam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dodonf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Gpknlk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Hlhaqogk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cndbcc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpknlk32.exe

Executes dropped EXE 27 IoCs

pid	Process
2220	Cfbhnaho.exe
2572	Cciemedf.exe
2616	Cndbcc32.exe
2652	Dodonf32.exe
1732	Dcfdgiid.exe
2188	Dnneja32.exe
2192	Doobajme.exe
1500	Ecpgmhai.exe
1756	Enihne32.exe
2376	Fehjeo32.exe
2432	Fpdhklkl.exe
2040	Fbdqmghm.exe
2412	Gpknlk32.exe
2232	Ghfbqn32.exe
592	Gacpdbej.exe
2648	Ghmiam32.exe
3044	Hknach32.exe
2840	Hdhbam32.exe
1244	Hejoiedd.exe
1560	Hnagjbdf.exe
764	Hellne32.exe
2296	Hhjhkq32.exe
1960	Henidd32.exe
2860	Hlhaqogk.exe
1444	Ihoafpmp.exe
2084	Ioijbj32.exe
1660	Iagfoe32.exe

Loads dropped DLL 58 IoCs

pid	Process
108	74697e0f936f9c9f108ca2c54010e4fce5e14be38695fd272942233f6f74f7a8.exe
108	74697e0f936f9c9f108ca2c54010e4fce5e14be38695fd272942233f6f74f7a8.exe
2220	Cfbhnaho.exe
2220	Cfbhnaho.exe
2572	Cciemedf.exe
2572	Cciemedf.exe
2616	Cndbcc32.exe
2616	Cndbcc32.exe
2652	Dodonf32.exe
2652	Dodonf32.exe
1732	Dcfdgiid.exe
1732	Dcfdgiid.exe
2188	Dnneja32.exe
2188	Dnneja32.exe
2192	Doobajme.exe
2192	Doobajme.exe
1500	Ecpgmhai.exe
1500	Ecpgmhai.exe
1756	Enihne32.exe
1756	Enihne32.exe
2376	Fehjeo32.exe
2376	Fehjeo32.exe
2432	Fpdhklkl.exe
2432	Fpdhklkl.exe
2040	Fbdqmghm.exe
2040	Fbdqmghm.exe
2412	Gpknlk32.exe
2412	Gpknlk32.exe
2232	Ghfbqn32.exe
2232	Ghfbqn32.exe
592	Gacpdbej.exe
592	Gacpdbej.exe
2648	Ghmiam32.exe
2648	Ghmiam32.exe
3044	Hknach32.exe
3044	Hknach32.exe
2840	Hdhbam32.exe
2840	Hdhbam32.exe
1244	Hejoiedd.exe
1244	Hejoiedd.exe
1560	Hnagjbdf.exe
1560	Hnagjbdf.exe
764	Hellne32.exe
764	Hellne32.exe
2296	Hhjhkq32.exe
2296	Hhjhkq32.exe
1960	Henidd32.exe
1960	Henidd32.exe
2860	Hlhaqogk.exe
2860	Hlhaqogk.exe
1444	Ihoafpmp.exe
1444	Ihoafpmp.exe
2084	Ioijbj32.exe
2084	Ioijbj32.exe
2916	WerFault.exe
2916	WerFault.exe
2916	WerFault.exe
2916	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hdhbam32.exe	Hknach32.exe
File created	C:\Windows\SysWOW64\Hellne32.exe	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Nejeco32.dll	Cfbhnaho.exe
File created	C:\Windows\SysWOW64\Cndbcc32.exe	Cciemedf.exe
File created	C:\Windows\SysWOW64\Dgnijonn.dll	Ihoafpmp.exe
File opened for modification	C:\Windows\SysWOW64\Cfbhnaho.exe	74697e0f936f9c9f108ca2c54010e4fce5e14be38695fd272942233f6f74f7a8.exe
File created	C:\Windows\SysWOW64\Dnneja32.exe	Dcfdgiid.exe
File opened for modification	C:\Windows\SysWOW64\Gpknlk32.exe	Fbdqmghm.exe
File created	C:\Windows\SysWOW64\Ghmiam32.exe	Gacpdbej.exe
File created	C:\Windows\SysWOW64\Hknach32.exe	Ghmiam32.exe
File opened for modification	C:\Windows\SysWOW64\Hellne32.exe	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Ihoafpmp.exe	Hlhaqogk.exe
File opened for modification	C:\Windows\SysWOW64\Ihoafpmp.exe	Hlhaqogk.exe
File created	C:\Windows\SysWOW64\Dodonf32.exe	Cndbcc32.exe
File created	C:\Windows\SysWOW64\Fpdhklkl.exe	Fehjeo32.exe
File created	C:\Windows\SysWOW64\Fkahhbbj.dll	Dodonf32.exe
File created	C:\Windows\SysWOW64\Ecpgmhai.exe	Doobajme.exe
File opened for modification	C:\Windows\SysWOW64\Hnagjbdf.exe	Hejoiedd.exe
File created	C:\Windows\SysWOW64\Enlbgc32.dll	Hejoiedd.exe
File created	C:\Windows\SysWOW64\Pljpdpao.dll	Hnagjbdf.exe
File opened for modification	C:\Windows\SysWOW64\Cciemedf.exe	Cfbhnaho.exe
File opened for modification	C:\Windows\SysWOW64\Dcfdgiid.exe	Dodonf32.exe
File created	C:\Windows\SysWOW64\Hnagjbdf.exe	Hejoiedd.exe
File opened for modification	C:\Windows\SysWOW64\Ghfbqn32.exe	Gpknlk32.exe
File created	C:\Windows\SysWOW64\Hepmggig.dll	Hdhbam32.exe
File created	C:\Windows\SysWOW64\Ghfbqn32.exe	Gpknlk32.exe
File created	C:\Windows\SysWOW64\Jpajnpao.dll	Ghmiam32.exe
File opened for modification	C:\Windows\SysWOW64\Hejoiedd.exe	Hdhbam32.exe
File opened for modification	C:\Windows\SysWOW64\Hhjhkq32.exe	Hellne32.exe
File created	C:\Windows\SysWOW64\Amammd32.dll	Hlhaqogk.exe
File created	C:\Windows\SysWOW64\Imhjppim.dll	74697e0f936f9c9f108ca2c54010e4fce5e14be38695fd272942233f6f74f7a8.exe
File opened for modification	C:\Windows\SysWOW64\Fbdqmghm.exe	Fpdhklkl.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ioijbj32.exe
File created	C:\Windows\SysWOW64\Memeaofm.dll	Cndbcc32.exe
File created	C:\Windows\SysWOW64\Bccnbmal.dll	Fehjeo32.exe
File created	C:\Windows\SysWOW64\Fehjeo32.exe	Enihne32.exe
File created	C:\Windows\SysWOW64\Hojopmqk.dll	Hellne32.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ioijbj32.exe
File created	C:\Windows\SysWOW64\Cillgpen.dll	Dnneja32.exe
File created	C:\Windows\SysWOW64\Enihne32.exe	Ecpgmhai.exe
File opened for modification	C:\Windows\SysWOW64\Fehjeo32.exe	Enihne32.exe
File opened for modification	C:\Windows\SysWOW64\Fpdhklkl.exe	Fehjeo32.exe
File created	C:\Windows\SysWOW64\Hnempl32.dll	Gacpdbej.exe
File opened for modification	C:\Windows\SysWOW64\Dnneja32.exe	Dcfdgiid.exe
File opened for modification	C:\Windows\SysWOW64\Doobajme.exe	Dnneja32.exe
File created	C:\Windows\SysWOW64\Elpbcapg.dll	Ghfbqn32.exe
File opened for modification	C:\Windows\SysWOW64\Hknach32.exe	Ghmiam32.exe
File created	C:\Windows\SysWOW64\Ndabhn32.dll	Hknach32.exe
File created	C:\Windows\SysWOW64\Hejoiedd.exe	Hdhbam32.exe
File created	C:\Windows\SysWOW64\Hlhaqogk.exe	Henidd32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ioijbj32.exe
File created	C:\Windows\SysWOW64\Hpenlb32.dll	Cciemedf.exe
File opened for modification	C:\Windows\SysWOW64\Enihne32.exe	Ecpgmhai.exe
File created	C:\Windows\SysWOW64\Doobajme.exe	Dnneja32.exe
File created	C:\Windows\SysWOW64\Dlgohm32.dll	Enihne32.exe
File created	C:\Windows\SysWOW64\Gacpdbej.exe	Ghfbqn32.exe
File opened for modification	C:\Windows\SysWOW64\Hdhbam32.exe	Hknach32.exe
File created	C:\Windows\SysWOW64\Cfbhnaho.exe	74697e0f936f9c9f108ca2c54010e4fce5e14be38695fd272942233f6f74f7a8.exe
File created	C:\Windows\SysWOW64\Cciemedf.exe	Cfbhnaho.exe
File opened for modification	C:\Windows\SysWOW64\Ecpgmhai.exe	Doobajme.exe
File opened for modification	C:\Windows\SysWOW64\Hlhaqogk.exe	Henidd32.exe
File opened for modification	C:\Windows\SysWOW64\Dodonf32.exe	Cndbcc32.exe
File created	C:\Windows\SysWOW64\Fbdqmghm.exe	Fpdhklkl.exe
File created	C:\Windows\SysWOW64\Hhjhkq32.exe	Hellne32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2916	1660	WerFault.exe	54

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cndbcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Doobajme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlgohm32.dll"	Enihne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fpdhklkl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ghfbqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amammd32.dll"	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpenlb32.dll"	Cciemedf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Henidd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpajnpao.dll"	Ghmiam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cciemedf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clphjpmh.dll"	Fpdhklkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfbhnaho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fpdhklkl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fbdqmghm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Gpknlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hdhbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hojopmqk.dll"	Hellne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hhjhkq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Henidd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dodonf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cillgpen.dll"	Dnneja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gpknlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hknach32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dcfdgiid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ecpgmhai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccnbmal.dll"	Fehjeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hdhbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dekpaqgc.dll"	Doobajme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imhjppim.dll"	74697e0f936f9c9f108ca2c54010e4fce5e14be38695fd272942233f6f74f7a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepmggig.dll"	Hdhbam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hhjhkq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nejeco32.dll"	Cfbhnaho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dnneja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Enihne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfoihbdp.dll"	Fbdqmghm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cciemedf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ecpgmhai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elpbcapg.dll"	Ghfbqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnijonn.dll"	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Memeaofm.dll"	Cndbcc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebagmn32.dll"	Dcfdgiid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iecimppi.dll"	Ecpgmhai.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Hellne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	74697e0f936f9c9f108ca2c54010e4fce5e14be38695fd272942233f6f74f7a8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Enihne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfbhnaho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fehjeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnempl32.dll"	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlbgc32.dll"	Hejoiedd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pljpdpao.dll"	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Hlhaqogk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkahhbbj.dll"	Dodonf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 108 wrote to memory of 2220	108	74697e0f936f9c9f108ca2c54010e4fce5e14be38695fd272942233f6f74f7a8.exe	28
PID 108 wrote to memory of 2220	108	74697e0f936f9c9f108ca2c54010e4fce5e14be38695fd272942233f6f74f7a8.exe	28
PID 108 wrote to memory of 2220	108	74697e0f936f9c9f108ca2c54010e4fce5e14be38695fd272942233f6f74f7a8.exe	28
PID 108 wrote to memory of 2220	108	74697e0f936f9c9f108ca2c54010e4fce5e14be38695fd272942233f6f74f7a8.exe	28
PID 2220 wrote to memory of 2572	2220	Cfbhnaho.exe	29
PID 2220 wrote to memory of 2572	2220	Cfbhnaho.exe	29
PID 2220 wrote to memory of 2572	2220	Cfbhnaho.exe	29
PID 2220 wrote to memory of 2572	2220	Cfbhnaho.exe	29
PID 2572 wrote to memory of 2616	2572	Cciemedf.exe	30
PID 2572 wrote to memory of 2616	2572	Cciemedf.exe	30
PID 2572 wrote to memory of 2616	2572	Cciemedf.exe	30
PID 2572 wrote to memory of 2616	2572	Cciemedf.exe	30
PID 2616 wrote to memory of 2652	2616	Cndbcc32.exe	31
PID 2616 wrote to memory of 2652	2616	Cndbcc32.exe	31
PID 2616 wrote to memory of 2652	2616	Cndbcc32.exe	31
PID 2616 wrote to memory of 2652	2616	Cndbcc32.exe	31
PID 2652 wrote to memory of 1732	2652	Dodonf32.exe	32
PID 2652 wrote to memory of 1732	2652	Dodonf32.exe	32
PID 2652 wrote to memory of 1732	2652	Dodonf32.exe	32
PID 2652 wrote to memory of 1732	2652	Dodonf32.exe	32
PID 1732 wrote to memory of 2188	1732	Dcfdgiid.exe	33
PID 1732 wrote to memory of 2188	1732	Dcfdgiid.exe	33
PID 1732 wrote to memory of 2188	1732	Dcfdgiid.exe	33
PID 1732 wrote to memory of 2188	1732	Dcfdgiid.exe	33
PID 2188 wrote to memory of 2192	2188	Dnneja32.exe	34
PID 2188 wrote to memory of 2192	2188	Dnneja32.exe	34
PID 2188 wrote to memory of 2192	2188	Dnneja32.exe	34
PID 2188 wrote to memory of 2192	2188	Dnneja32.exe	34
PID 2192 wrote to memory of 1500	2192	Doobajme.exe	35
PID 2192 wrote to memory of 1500	2192	Doobajme.exe	35
PID 2192 wrote to memory of 1500	2192	Doobajme.exe	35
PID 2192 wrote to memory of 1500	2192	Doobajme.exe	35
PID 1500 wrote to memory of 1756	1500	Ecpgmhai.exe	36
PID 1500 wrote to memory of 1756	1500	Ecpgmhai.exe	36
PID 1500 wrote to memory of 1756	1500	Ecpgmhai.exe	36
PID 1500 wrote to memory of 1756	1500	Ecpgmhai.exe	36
PID 1756 wrote to memory of 2376	1756	Enihne32.exe	37
PID 1756 wrote to memory of 2376	1756	Enihne32.exe	37
PID 1756 wrote to memory of 2376	1756	Enihne32.exe	37
PID 1756 wrote to memory of 2376	1756	Enihne32.exe	37
PID 2376 wrote to memory of 2432	2376	Fehjeo32.exe	38
PID 2376 wrote to memory of 2432	2376	Fehjeo32.exe	38
PID 2376 wrote to memory of 2432	2376	Fehjeo32.exe	38
PID 2376 wrote to memory of 2432	2376	Fehjeo32.exe	38
PID 2432 wrote to memory of 2040	2432	Fpdhklkl.exe	39
PID 2432 wrote to memory of 2040	2432	Fpdhklkl.exe	39
PID 2432 wrote to memory of 2040	2432	Fpdhklkl.exe	39
PID 2432 wrote to memory of 2040	2432	Fpdhklkl.exe	39
PID 2040 wrote to memory of 2412	2040	Fbdqmghm.exe	40
PID 2040 wrote to memory of 2412	2040	Fbdqmghm.exe	40
PID 2040 wrote to memory of 2412	2040	Fbdqmghm.exe	40
PID 2040 wrote to memory of 2412	2040	Fbdqmghm.exe	40
PID 2412 wrote to memory of 2232	2412	Gpknlk32.exe	41
PID 2412 wrote to memory of 2232	2412	Gpknlk32.exe	41
PID 2412 wrote to memory of 2232	2412	Gpknlk32.exe	41
PID 2412 wrote to memory of 2232	2412	Gpknlk32.exe	41
PID 2232 wrote to memory of 592	2232	Ghfbqn32.exe	42
PID 2232 wrote to memory of 592	2232	Ghfbqn32.exe	42
PID 2232 wrote to memory of 592	2232	Ghfbqn32.exe	42
PID 2232 wrote to memory of 592	2232	Ghfbqn32.exe	42
PID 592 wrote to memory of 2648	592	Gacpdbej.exe	43
PID 592 wrote to memory of 2648	592	Gacpdbej.exe	43
PID 592 wrote to memory of 2648	592	Gacpdbej.exe	43
PID 592 wrote to memory of 2648	592	Gacpdbej.exe	43

C:\Users\Admin\AppData\Local\Temp\74697e0f936f9c9f108ca2c54010e4fce5e14be38695fd272942233f6f74f7a8.exe
"C:\Users\Admin\AppData\Local\Temp\74697e0f936f9c9f108ca2c54010e4fce5e14be38695fd272942233f6f74f7a8.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:108
- C:\Windows\SysWOW64\Cfbhnaho.exe
  C:\Windows\system32\Cfbhnaho.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\SysWOW64\Cciemedf.exe
    C:\Windows\system32\Cciemedf.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\SysWOW64\Cndbcc32.exe
      C:\Windows\system32\Cndbcc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Windows\SysWOW64\Dodonf32.exe
        
        C:\Windows\system32\Dodonf32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2652
      - C:\Windows\SysWOW64\Dcfdgiid.exe
        
        C:\Windows\system32\Dcfdgiid.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\SysWOW64\Dnneja32.exe
        
        C:\Windows\system32\Dnneja32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\SysWOW64\Doobajme.exe
        
        C:\Windows\system32\Doobajme.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\Ecpgmhai.exe
        
        C:\Windows\system32\Ecpgmhai.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\SysWOW64\Enihne32.exe
        
        C:\Windows\system32\Enihne32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\SysWOW64\Fehjeo32.exe
        
        C:\Windows\system32\Fehjeo32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Fpdhklkl.exe
        
        C:\Windows\system32\Fpdhklkl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\Fbdqmghm.exe
        
        C:\Windows\system32\Fbdqmghm.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\SysWOW64\Gpknlk32.exe
        
        C:\Windows\system32\Gpknlk32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\SysWOW64\Ghfbqn32.exe
        
        C:\Windows\system32\Ghfbqn32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\Gacpdbej.exe
        
        C:\Windows\system32\Gacpdbej.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Windows\SysWOW64\Ghmiam32.exe
        
        C:\Windows\system32\Ghmiam32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Hknach32.exe
        
        C:\Windows\system32\Hknach32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:3044
        
        C:\Windows\SysWOW64\Hdhbam32.exe
        
        C:\Windows\system32\Hdhbam32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Hejoiedd.exe
        
        C:\Windows\system32\Hejoiedd.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1244
        
        C:\Windows\SysWOW64\Hnagjbdf.exe
        
        C:\Windows\system32\Hnagjbdf.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Hellne32.exe
        
        C:\Windows\system32\Hellne32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:764
        
        C:\Windows\SysWOW64\Hhjhkq32.exe
        
        C:\Windows\system32\Hhjhkq32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Henidd32.exe
        
        C:\Windows\system32\Henidd32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Hlhaqogk.exe
        
        C:\Windows\system32\Hlhaqogk.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Ihoafpmp.exe
        
        C:\Windows\system32\Ihoafpmp.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Ioijbj32.exe
        
        C:\Windows\system32\Ioijbj32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2084
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        28⤵
        Executes dropped EXE
        
        PID:1660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1660 -s 140
        29⤵
        Loads dropped DLL
        Program crash
        
        PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cciemedf.exe

Filesize
790KB

MD5
a17522ce637431d1fa6f7ba89dec0811

SHA1
fd29ce5ae9a847180ff9a3f8f8cf18f740f3c935

SHA256
225c6a6ed1548b6d8ee31ead2bdda5e60c764de3b4ec6b7aa0bcaefe63b7974d

SHA512
c82a9b4077a5f00a984044bf3c396e031cff97c050a8f3f016d62d82bffdf96ddfa0c9848b191fc61852e3a94fa7e49201c614ebd6c1e5dd3c8cd652cabfccce

Download Submit
C:\Windows\SysWOW64\Dnneja32.exe

Filesize
790KB

MD5
9511cc1c860f01365b9985ef35689bb0

SHA1
23928e1e91cea722b0919de92e363c6542644ca8

SHA256
46f877075ee271e54221aa30b2e18b0d771caff533303eb8825b140f58e975e9

SHA512
d019ccdc28527f82dce922ebf57978bdcce8f68a0deb84eb49a635c189ab5f2570a64594f1d8196e357c01b9e44ee1946c236cc2827607d67f76db12bb58768d

Download Submit
C:\Windows\SysWOW64\Ecpgmhai.exe

Filesize
790KB

MD5
fcddb090bbc3be4c32be0a563c6785da

SHA1
6161effdbc819395f88e44cedff57733eaa86737

SHA256
7bf04a42276d7eb7ab23eef22fd7f65585db39204abd350a8f9ce251373e9600

SHA512
49cd0d85134e768ba71610e0753626fc3a6bcddcebc3ab0519119736877ca5bf0501eebb6e4c913cc86ed0d8b9bbfbe8d3a1bab6c1977c74b939ae56c6d1e246

Download Submit
C:\Windows\SysWOW64\Fkahhbbj.dll

Filesize
7KB

MD5
426232cbf0ec9976ac438414f800cddc

SHA1
48dae88fd51a2819387d7dcd73495c43b5e91f19

SHA256
e159a3f560bf93417513063b895de481aab6e50d670226fc8647be1e3355f949

SHA512
6d92d46b4ed54a62956d4f1fc5003434c2535fe9190d07223e589118d2226ebf35027e6871a7fe320ac09c35297abbbf3204957e86dae2aa26b48f55af8d04ce

Download Submit
C:\Windows\SysWOW64\Ghfbqn32.exe

Filesize
790KB

MD5
359e64c894364539f7163f823028842c

SHA1
bdeaa46be92167d317e200c882453e5938cebc72

SHA256
2445b0e07ad6ff043979f89b811d5be1795a212e7a8a87ff000f5b7abaef7f19

SHA512
b98d3c4f77abeba655602b85c7ec18dd7ac7f44c648ff2e88bf9a33fe975a9b5e15525377c8e3208700676985e95c7f59b7c559c1e9f34b06df45878e52f1414

Download Submit
C:\Windows\SysWOW64\Hdhbam32.exe

Filesize
790KB

MD5
1196c0799ff4aeed06a8b06eda2e6020

SHA1
c4b27116629d8555dc2dffb320c53f72f464f6d2

SHA256
2afd629cfa0ebd39b910bf8443a96ea468a3631ace77d39cf55e8ab19cf5d0d4

SHA512
54deb028d1c54558fc49e11c89db683130af8c6f48820456134e35c3cfd950d525b3388f1ca56c94a8fb65401a9b5e092122e45190bbd9765ad2d671148cabfb

Download Submit
C:\Windows\SysWOW64\Hejoiedd.exe

Filesize
790KB

MD5
81f6188af7b0f3b80c8ddf61fd826c6c

SHA1
b232cd3999596c272903ecaad95595c4242e4763

SHA256
aea83918b80e03f119e046d6fc6e5914d5173fd5a0c1f2cd35a663d2e5d65ad1

SHA512
a7069fca1e088725ac122c8a147bdfb1a3acf602167351795f4cf885caa99109d4a7901c764961df4bfa9d3f983608cecd95a724ca383a04b9fea3602b5df971

Download Submit
C:\Windows\SysWOW64\Hellne32.exe

Filesize
790KB

MD5
c0895212d49a6331e508227a5d7ecd31

SHA1
c9143691a48c45d99f0808d61fbb887cee409c56

SHA256
c1650c12016c9965029648cf31d6ee167afbadd85f3bff2948d7270f4e99b09f

SHA512
2aed38138e7c9f2e30fd07fd9b5f5c7c234fee6f5ddfa9a39b3a9b44d183e5b6ba7cad586074a7bceb8a4ad51578e0da4be692d29c6c0f11716175494025d89e

Download Submit
C:\Windows\SysWOW64\Henidd32.exe

Filesize
790KB

MD5
0b25405771bf28b62a0975593e73c720

SHA1
2c75d283cfc9c3238560a8510065ee3ddf08cbee

SHA256
aee580b7823cb4466dffdc1288e791e7483da86a1c01345f400fdb9fcf54837a

SHA512
f89f651f5e650fc311f3f4563d3562fc21f98e4885060d1b3b32913f806a6838abbbea238cb6505ad32421e229f36b5047b854d476d970424d9da55815041897

Download Submit
C:\Windows\SysWOW64\Hhjhkq32.exe

Filesize
790KB

MD5
fe51568a3446c0b99e57bdbd4bfdb620

SHA1
fc5d6200d2a171a446dfa9234fef5173dc92ee55

SHA256
60e0d9c7dfa572f21130f2c185aba4a9c08fd211cf0df9db7348eccf502a49c1

SHA512
735200d92d72e07f72358900dfecef3af72358bcf27e352ddd7a2b088e8dd721fbe8fdcdfbe0683e70b1d93dfeb7f75ff3545db39961f892126b0106accfe354

Download Submit
C:\Windows\SysWOW64\Hknach32.exe

Filesize
790KB

MD5
b7c011614ce5c41b67a83190415fa4f3

SHA1
03e45a7ab7f3d3bf232ba917d7a1db79c7d0aad6

SHA256
52bb5d2415da177d705a919a764a0ae57dc4afc0dc6623d44d7e684f9e905bb5

SHA512
65f2e3ce35ecb3eb8312312a46c9e1adeb2b68f740ac161d5c2785d545831700ba0f4f3f2c4143cb96258da0616f9a7577ef9ffe6a143c5aa6ce0748473c2fb2

Download Submit
C:\Windows\SysWOW64\Hlhaqogk.exe

Filesize
790KB

MD5
0403bb78f5db80aed5d28f8a8176741a

SHA1
420ae17a0e6b009d53b66cb63aed23437387cced

SHA256
7a05fe9f68b5f08a221ed4d019916742997eddb7e1b94b877280e2ebae6d93a1

SHA512
b78af910298667851baa7c2b8a91064a36e217e53369b187a0c8b580cedac62b16dcd195a4bf430178784431f79ece3ede1cb6d63c4098403cff4ce53321691f

Download Submit
C:\Windows\SysWOW64\Hnagjbdf.exe

Filesize
790KB

MD5
704b7cb2812286e18edd95a0fe9a8fd3

SHA1
7f7fc4bae8d599463253c6f94a6a02f935a84b5c

SHA256
6d015277d768ab5492beb152770c057e6bcbe9601675ab9972e0ea67a5fafb5f

SHA512
d8081a8b05e2693042dcc1219118fd49537306016eb2f85ac79a0bd2e7e4791dcdd8602ef4c1e9c3aea189ffd2d3c0b72c4a8696d6e5858100287d9d22d347f0

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
790KB

MD5
71a5583dcb85015c6d27ee88680b2845

SHA1
5c085e6495efbccbb2228d68bc79606ea34a563a

SHA256
d501d117686328508d084c0e98546aa932b03b74b0038c3bb1006c5ba27e667c

SHA512
df3c0aa60de4a300120092120bb1ee6d9512781e1eb953a53f3278b6b323edd88879d6f3c6831ab21d0fba38c743bf848b551a2e187f85f6c1b38992e93e69a2

Download Submit
C:\Windows\SysWOW64\Ihoafpmp.exe

Filesize
790KB

MD5
5b5ae0005a082a419fa8ce35b247284a

SHA1
1142e0bce03c6afb4c5e4ee9707bfbb74ed28468

SHA256
233ed982792ab2040ae636b69647a22dfd533b4afaed4f35fac94e9b3f37a76d

SHA512
5fc1f5c380e61f8f8eec7d1a3ba8304d68af11dd4f781e39bd712005e77b1f998ad073823d837b75c76968ea190a29c54b2141ec85bb615871270c97a4237e7e

Download Submit
C:\Windows\SysWOW64\Ioijbj32.exe

Filesize
790KB

MD5
a1dae1525d9b9225ee6fdce5399b2f74

SHA1
694b6dd27ad1d3af3548b61bc2cba8d6c07e097e

SHA256
bb2c8e4047639b60040c80b7810eb309b2187ac258a177451dfde5b2e5ba1a87

SHA512
1e7577786d6fdbd6476514a9eb86196cde506aaab0e201916d089a98df75deb035d1627d76ed8267e2ac89b037dc1e225829dacb9ada20cacc69610ff1aa139b

Download Submit
\Windows\SysWOW64\Cfbhnaho.exe

Filesize
790KB

MD5
4e9d945f1b567b2c2c83cbc19cb50197

SHA1
8e76b272c242553476b468745e157483daec84cf

SHA256
36866c69819b3541e63c402e050172ca2b5f78efa50ab1028f1de52b916c2f00

SHA512
4aaa16a31660ecc377287926550662dee2585d514712fa6a60b043fe93adb9b11980dd852417222304708f4fd64c5b8d51f6c3ca977268c228da0618b667d2fe

Download Submit
\Windows\SysWOW64\Cndbcc32.exe

Filesize
790KB

MD5
4af5d8e68091e6be3d9e3b73c2ad036a

SHA1
988f491db28880c7feda5912d01fc19fcc6e2439

SHA256
fd92d78cb8858795e8853f0830262a910cad8073e809e2eaeb761272dd3d364b

SHA512
8674cbf4e4699e1d03f6b4ab0de150b2fa2b84b49f93a0b1048a8866dd17ec391998d0fe05b77e44d31beee50e5507a2da5053116a7a8f08f2a8cb9319682f97

Download Submit
\Windows\SysWOW64\Dcfdgiid.exe

Filesize
790KB

MD5
18f62119916420451c9ce9001bb5d57e

SHA1
b37cced5fb894f42b9934fa3b2681db9406649c9

SHA256
52f169deac33809e4b008f4994b2ef52673c0efab753071bc935d81a2fdf3022

SHA512
5569265ebfb9d7a03e697e576fd28769e63b4fca4c63d4b16cddf51c2a562f9e7f4493f1a88f9466a94c02b4f57d333dfe12dbd394ef1e8bc220b8bab2cf6492

Download Submit
\Windows\SysWOW64\Dodonf32.exe

Filesize
790KB

MD5
09b5a6c1c96cc1160f843cc6feea1268

SHA1
0bc7068195cf7eb765727f8d07c7ca570fee90fe

SHA256
663916fc8a8123b50bc894d76f755ee1f7d20cf21a4a122130c41f9dc88b0dae

SHA512
3d7f78f571b98ac98d0d3f1d13280fde9f0c5692b94f18a4daf5c153519e942b8521ffc833511f8db4e1fd9ebdeac5a299537fc155fc88a71f2f815cdfb44753

Download Submit
\Windows\SysWOW64\Doobajme.exe

Filesize
790KB

MD5
cceb3517e65358437e50b88fb5548cbd

SHA1
e373492aa1b86b639dec3e3acf8bd229c841356a

SHA256
9bf6d5acbd443928b763abe9d48b931a6c015471b0565d219d61ebc9de87048a

SHA512
78c6773ba74dc91037db287e009a86db1929177459a43cabbc45ee18e12ac1385f178cfb4362de7ecba04af6d20d7a105ea34378bab9715e60da5206ed4673ab

Download Submit
\Windows\SysWOW64\Enihne32.exe

Filesize
790KB

MD5
d9cf74c3dc2d8a98d4efd4a9928bcaba

SHA1
4e144e5fb35b15fa15f85b22bad29c96fd1e9d00

SHA256
a8472ba5da5ed9777f5eb99287f604e3a250a2b29ecd614488f3a82dd9a8588c

SHA512
c47a99c667a2531c8ac84500ff95f430d50454a767a3d9fa3acc77574b81d56af001fde2a7c933940ef78ea880379b1a890fbab9ab317d7d91dabd0dc756fc6f

Download Submit
\Windows\SysWOW64\Fbdqmghm.exe

Filesize
790KB

MD5
4ee141b6b2eb69f5626592b802d9a0c5

SHA1
60618eb2df5c3bcf451253a4738f9d37852a8862

SHA256
b8f40c1b4fa83aa34f26a702df7bfe6a98456774336645e7685e652a41af4de8

SHA512
862470081da5289e31d342cdb7ed17af78194e3668e3006195e186aab34005e1498091f97baaaed78c7c296eb414c9e0dd58735e010bf47dbc9c72c1ce656c22

Download Submit
\Windows\SysWOW64\Fehjeo32.exe

Filesize
790KB

MD5
ba8f24d95837afef0a7ccd7d5b3350c4

SHA1
055ac5247d84588466c14b45e7a9c27d00fd7f40

SHA256
f342f43acceaee936271bec9739efaca507f71b350c2ee14de120cf8071ae828

SHA512
2eaf6c7f8af98edb8ae2724b1fb8ddc610cf83579274be5be89914f4c30cb5be4ff4f10e4dec59d61510c7d4daf7b3380a8dd50f19228827f447000e3aa0abb6

Download Submit
\Windows\SysWOW64\Fpdhklkl.exe

Filesize
790KB

MD5
f299bc6d0e97e52d01c6e0b1b662bd86

SHA1
981dcd68b381607254ae9f400bfb69f9c43fd345

SHA256
6306dfce124b07879ed27c3c51ebf4244f9e35bbd9f10260cb16f342dbdb57a6

SHA512
ac97ac8ade7349e2302df74f7543af9d68248b94a776db2c3a6f75f70b609c3d4fdf06c0498aaa3c36159f26853d08831921916a3e567fc03f8b66fbed043c78

Download Submit
\Windows\SysWOW64\Gacpdbej.exe

Filesize
790KB

MD5
2c91bad18061a23f337cca8add681306

SHA1
bcea8d02ac020a2c2080635cdb44bcc73fafb10f

SHA256
2e98186ac77b5dbc9b68669e94000f66139c0dc39e7996abc3781e06bca28a2b

SHA512
6af528725a8993a14e94f54ff018d125d30b5751c83de94b5a157b49d9235100f5af07045f8b734aabdf510499d9512cd7e68bf394cae0eff94a1b99bbd54450

Download Submit
\Windows\SysWOW64\Ghmiam32.exe

Filesize
790KB

MD5
4fc7af87f6fbd9398de22cf73361e89d

SHA1
8f8aa5a7edbe893e81c990faa4e7f2add86b0447

SHA256
34a8a9af9ee4f76414e33888472eba3b1addd9fd6b0b53d39004d3ff86be20f6

SHA512
35b21bc7099bc2a135b0ead75d5ccc7356ceb5633d1365052b1e305dc5ddb2fc78c3b3bdf01320ab64e5d6a5bd678fccd9c1af3b42f5704f8c6ea15b3f10da11

Download Submit
\Windows\SysWOW64\Gpknlk32.exe

Filesize
790KB

MD5
d1aced5707bda5a6c7cd6f8fed5b10b1

SHA1
41108bbff1f176e09e37fb414c5ce8621fb4930e

SHA256
352cd50c3849ed49dd0abe8eb52a67338f5293b6361598da1e40b749e144dc9f

SHA512
1cd8daa0777349d7884485310a9e01540aefe0d77c0827f683868d76554d84539ba0a9b21af90c8a5431aae9b98d934ad382d265df5403436d7e079767643509

Download Submit
memory/108-6-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/108-13-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/108-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/108-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/592-210-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/592-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/764-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/764-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1244-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1244-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1444-319-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1444-323-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1444-324-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1500-123-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1500-111-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1500-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1560-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1560-269-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1560-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1660-362-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1732-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1732-84-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/1756-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1756-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1756-138-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1960-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-302-0x00000000004A0000-0x00000000004D3000-memory.dmp

Filesize
204KB

Download
memory/1960-301-0x00000000004A0000-0x00000000004D3000-memory.dmp

Filesize
204KB

Download
memory/2040-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2040-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2040-174-0x0000000001F90000-0x0000000001FC3000-memory.dmp

Filesize
204KB

Download
memory/2084-333-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2084-334-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2084-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2192-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2192-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-27-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2220-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2220-28-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2220-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2232-196-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-291-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2296-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-139-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2376-147-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2376-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-182-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2412-195-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2412-194-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/2432-165-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2432-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-164-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2572-36-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2572-337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2572-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2616-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2616-51-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/2648-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2648-233-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2648-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2648-232-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2652-69-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2652-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-70-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2652-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2840-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2840-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2840-250-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2860-318-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2860-309-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2860-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3044-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3044-243-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/3044-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads