e2cadb0766cf2fc20a527c917f4475388ef3fbd73b8e0c6d071b695afbb1dba3

Resubmissions

04-07-2024 17:22

240704-vxyavazeql 10

04-07-2024 17:19

240704-vv7rhazenr 10

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[DemonArchives]02fa60c2391dc09e9a0b748a9d89c6a8.exe
Size

3.2MB
MD5

02fa60c2391dc09e9a0b748a9d89c6a8
SHA1

fc1526f8934529b2fe696285c7316c154531f59c
SHA256

baf667a97bb14317f4410d6975849300190949707f7a4878aeb6fdb0a821e422
SHA512

ba058d15bea9be683a4f0baebca181e6271c4b056ff5aa84ed076e8689fef115c0c34f4b51cb5e3a33f8c0f92c277c77fe3e94bc625e1d4f24188c4089029fed
SSDEEP

98304:8LmuHlBFLPj3JStuv40ar7zrbDlsa2VIlPWYv1NTPKnllYUugy:kHlBFLPj3JStuv40ar7zrbDlsa2VIlPH

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hcifgjgc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	[DemonArchives]02fa60c2391dc09e9a0b748a9d89c6a8.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkgkbipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gaemjbcg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcifgjgc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gkgkbipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpmgqnfl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hggomh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjhhocjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hggomh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hicodd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hicodd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hogmmjfo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	[DemonArchives]02fa60c2391dc09e9a0b748a9d89c6a8.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hmlnoc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjhhocjj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhmepp32.exe

Executes dropped EXE 14 IoCs

pid	Process
1808	Gkgkbipp.exe
1180	Gaemjbcg.exe
2728	Hmlnoc32.exe
1944	Hcifgjgc.exe
2828	Hicodd32.exe
2536	Hpmgqnfl.exe
2184	Hggomh32.exe
2812	Hobcak32.exe
1424	Hjhhocjj.exe
1708	Hlfdkoin.exe
756	Hhmepp32.exe
3004	Hogmmjfo.exe
2228	Ioijbj32.exe
2448	Iagfoe32.exe

Loads dropped DLL 32 IoCs

pid	Process
3044	[DemonArchives]02fa60c2391dc09e9a0b748a9d89c6a8.exe
3044	[DemonArchives]02fa60c2391dc09e9a0b748a9d89c6a8.exe
1808	Gkgkbipp.exe
1808	Gkgkbipp.exe
1180	Gaemjbcg.exe
1180	Gaemjbcg.exe
2728	Hmlnoc32.exe
2728	Hmlnoc32.exe
1944	Hcifgjgc.exe
1944	Hcifgjgc.exe
2828	Hicodd32.exe
2828	Hicodd32.exe
2536	Hpmgqnfl.exe
2536	Hpmgqnfl.exe
2184	Hggomh32.exe
2184	Hggomh32.exe
2812	Hobcak32.exe
2812	Hobcak32.exe
1424	Hjhhocjj.exe
1424	Hjhhocjj.exe
1708	Hlfdkoin.exe
1708	Hlfdkoin.exe
756	Hhmepp32.exe
756	Hhmepp32.exe
3004	Hogmmjfo.exe
3004	Hogmmjfo.exe
2228	Ioijbj32.exe
2228	Ioijbj32.exe
2436	WerFault.exe
2436	WerFault.exe
2436	WerFault.exe
2436	WerFault.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Hlfdkoin.exe	Hjhhocjj.exe
File opened for modification	C:\Windows\SysWOW64\Hogmmjfo.exe	Hhmepp32.exe
File opened for modification	C:\Windows\SysWOW64\Ioijbj32.exe	Hogmmjfo.exe
File opened for modification	C:\Windows\SysWOW64\Gkgkbipp.exe	[DemonArchives]02fa60c2391dc09e9a0b748a9d89c6a8.exe
File opened for modification	C:\Windows\SysWOW64\Gaemjbcg.exe	Gkgkbipp.exe
File created	C:\Windows\SysWOW64\Hgpdcgoc.dll	Hicodd32.exe
File created	C:\Windows\SysWOW64\Nokeef32.dll	Hggomh32.exe
File opened for modification	C:\Windows\SysWOW64\Hjhhocjj.exe	Hobcak32.exe
File created	C:\Windows\SysWOW64\Dgnijonn.dll	Hogmmjfo.exe
File created	C:\Windows\SysWOW64\Hkkmeglp.dll	Hcifgjgc.exe
File created	C:\Windows\SysWOW64\Hobcak32.exe	Hggomh32.exe
File opened for modification	C:\Windows\SysWOW64\Hobcak32.exe	Hggomh32.exe
File created	C:\Windows\SysWOW64\Hlfdkoin.exe	Hjhhocjj.exe
File created	C:\Windows\SysWOW64\Oiogaqdb.dll	Hjhhocjj.exe
File opened for modification	C:\Windows\SysWOW64\Hmlnoc32.exe	Gaemjbcg.exe
File opened for modification	C:\Windows\SysWOW64\Hggomh32.exe	Hpmgqnfl.exe
File created	C:\Windows\SysWOW64\Hhmepp32.exe	Hlfdkoin.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ioijbj32.exe
File created	C:\Windows\SysWOW64\Hmlnoc32.exe	Gaemjbcg.exe
File created	C:\Windows\SysWOW64\Hcifgjgc.exe	Hmlnoc32.exe
File created	C:\Windows\SysWOW64\Hicodd32.exe	Hcifgjgc.exe
File created	C:\Windows\SysWOW64\Hpmgqnfl.exe	Hicodd32.exe
File created	C:\Windows\SysWOW64\Ncolgf32.dll	Gaemjbcg.exe
File created	C:\Windows\SysWOW64\Hjhhocjj.exe	Hobcak32.exe
File created	C:\Windows\SysWOW64\Fenhecef.dll	Hobcak32.exe
File opened for modification	C:\Windows\SysWOW64\Hhmepp32.exe	Hlfdkoin.exe
File created	C:\Windows\SysWOW64\Ojhcelga.dll	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ioijbj32.exe
File created	C:\Windows\SysWOW64\Gcaciakh.dll	Gkgkbipp.exe
File created	C:\Windows\SysWOW64\Fealjk32.dll	Hmlnoc32.exe
File opened for modification	C:\Windows\SysWOW64\Hpmgqnfl.exe	Hicodd32.exe
File created	C:\Windows\SysWOW64\Bhpdae32.dll	Hpmgqnfl.exe
File created	C:\Windows\SysWOW64\Ioijbj32.exe	Hogmmjfo.exe
File created	C:\Windows\SysWOW64\Gkgkbipp.exe	[DemonArchives]02fa60c2391dc09e9a0b748a9d89c6a8.exe
File created	C:\Windows\SysWOW64\Gaemjbcg.exe	Gkgkbipp.exe
File opened for modification	C:\Windows\SysWOW64\Hicodd32.exe	Hcifgjgc.exe
File created	C:\Windows\SysWOW64\Hggomh32.exe	Hpmgqnfl.exe
File created	C:\Windows\SysWOW64\Bdhaablp.dll	Hlfdkoin.exe
File created	C:\Windows\SysWOW64\Fpmkde32.dll	[DemonArchives]02fa60c2391dc09e9a0b748a9d89c6a8.exe
File opened for modification	C:\Windows\SysWOW64\Hcifgjgc.exe	Hmlnoc32.exe
File created	C:\Windows\SysWOW64\Hogmmjfo.exe	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ioijbj32.exe

Program crash 1 IoCs

pid	pid_target	Process
2436	2448	WerFault.exe

Modifies registry class 45 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	[DemonArchives]02fa60c2391dc09e9a0b748a9d89c6a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkkmeglp.dll"	Hcifgjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpmkde32.dll"	[DemonArchives]02fa60c2391dc09e9a0b748a9d89c6a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcaciakh.dll"	Gkgkbipp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hcifgjgc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojhcelga.dll"	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ioijbj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	[DemonArchives]02fa60c2391dc09e9a0b748a9d89c6a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpdcgoc.dll"	Hicodd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hjhhocjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hcifgjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fealjk32.dll"	Hmlnoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	[DemonArchives]02fa60c2391dc09e9a0b748a9d89c6a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenhecef.dll"	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gkgkbipp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hmlnoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hmlnoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hicodd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokeef32.dll"	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiogaqdb.dll"	Hjhhocjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gkgkbipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hogmmjfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	[DemonArchives]02fa60c2391dc09e9a0b748a9d89c6a8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hicodd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpdae32.dll"	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hggomh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hobcak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	[DemonArchives]02fa60c2391dc09e9a0b748a9d89c6a8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hhmepp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhaablp.dll"	Hlfdkoin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hjhhocjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnijonn.dll"	Hogmmjfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ioijbj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncolgf32.dll"	Gaemjbcg.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 1808	3044	[DemonArchives]02fa60c2391dc09e9a0b748a9d89c6a8.exe	28
PID 3044 wrote to memory of 1808	3044	[DemonArchives]02fa60c2391dc09e9a0b748a9d89c6a8.exe	28
PID 3044 wrote to memory of 1808	3044	[DemonArchives]02fa60c2391dc09e9a0b748a9d89c6a8.exe	28
PID 3044 wrote to memory of 1808	3044	[DemonArchives]02fa60c2391dc09e9a0b748a9d89c6a8.exe	28
PID 1808 wrote to memory of 1180	1808	Gkgkbipp.exe	29
PID 1808 wrote to memory of 1180	1808	Gkgkbipp.exe	29
PID 1808 wrote to memory of 1180	1808	Gkgkbipp.exe	29
PID 1808 wrote to memory of 1180	1808	Gkgkbipp.exe	29
PID 1180 wrote to memory of 2728	1180	Gaemjbcg.exe	30
PID 1180 wrote to memory of 2728	1180	Gaemjbcg.exe	30
PID 1180 wrote to memory of 2728	1180	Gaemjbcg.exe	30
PID 1180 wrote to memory of 2728	1180	Gaemjbcg.exe	30
PID 2728 wrote to memory of 1944	2728	Hmlnoc32.exe	31
PID 2728 wrote to memory of 1944	2728	Hmlnoc32.exe	31
PID 2728 wrote to memory of 1944	2728	Hmlnoc32.exe	31
PID 2728 wrote to memory of 1944	2728	Hmlnoc32.exe	31
PID 1944 wrote to memory of 2828	1944	Hcifgjgc.exe	32
PID 1944 wrote to memory of 2828	1944	Hcifgjgc.exe	32
PID 1944 wrote to memory of 2828	1944	Hcifgjgc.exe	32
PID 1944 wrote to memory of 2828	1944	Hcifgjgc.exe	32
PID 2828 wrote to memory of 2536	2828	Hicodd32.exe	33
PID 2828 wrote to memory of 2536	2828	Hicodd32.exe	33
PID 2828 wrote to memory of 2536	2828	Hicodd32.exe	33
PID 2828 wrote to memory of 2536	2828	Hicodd32.exe	33
PID 2536 wrote to memory of 2184	2536	Hpmgqnfl.exe	34
PID 2536 wrote to memory of 2184	2536	Hpmgqnfl.exe	34
PID 2536 wrote to memory of 2184	2536	Hpmgqnfl.exe	34
PID 2536 wrote to memory of 2184	2536	Hpmgqnfl.exe	34
PID 2184 wrote to memory of 2812	2184	Hggomh32.exe	35
PID 2184 wrote to memory of 2812	2184	Hggomh32.exe	35
PID 2184 wrote to memory of 2812	2184	Hggomh32.exe	35
PID 2184 wrote to memory of 2812	2184	Hggomh32.exe	35
PID 2812 wrote to memory of 1424	2812	Hobcak32.exe	36
PID 2812 wrote to memory of 1424	2812	Hobcak32.exe	36
PID 2812 wrote to memory of 1424	2812	Hobcak32.exe	36
PID 2812 wrote to memory of 1424	2812	Hobcak32.exe	36
PID 1424 wrote to memory of 1708	1424	Hjhhocjj.exe	37
PID 1424 wrote to memory of 1708	1424	Hjhhocjj.exe	37
PID 1424 wrote to memory of 1708	1424	Hjhhocjj.exe	37
PID 1424 wrote to memory of 1708	1424	Hjhhocjj.exe	37
PID 1708 wrote to memory of 756	1708	Hlfdkoin.exe	38
PID 1708 wrote to memory of 756	1708	Hlfdkoin.exe	38
PID 1708 wrote to memory of 756	1708	Hlfdkoin.exe	38
PID 1708 wrote to memory of 756	1708	Hlfdkoin.exe	38
PID 756 wrote to memory of 3004	756	Hhmepp32.exe	39
PID 756 wrote to memory of 3004	756	Hhmepp32.exe	39
PID 756 wrote to memory of 3004	756	Hhmepp32.exe	39
PID 756 wrote to memory of 3004	756	Hhmepp32.exe	39
PID 3004 wrote to memory of 2228	3004	Hogmmjfo.exe	40
PID 3004 wrote to memory of 2228	3004	Hogmmjfo.exe	40
PID 3004 wrote to memory of 2228	3004	Hogmmjfo.exe	40
PID 3004 wrote to memory of 2228	3004	Hogmmjfo.exe	40
PID 2228 wrote to memory of 2448	2228	Ioijbj32.exe	41
PID 2228 wrote to memory of 2448	2228	Ioijbj32.exe	41
PID 2228 wrote to memory of 2448	2228	Ioijbj32.exe	41
PID 2228 wrote to memory of 2448	2228	Ioijbj32.exe	41
PID 2448 wrote to memory of 2436	2448	Iagfoe32.exe	42
PID 2448 wrote to memory of 2436	2448	Iagfoe32.exe	42
PID 2448 wrote to memory of 2436	2448	Iagfoe32.exe	42
PID 2448 wrote to memory of 2436	2448	Iagfoe32.exe	42

C:\Users\Admin\AppData\Local\Temp\[DemonArchives]02fa60c2391dc09e9a0b748a9d89c6a8.exe
"C:\Users\Admin\AppData\Local\Temp\[DemonArchives]02fa60c2391dc09e9a0b748a9d89c6a8.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\SysWOW64\Gkgkbipp.exe
  C:\Windows\system32\Gkgkbipp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Windows\SysWOW64\Gaemjbcg.exe
    C:\Windows\system32\Gaemjbcg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1180
  - - C:\Windows\SysWOW64\Hmlnoc32.exe
      C:\Windows\system32\Hmlnoc32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Windows\SysWOW64\Hcifgjgc.exe
        
        C:\Windows\system32\Hcifgjgc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1944
      - C:\Windows\SysWOW64\Hicodd32.exe
        
        C:\Windows\system32\Hicodd32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\Hpmgqnfl.exe
        
        C:\Windows\system32\Hpmgqnfl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Hggomh32.exe
        
        C:\Windows\system32\Hggomh32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\SysWOW64\Hobcak32.exe
        
        C:\Windows\system32\Hobcak32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\Hjhhocjj.exe
        
        C:\Windows\system32\Hjhhocjj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\SysWOW64\Hlfdkoin.exe
        
        C:\Windows\system32\Hlfdkoin.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Hhmepp32.exe
        
        C:\Windows\system32\Hhmepp32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\SysWOW64\Hogmmjfo.exe
        
        C:\Windows\system32\Hogmmjfo.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\SysWOW64\Ioijbj32.exe
        
        C:\Windows\system32\Ioijbj32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 140
        16⤵
        Loads dropped DLL
        Program crash
        
        PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gaemjbcg.exe

Filesize
3.2MB

MD5
1f2b65501689e56b2061e5185df8736e

SHA1
f25f10197288f8d40cf94d94589388b333c41d3b

SHA256
0b84b80936256ae101bd0c89ce35e4285ed7b723f729342fa9b294cfd33c8770

SHA512
085994807f3b24225bb4f5b95d0bf507500469e735dc4b416980a2f9a9484720ee5f5c91d0b1b5c12134e2e576ffb10fe1af777cc551acd329fd828bc9330ca2

Download Submit
C:\Windows\SysWOW64\Hcifgjgc.exe

Filesize
3.2MB

MD5
900512ea8a9af27e72c72490fb58de9e

SHA1
95ae0749240e207b8618c32c6970cf8317926c96

SHA256
04e5a4bab88c0a1d30042f7637cd9e4a3536eb3316605a48243b3732ba2f70ac

SHA512
9810fb86e9dad352a74767592f35eabedf689f863f97f4870ae2f736c9847dd5604e4a751b196f5e999a7c3648ebb8009cdf4f37af74b090fd449f10dd435ece

Download Submit
C:\Windows\SysWOW64\Hggomh32.exe

Filesize
3.2MB

MD5
1a57b4de3363d98bed5949dfc9fc8db9

SHA1
d51fe6a1c3facb81ac4ff4913aaade9d96567ad6

SHA256
1b29e4d0131db9e2572060190a60ecd35002d251f072538c651dd25dd557c63c

SHA512
2381908ec821050c330275530e5cde137693ec4bdd857d380e4a55adcf3121f5a00ec5e99797203620bd92380e408ebef3805c4d2eaf7e0807ebf4b56c003c4c

Download Submit
C:\Windows\SysWOW64\Hhmepp32.exe

Filesize
3.2MB

MD5
a12089b0674331bc7411adc62e19864a

SHA1
8981a89f50d4c787d111dc7a57857a77b1d7cfe9

SHA256
b715c3f1c191f24c8e961dbe6f3e5b942196559ac286390d16580ab590fa72d7

SHA512
f3ad927d9af751dba3c4f5b18c70cce3f1d0191ffd3ac20db034357771ca1fc9af5f0707d179fe6f73c0a47ee923c434a0897e3c4e5692a46d06f64a3f7c55f2

Download Submit
C:\Windows\SysWOW64\Hicodd32.exe

Filesize
3.2MB

MD5
31e92855ada57be737e45a24e086575c

SHA1
1270a1c075aff3b2922eaa01ed7c8bc07a4824fe

SHA256
cfac6a67fb43947e50a332edd502d41a48c18450f0871d555c0e632857f3aa1c

SHA512
1ea7f28ea9c79e49eab91825cd35bb178c48dc122e6a847f7d1a4f3cda6fb0723f86fe77771cf3fa5870e33ba7409ddb2851c2454de935b00dd8ed0d46c2904a

Download Submit
C:\Windows\SysWOW64\Hjhhocjj.exe

Filesize
3.2MB

MD5
0abaeabbf48f2cc6b6d8460c4ad7a307

SHA1
5c41e0fe6157f5137c665b67fa44f0a66ca7b8ef

SHA256
3e34ec1cdae0d87710e03ae0d52153b8666dd6ee4d54ed19939b5d7d2d0531f7

SHA512
2409da7c40444a07e710fe4d5e78ea091260cd9575281f5cc96fb7e8e097ee746ba8bd5fe1cab9bf81ff1aa08e9ff90e90009da28e84088ba19f6c8204c0644c

Download Submit
C:\Windows\SysWOW64\Hkkmeglp.dll

Filesize
7KB

MD5
136c5ad6681b5e02682d8930c88e9fc4

SHA1
1fa50d461c6b6c026a72ce2e06ce122793459e74

SHA256
5b5c029d4bbb78e44669145049727b1a71820384e2fec364e8dc4949dac435c1

SHA512
ae66e9120a4d2d81c7659610824e6e8a9bcb774e7ea42df8d14571e941db2813e9186f60e6fd3800d8a4751222dbb0c2b8ab1e260771fcb98b67c6218795be71

Download Submit
C:\Windows\SysWOW64\Hlfdkoin.exe

Filesize
3.2MB

MD5
14eafe7c135304a66abbf9c77a76cf3b

SHA1
f7e421dafe5d3d68d9310b4a02dbf6eed0b655f7

SHA256
59d1b57880c6e48157f2643a441c49455847a268e7456c8488ae1b8ad225d70c

SHA512
405f1a670dbdc551839ec5ab68543fed17d6040be07227d79029f997edef9b6ac3b7fd52e663937934e4249144640f57e35d1d04ae4f7980bfec737605e1ad02

Download Submit
C:\Windows\SysWOW64\Hmlnoc32.exe

Filesize
3.2MB

MD5
5f78507415f5071ebbfb9d90dc1a352a

SHA1
51b71368becd8af78a2d518efc75a93753aa1622

SHA256
1957cd6976829a70c13ff6c1f497afc36a926f3aca516128edcf462ed2718cfd

SHA512
82e54581c29e1fb38ad26c60d19c8996d4ae92c57e6f88fcaac591a40a59ce00c1471b1a6a6d01a486d8089a58f8ff93f496caa741e6e553d4a0a9cac37e034d

Download Submit
C:\Windows\SysWOW64\Hobcak32.exe

Filesize
3.2MB

MD5
0470fbd498561ee569fb3defdc5401cf

SHA1
2134dda5ad748aecaa087734c2e74420d30aece7

SHA256
0f6253f37d6a20c03ffef0dc9fac3abd5d106e3e09335626faa5dbd280516875

SHA512
cde2298ccd620598bb41fa892f6e9594c32263d00a2d52bd9ffc54f4d3171dd6d94a8cbcb7b792e1d11f3bac444e0e0e92954de2a0da34ef405607b0bfc17742

Download Submit
C:\Windows\SysWOW64\Hogmmjfo.exe

Filesize
3.2MB

MD5
b605903908c67fcdde1289107002314b

SHA1
449052d00226879a80271cb201a1ddb50a5a9fcd

SHA256
a0c6fae3c2cbebb1d8e138c4bda729115ade7c9ca4b8ecf304bf426c29eb00fc

SHA512
371424b0459a8bdc97a71a7c741d55bba6bfd30ace396e72aa13aecee95e0a7ade6265193cb1a38b0998898ba0a1588035bb9a43eded967d4d582e568a8c38da

Download Submit
C:\Windows\SysWOW64\Hpmgqnfl.exe

Filesize
3.2MB

MD5
76f54bee4156e4b32b2ed7d550587e49

SHA1
0b58a10c5a9d9479b0f25feffcfa4bc59d843480

SHA256
9764d092059aa33ace81e26242d3b15d75e1b3759372dadb984cee80fe63a5cb

SHA512
e33c55b8f80cd3935f0fe40933ea2e66ca3792f85c42bd6a633b932641e4717a4df077873dfc56b6715bdc61ee3b93bd46a4577a143e66c41798e73b29e3fe0e

Download Submit
C:\Windows\SysWOW64\Ioijbj32.exe

Filesize
3.2MB

MD5
0f882c06ef694ff306d216bbd77f979b

SHA1
db4bba2d371068ca9050f1689ef40804456f87c3

SHA256
decea8d098ae1ef7e7597d90e25bd782ccd26241d8fa9387e62b14cd22f06698

SHA512
fe3cafbc285af7b4ded8cd98d631e94bb48acf9d3e7b5a208b91a59d6acbe5d78e95a46b7f671ee8408e0c750163b1c7392fc045bb75c0340240e89dc52cb8a5

Download Submit
\Windows\SysWOW64\Gkgkbipp.exe

Filesize
3.2MB

MD5
880b91a24035b68720b7c9f2fd4b3a2f

SHA1
cbb6bfad5d91a84e93904c729180ecea50e9e704

SHA256
d82dc735d3cbcf03bd3f45b80a5264c709d77ce3299bc7459a803860ed8d327a

SHA512
81a1d42c875fa57b27fd3c238c928c7e4c66b3e988c02f28f73276a3342d9bb4e00fe0c98e79c48005d94c6b44e30f2b94bb1bde57091c8c58ad8778c95f76a2

Download Submit
\Windows\SysWOW64\Iagfoe32.exe

Filesize
3.2MB

MD5
4dc605176489c0ff76ef0e7ad32873c1

SHA1
2a6f8841d78079c7dd8d0f3b9ab171a9ddcf8fe6

SHA256
ae314277bf32cc4ce0a97d6e2a8f39d3fd90f181ea5354aaa0b6df3b99bbe425

SHA512
857609bba2c1c57636fdd4096c0cc8c9213f34163e972d0d9b9976ec5fb81336bc66767d26761a4c12035d4db010ee7329d021c91673c1a0b9d9f3ef70cc4811

Download Submit
memory/756-163-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/756-216-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1180-43-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1180-211-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1180-29-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1424-149-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/1424-150-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/1424-137-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1708-162-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1708-161-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1708-215-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1708-151-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1808-210-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1808-27-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/1808-14-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1808-28-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/1944-63-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1944-76-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/1944-77-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2184-214-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2184-107-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2184-122-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2184-121-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2228-202-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/2228-203-0x0000000000440000-0x0000000000476000-memory.dmp

Filesize
216KB

Download
memory/2228-190-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2228-218-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2448-204-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2536-92-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2536-106-0x0000000000270000-0x00000000002A6000-memory.dmp

Filesize
216KB

Download
memory/2536-213-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2536-105-0x0000000000270000-0x00000000002A6000-memory.dmp

Filesize
216KB

Download
memory/2728-212-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2728-57-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2728-44-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2728-62-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2812-123-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2812-136-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2828-78-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2828-81-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/2828-91-0x0000000000250000-0x0000000000286000-memory.dmp

Filesize
216KB

Download
memory/3004-176-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3004-189-0x0000000000270000-0x00000000002A6000-memory.dmp

Filesize
216KB

Download
memory/3004-217-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3044-209-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3044-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3044-12-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/3044-6-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads