e2cadb0766cf2fc20a527c917f4475388ef3fbd73b8e0c6d071b695afbb1dba3

Resubmissions

04-07-2024 17:22

240704-vxyavazeql 10

04-07-2024 17:19

240704-vv7rhazenr 10

Analysis

max time kernel
293s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04-07-2024 17:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

[DemonArchives]086b605fada00eaa39fca0581712f10f.exe
Size

1.9MB
MD5

086b605fada00eaa39fca0581712f10f
SHA1

d328e557965072baf7586a9d8aaad36f84666398
SHA256

4a52d88f2072ec553b00dd8def3089c4df2c320b502907b7c4e6fffed30e9786
SHA512

1217e2fcce016667af561e9b753d96df41e007de1c22994887d81827dc801a4521f3fbb1d6198deb5ed4b39b7e9a104e239dcf36e4e76e9c2728447e79deb948
SSDEEP

24576:vsxNIVyeNIVy2jU3NIVyeNIVy2jUQNIVyeNIVy2jU3NIVyeNIVy2jUO:vs0yjByjUyjByjH

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmcoja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dqlafm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmcoja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpocfncj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gpknlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djefobmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnbkddem.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	[DemonArchives]086b605fada00eaa39fca0581712f10f.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dqlafm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpkjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hpkjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	[DemonArchives]086b605fada00eaa39fca0581712f10f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebpkce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcmgfkeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnbkddem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcknbh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eihfjo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgdmmgpj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcknbh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpocfncj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekholjqg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gogangdc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebpkce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejbfhfaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gogangdc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djefobmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Feeiob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Idceea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgdmmgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekholjqg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlcgeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fiaeoang.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjhhocjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjhhocjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcmgfkeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Feeiob32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eihfjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fiaeoang.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejbfhfaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gpknlk32.exe

Executes dropped EXE 26 IoCs

pid	Process
2492	Dgdmmgpj.exe
2672	Dqlafm32.exe
2404	Dcknbh32.exe
2536	Djefobmk.exe
2428	Eihfjo32.exe
2920	Ebpkce32.exe
2884	Ekholjqg.exe
272	Ejbfhfaj.exe
2384	Fmcoja32.exe
1196	Fcmgfkeg.exe
1184	Fnbkddem.exe
2060	Feeiob32.exe
1844	Fiaeoang.exe
1944	Gpknlk32.exe
588	Ghmiam32.exe
2960	Gogangdc.exe
2068	Hpkjko32.exe
1172	Hkpnhgge.exe
1480	Hlcgeo32.exe
1888	Hpocfncj.exe
240	Hcnpbi32.exe
956	Hjhhocjj.exe
2184	Hlfdkoin.exe
1004	Ieqeidnl.exe
884	Idceea32.exe
964	Iagfoe32.exe

Loads dropped DLL 56 IoCs

pid	Process
2316	[DemonArchives]086b605fada00eaa39fca0581712f10f.exe
2316	[DemonArchives]086b605fada00eaa39fca0581712f10f.exe
2492	Dgdmmgpj.exe
2492	Dgdmmgpj.exe
2672	Dqlafm32.exe
2672	Dqlafm32.exe
2404	Dcknbh32.exe
2404	Dcknbh32.exe
2536	Djefobmk.exe
2536	Djefobmk.exe
2428	Eihfjo32.exe
2428	Eihfjo32.exe
2920	Ebpkce32.exe
2920	Ebpkce32.exe
2884	Ekholjqg.exe
2884	Ekholjqg.exe
272	Ejbfhfaj.exe
272	Ejbfhfaj.exe
2384	Fmcoja32.exe
2384	Fmcoja32.exe
1196	Fcmgfkeg.exe
1196	Fcmgfkeg.exe
1184	Fnbkddem.exe
1184	Fnbkddem.exe
2060	Feeiob32.exe
2060	Feeiob32.exe
1844	Fiaeoang.exe
1844	Fiaeoang.exe
1944	Gpknlk32.exe
1944	Gpknlk32.exe
588	Ghmiam32.exe
588	Ghmiam32.exe
2960	Gogangdc.exe
2960	Gogangdc.exe
2068	Hpkjko32.exe
2068	Hpkjko32.exe
1172	Hkpnhgge.exe
1172	Hkpnhgge.exe
1480	Hlcgeo32.exe
1480	Hlcgeo32.exe
1888	Hpocfncj.exe
1888	Hpocfncj.exe
240	Hcnpbi32.exe
240	Hcnpbi32.exe
956	Hjhhocjj.exe
956	Hjhhocjj.exe
2184	Hlfdkoin.exe
2184	Hlfdkoin.exe
1004	Ieqeidnl.exe
1004	Ieqeidnl.exe
884	Idceea32.exe
884	Idceea32.exe
1528	WerFault.exe
1528	WerFault.exe
1528	WerFault.exe
1528	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Djefobmk.exe	Dcknbh32.exe
File created	C:\Windows\SysWOW64\Eihfjo32.exe	Djefobmk.exe
File opened for modification	C:\Windows\SysWOW64\Eihfjo32.exe	Djefobmk.exe
File opened for modification	C:\Windows\SysWOW64\Fmcoja32.exe	Ejbfhfaj.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Idceea32.exe
File opened for modification	C:\Windows\SysWOW64\Dqlafm32.exe	Dgdmmgpj.exe
File created	C:\Windows\SysWOW64\Iaeldika.dll	Fcmgfkeg.exe
File opened for modification	C:\Windows\SysWOW64\Idceea32.exe	Ieqeidnl.exe
File opened for modification	C:\Windows\SysWOW64\Gpknlk32.exe	Fiaeoang.exe
File created	C:\Windows\SysWOW64\Hnempl32.dll	Gpknlk32.exe
File created	C:\Windows\SysWOW64\Hlfdkoin.exe	Hjhhocjj.exe
File opened for modification	C:\Windows\SysWOW64\Hpkjko32.exe	Gogangdc.exe
File created	C:\Windows\SysWOW64\Pafagk32.dll	Dqlafm32.exe
File opened for modification	C:\Windows\SysWOW64\Djefobmk.exe	Dcknbh32.exe
File opened for modification	C:\Windows\SysWOW64\Ekholjqg.exe	Ebpkce32.exe
File created	C:\Windows\SysWOW64\Facklcaq.dll	Fmcoja32.exe
File created	C:\Windows\SysWOW64\Gpknlk32.exe	Fiaeoang.exe
File created	C:\Windows\SysWOW64\Ghmiam32.exe	Gpknlk32.exe
File created	C:\Windows\SysWOW64\Hpkjko32.exe	Gogangdc.exe
File created	C:\Windows\SysWOW64\Hpocfncj.exe	Hlcgeo32.exe
File created	C:\Windows\SysWOW64\Fenhecef.dll	Hcnpbi32.exe
File opened for modification	C:\Windows\SysWOW64\Hlfdkoin.exe	Hjhhocjj.exe
File opened for modification	C:\Windows\SysWOW64\Dcknbh32.exe	Dqlafm32.exe
File created	C:\Windows\SysWOW64\Ambcae32.dll	Ekholjqg.exe
File created	C:\Windows\SysWOW64\Fmcoja32.exe	Ejbfhfaj.exe
File created	C:\Windows\SysWOW64\Fiaeoang.exe	Feeiob32.exe
File created	C:\Windows\SysWOW64\Dcknbh32.exe	Dqlafm32.exe
File created	C:\Windows\SysWOW64\Ebpkce32.exe	Eihfjo32.exe
File created	C:\Windows\SysWOW64\Hkpnhgge.exe	Hpkjko32.exe
File created	C:\Windows\SysWOW64\Hjhhocjj.exe	Hcnpbi32.exe
File created	C:\Windows\SysWOW64\Ieqeidnl.exe	Hlfdkoin.exe
File opened for modification	C:\Windows\SysWOW64\Ebpkce32.exe	Eihfjo32.exe
File created	C:\Windows\SysWOW64\Ekholjqg.exe	Ebpkce32.exe
File created	C:\Windows\SysWOW64\Fcmgfkeg.exe	Fmcoja32.exe
File opened for modification	C:\Windows\SysWOW64\Dgdmmgpj.exe	[DemonArchives]086b605fada00eaa39fca0581712f10f.exe
File created	C:\Windows\SysWOW64\Kcfdakpf.dll	Ebpkce32.exe
File opened for modification	C:\Windows\SysWOW64\Ejbfhfaj.exe	Ekholjqg.exe
File created	C:\Windows\SysWOW64\Pffgja32.dll	Hpkjko32.exe
File created	C:\Windows\SysWOW64\Hciofb32.dll	Hlcgeo32.exe
File opened for modification	C:\Windows\SysWOW64\Hjhhocjj.exe	Hcnpbi32.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Idceea32.exe
File created	C:\Windows\SysWOW64\Jfpjfeia.dll	Dgdmmgpj.exe
File created	C:\Windows\SysWOW64\Fclomp32.dll	Djefobmk.exe
File created	C:\Windows\SysWOW64\Fnbkddem.exe	Fcmgfkeg.exe
File created	C:\Windows\SysWOW64\Gfoihbdp.dll	Fiaeoang.exe
File created	C:\Windows\SysWOW64\Hlcgeo32.exe	Hkpnhgge.exe
File created	C:\Windows\SysWOW64\Dqlafm32.exe	Dgdmmgpj.exe
File created	C:\Windows\SysWOW64\Hcnpbi32.exe	Hpocfncj.exe
File created	C:\Windows\SysWOW64\Pqiqnfej.dll	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Idceea32.exe
File created	C:\Windows\SysWOW64\Dhflmk32.dll	[DemonArchives]086b605fada00eaa39fca0581712f10f.exe
File opened for modification	C:\Windows\SysWOW64\Hpocfncj.exe	Hlcgeo32.exe
File opened for modification	C:\Windows\SysWOW64\Fiaeoang.exe	Feeiob32.exe
File opened for modification	C:\Windows\SysWOW64\Ghmiam32.exe	Gpknlk32.exe
File opened for modification	C:\Windows\SysWOW64\Hkpnhgge.exe	Hpkjko32.exe
File opened for modification	C:\Windows\SysWOW64\Hlcgeo32.exe	Hkpnhgge.exe
File created	C:\Windows\SysWOW64\Kjnifgah.dll	Hkpnhgge.exe
File opened for modification	C:\Windows\SysWOW64\Ieqeidnl.exe	Hlfdkoin.exe
File created	C:\Windows\SysWOW64\Cmbmkg32.dll	Feeiob32.exe
File created	C:\Windows\SysWOW64\Kifjcn32.dll	Fnbkddem.exe
File opened for modification	C:\Windows\SysWOW64\Gogangdc.exe	Ghmiam32.exe
File created	C:\Windows\SysWOW64\Hllopfgo.dll	Ghmiam32.exe
File opened for modification	C:\Windows\SysWOW64\Fcmgfkeg.exe	Fmcoja32.exe
File opened for modification	C:\Windows\SysWOW64\Feeiob32.exe	Fnbkddem.exe

Program crash 1 IoCs

pid	pid_target	Process
1528	964	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfoihbdp.dll"	Fiaeoang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pafagk32.dll"	Dqlafm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcmgfkeg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kifjcn32.dll"	Fnbkddem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjhhocjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Idceea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	[DemonArchives]086b605fada00eaa39fca0581712f10f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcmgfkeg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hllopfgo.dll"	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkpnhgge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenhecef.dll"	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	[DemonArchives]086b605fada00eaa39fca0581712f10f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekholjqg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnempl32.dll"	Gpknlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fnbkddem.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmjcmjd.dll"	Hlfdkoin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	[DemonArchives]086b605fada00eaa39fca0581712f10f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	[DemonArchives]086b605fada00eaa39fca0581712f10f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejbfhfaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gpknlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hpkjko32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgdmmgpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dqlafm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejbfhfaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjhhocjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebpkce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fiaeoang.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hciofb32.dll"	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gogangdc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Facklcaq.dll"	Fmcoja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmcoja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbmkg32.dll"	Feeiob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcfdakpf.dll"	Ebpkce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fiaeoang.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqiqnfej.dll"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhflmk32.dll"	[DemonArchives]086b605fada00eaa39fca0581712f10f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dqlafm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcknbh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	[DemonArchives]086b605fada00eaa39fca0581712f10f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djefobmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lghegkoc.dll"	Ejbfhfaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiogaqdb.dll"	Hjhhocjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebpkce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gpknlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fclomp32.dll"	Djefobmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjnifgah.dll"	Hkpnhgge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hpkjko32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khejeajg.dll"	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlfdkoin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Idceea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djefobmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ghmiam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codpklfq.dll"	Gogangdc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdoik32.dll"	Eihfjo32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2492	2316	[DemonArchives]086b605fada00eaa39fca0581712f10f.exe	28
PID 2316 wrote to memory of 2492	2316	[DemonArchives]086b605fada00eaa39fca0581712f10f.exe	28
PID 2316 wrote to memory of 2492	2316	[DemonArchives]086b605fada00eaa39fca0581712f10f.exe	28
PID 2316 wrote to memory of 2492	2316	[DemonArchives]086b605fada00eaa39fca0581712f10f.exe	28
PID 2492 wrote to memory of 2672	2492	Dgdmmgpj.exe	29
PID 2492 wrote to memory of 2672	2492	Dgdmmgpj.exe	29
PID 2492 wrote to memory of 2672	2492	Dgdmmgpj.exe	29
PID 2492 wrote to memory of 2672	2492	Dgdmmgpj.exe	29
PID 2672 wrote to memory of 2404	2672	Dqlafm32.exe	30
PID 2672 wrote to memory of 2404	2672	Dqlafm32.exe	30
PID 2672 wrote to memory of 2404	2672	Dqlafm32.exe	30
PID 2672 wrote to memory of 2404	2672	Dqlafm32.exe	30
PID 2404 wrote to memory of 2536	2404	Dcknbh32.exe	31
PID 2404 wrote to memory of 2536	2404	Dcknbh32.exe	31
PID 2404 wrote to memory of 2536	2404	Dcknbh32.exe	31
PID 2404 wrote to memory of 2536	2404	Dcknbh32.exe	31
PID 2536 wrote to memory of 2428	2536	Djefobmk.exe	32
PID 2536 wrote to memory of 2428	2536	Djefobmk.exe	32
PID 2536 wrote to memory of 2428	2536	Djefobmk.exe	32
PID 2536 wrote to memory of 2428	2536	Djefobmk.exe	32
PID 2428 wrote to memory of 2920	2428	Eihfjo32.exe	33
PID 2428 wrote to memory of 2920	2428	Eihfjo32.exe	33
PID 2428 wrote to memory of 2920	2428	Eihfjo32.exe	33
PID 2428 wrote to memory of 2920	2428	Eihfjo32.exe	33
PID 2920 wrote to memory of 2884	2920	Ebpkce32.exe	34
PID 2920 wrote to memory of 2884	2920	Ebpkce32.exe	34
PID 2920 wrote to memory of 2884	2920	Ebpkce32.exe	34
PID 2920 wrote to memory of 2884	2920	Ebpkce32.exe	34
PID 2884 wrote to memory of 272	2884	Ekholjqg.exe	35
PID 2884 wrote to memory of 272	2884	Ekholjqg.exe	35
PID 2884 wrote to memory of 272	2884	Ekholjqg.exe	35
PID 2884 wrote to memory of 272	2884	Ekholjqg.exe	35
PID 272 wrote to memory of 2384	272	Ejbfhfaj.exe	36
PID 272 wrote to memory of 2384	272	Ejbfhfaj.exe	36
PID 272 wrote to memory of 2384	272	Ejbfhfaj.exe	36
PID 272 wrote to memory of 2384	272	Ejbfhfaj.exe	36
PID 2384 wrote to memory of 1196	2384	Fmcoja32.exe	37
PID 2384 wrote to memory of 1196	2384	Fmcoja32.exe	37
PID 2384 wrote to memory of 1196	2384	Fmcoja32.exe	37
PID 2384 wrote to memory of 1196	2384	Fmcoja32.exe	37
PID 1196 wrote to memory of 1184	1196	Fcmgfkeg.exe	38
PID 1196 wrote to memory of 1184	1196	Fcmgfkeg.exe	38
PID 1196 wrote to memory of 1184	1196	Fcmgfkeg.exe	38
PID 1196 wrote to memory of 1184	1196	Fcmgfkeg.exe	38
PID 1184 wrote to memory of 2060	1184	Fnbkddem.exe	39
PID 1184 wrote to memory of 2060	1184	Fnbkddem.exe	39
PID 1184 wrote to memory of 2060	1184	Fnbkddem.exe	39
PID 1184 wrote to memory of 2060	1184	Fnbkddem.exe	39
PID 2060 wrote to memory of 1844	2060	Feeiob32.exe	40
PID 2060 wrote to memory of 1844	2060	Feeiob32.exe	40
PID 2060 wrote to memory of 1844	2060	Feeiob32.exe	40
PID 2060 wrote to memory of 1844	2060	Feeiob32.exe	40
PID 1844 wrote to memory of 1944	1844	Fiaeoang.exe	41
PID 1844 wrote to memory of 1944	1844	Fiaeoang.exe	41
PID 1844 wrote to memory of 1944	1844	Fiaeoang.exe	41
PID 1844 wrote to memory of 1944	1844	Fiaeoang.exe	41
PID 1944 wrote to memory of 588	1944	Gpknlk32.exe	42
PID 1944 wrote to memory of 588	1944	Gpknlk32.exe	42
PID 1944 wrote to memory of 588	1944	Gpknlk32.exe	42
PID 1944 wrote to memory of 588	1944	Gpknlk32.exe	42
PID 588 wrote to memory of 2960	588	Ghmiam32.exe	43
PID 588 wrote to memory of 2960	588	Ghmiam32.exe	43
PID 588 wrote to memory of 2960	588	Ghmiam32.exe	43
PID 588 wrote to memory of 2960	588	Ghmiam32.exe	43

C:\Users\Admin\AppData\Local\Temp\[DemonArchives]086b605fada00eaa39fca0581712f10f.exe
"C:\Users\Admin\AppData\Local\Temp\[DemonArchives]086b605fada00eaa39fca0581712f10f.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\SysWOW64\Dgdmmgpj.exe
  C:\Windows\system32\Dgdmmgpj.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\SysWOW64\Dqlafm32.exe
    C:\Windows\system32\Dqlafm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\SysWOW64\Dcknbh32.exe
      C:\Windows\system32\Dcknbh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2404
    - - C:\Windows\SysWOW64\Djefobmk.exe
        
        C:\Windows\system32\Djefobmk.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2536
      - C:\Windows\SysWOW64\Eihfjo32.exe
        
        C:\Windows\system32\Eihfjo32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\SysWOW64\Ebpkce32.exe
        
        C:\Windows\system32\Ebpkce32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Ekholjqg.exe
        
        C:\Windows\system32\Ekholjqg.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\SysWOW64\Ejbfhfaj.exe
        
        C:\Windows\system32\Ejbfhfaj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:272
        
        C:\Windows\SysWOW64\Fmcoja32.exe
        
        C:\Windows\system32\Fmcoja32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\Fcmgfkeg.exe
        
        C:\Windows\system32\Fcmgfkeg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Windows\SysWOW64\Fnbkddem.exe
        
        C:\Windows\system32\Fnbkddem.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Windows\SysWOW64\Feeiob32.exe
        
        C:\Windows\system32\Feeiob32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2060
        
        C:\Windows\SysWOW64\Fiaeoang.exe
        
        C:\Windows\system32\Fiaeoang.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\Gpknlk32.exe
        
        C:\Windows\system32\Gpknlk32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Ghmiam32.exe
        
        C:\Windows\system32\Ghmiam32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:588
        
        C:\Windows\SysWOW64\Gogangdc.exe
        
        C:\Windows\system32\Gogangdc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2960
        
        C:\Windows\SysWOW64\Hpkjko32.exe
        
        C:\Windows\system32\Hpkjko32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2068
        
        C:\Windows\SysWOW64\Hkpnhgge.exe
        
        C:\Windows\system32\Hkpnhgge.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1172
        
        C:\Windows\SysWOW64\Hlcgeo32.exe
        
        C:\Windows\system32\Hlcgeo32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Hpocfncj.exe
        
        C:\Windows\system32\Hpocfncj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Hcnpbi32.exe
        
        C:\Windows\system32\Hcnpbi32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:240
        
        C:\Windows\SysWOW64\Hjhhocjj.exe
        
        C:\Windows\system32\Hjhhocjj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:956
        
        C:\Windows\SysWOW64\Hlfdkoin.exe
        
        C:\Windows\system32\Hlfdkoin.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\Ieqeidnl.exe
        
        C:\Windows\system32\Ieqeidnl.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1004
        
        C:\Windows\SysWOW64\Idceea32.exe
        
        C:\Windows\system32\Idceea32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:884
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        27⤵
        Executes dropped EXE
        
        PID:964
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 140
        28⤵
        Loads dropped DLL
        Program crash
        
        PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dcknbh32.exe

Filesize
1.9MB

MD5
8867ab372b1eb3e1ecef1123f3155c4e

SHA1
d89ad76677f7550b765748cb890fafcd8567c41e

SHA256
b885f22c6e3a1628931700ada9c5f74f3000bc34ccceb500201b439fd9fee5ab

SHA512
ac0cc7b201e4656ccb597b108c4e37fff32be2b6035597543227d65196d426d500037bee830f843e96a751079741aa20e5bf917b3e91673b70d58570f37383a2

Download Submit
C:\Windows\SysWOW64\Djefobmk.exe

Filesize
1.9MB

MD5
c66f41b3fb7e503eae9246dc142f7793

SHA1
a1cf03bfc4fc05807a204a9ebe895e002de9ff49

SHA256
caf303f5961aa0fbd5db3228381ab03f0a018a15b8fc35f4933d1a2ca07864bc

SHA512
b2c63f3dca4b94850f40831a831f8c3e67c2243574faeaa3e300630373596ef5d619047a6b755f905444ca24d20b38b051f98e5f55daaf128489d7f0de62c39c

Download Submit
C:\Windows\SysWOW64\Dqlafm32.exe

Filesize
1.9MB

MD5
ce4deace32c015e5a3a11082308018a6

SHA1
97b56f91d9ad762339b1b2a3b080f9450b2f9d4c

SHA256
9169d207e1750b59f368abbbe9775081c635e015665561927267708b955a8bad

SHA512
c50648f768fa3372e61fc930a805e5463857b022a3a12108348cca297072b51c99345f271d482ef1e364c94e55a0058826ebebdce0d859f8b4c3eee3126c7969

Download Submit
C:\Windows\SysWOW64\Ebpkce32.exe

Filesize
1.9MB

MD5
8e0a9657e55403aed063dcb4f6451faf

SHA1
9773efc95f9a8bd671ddcca4010fa5c87a4dd2bc

SHA256
98c1084ae8d944e38d17e6877ef5afee53788c5b4aa9841ff1a5798b0b793812

SHA512
651efa2c3835e617c11a378e68713b73d93852d2a8a94b66e01f278573b0db2df3ff7c08372a6d819b54ade9c8b3b40c579fb15a0eadf3a903bd9fba8f14c5ff

Download Submit
C:\Windows\SysWOW64\Fcmgfkeg.exe

Filesize
1.9MB

MD5
b98bc94a0bf78fb2a13c19405bef594c

SHA1
59c3a38c8ac1181e4b2a36316e7e80ab3637889d

SHA256
276a8d689eec7c278d80ff328fa3c90c7a14ea50baff3be1661646486fa74d18

SHA512
7e18b2132812f4290f769da5412a9ed3bb23546f8d86a79772afd696315a5cb771a43522edcacbdc6d0556103eb98128e9e841aab5a1d8e6aec9dc12d9093e89

Download Submit
C:\Windows\SysWOW64\Feeiob32.exe

Filesize
1.9MB

MD5
6d59a1bc14f22f508c6975f2ebfb5db0

SHA1
f912d44c34e0cbe6b8187143edd98f04268b7253

SHA256
5680784334ebc4b3772dd3db814542319489d329f71bc570a85aa214b0db7111

SHA512
520783d4c87f8c9b4b530faed8af7f76689c4f6f5b05b484e38c70cecc22d0c40d35c785d0cc0c5861afec4fb6bc86a0701505a20e98622dc5048ddbca8a6d06

Download Submit
C:\Windows\SysWOW64\Fiaeoang.exe

Filesize
1.9MB

MD5
da8770c158455e621cf01047a1721cf9

SHA1
8a02c037ab6f1d11fc0ba44fd1522c7242d20be5

SHA256
3f743c0c9c2c956e4e469c40000f2f3fe61090deb677e856e1860726122740c9

SHA512
17ebd3e3ddbeb3fc237a8e24603b2bd5c9df1fe3b5a99874c082a036cc460009e4f6f87fab65647536533224b58290bcc370eeaf9662af399af9d8ffc4f1e55d

Download Submit
C:\Windows\SysWOW64\Fmcoja32.exe

Filesize
1.9MB

MD5
5e549e0aea0b1ed4cd3eae480e29c3af

SHA1
2a689df8cbb10828f2e19440a62ecb32be506874

SHA256
c812222bb374940ad7eb0d3b5bdbe66d48fd7c125ebb70d264861a1a0a05076f

SHA512
2d0014b45205577d1152dbb996bb79072c332f43246b83fd981fc31d7f916833e67f7620aa1431334ccd6dcd4bf42a05f5e3fed7f607bcec8370d1aedb104926

Download Submit
C:\Windows\SysWOW64\Ghmiam32.exe

Filesize
1.9MB

MD5
b92d22686c5762cfcd55d2e27e90549a

SHA1
e065df3c9d01a341527c8cbc1652ff9b77a94da2

SHA256
58c40a1a140df61c5baf7239ed905be10af7a1a1b4c40483accffe382079a605

SHA512
769796cdbdd6de9510a9930cf0a5ce11898523b937b8e131e0029b5bd0bcd9bdd31f2105bc929e698c62ec69926bab801be7bf39e0e1c2290225c227f8272abe

Download Submit
C:\Windows\SysWOW64\Gogangdc.exe

Filesize
1.9MB

MD5
2abd062573da93707f2aa08f90d902b2

SHA1
2ea144f0023f20c7ed232320f9fc3d4db9fc1491

SHA256
fe18736cdddb4cbfe0f48a2c0f09dbf77897189c2a59c27dfa78ce5139ff7481

SHA512
75887d4b2ce9388020a38f8425f75cff52e2b99511198c297dab91e284fed52cbc8e4843e5486ced03ffa8a8e9ec253e3c5d42ffba5ff4657793e38b01a007ee

Download Submit
C:\Windows\SysWOW64\Gpknlk32.exe

Filesize
1.9MB

MD5
ec8f8d489d182b10cafc0db6ffac5cfa

SHA1
21940f4bd7f8f62947e1b3c719cfe8c07be7cbe4

SHA256
cdf4f68afa1bf41d9ef4ccd1c4c460d0490c367a5a0f9119f3ebe6de23ffef53

SHA512
efbfe83f4a750a5339140bebe715bed2b52a09b3d8c607ada05a2fd7f11853df3bad5d9bfd4e4e3b4c600a9fe581ecc6feb6565c65dd38f4bbd798810798254e

Download Submit
C:\Windows\SysWOW64\Hcnpbi32.exe

Filesize
1.9MB

MD5
301889d7528e27d92e42be1407eb1802

SHA1
2ef5e637d566f714b0bccfbd7a5c43ff2369b44e

SHA256
514176088f7d47e66492fc5c315685bc2ac1d46e332c371ba7e4497fdb97a8ef

SHA512
2178654831e07225df3612bc3689edb7c86c5f5bef0f10cbb4bbc6c0e671b754990efe6272bac558bdffaefd1cbf4d8e386b62b828147e13ff503872195014f1

Download Submit
C:\Windows\SysWOW64\Hjhhocjj.exe

Filesize
1.9MB

MD5
cc484d1914109f1d3986abf9c57ad05a

SHA1
5e1c2a7289409ec1b6fde7d400e107c571481fef

SHA256
f9022c8e75d5d01daa871b57227079b1dd8967f0de0d240483de43f8010545ba

SHA512
5ba184516427c49528e83031af3e16a66417e90af2c67efdc5f7e345ab6d4b3dc34acc423a55011930a0aa68d4e5641b34a8da9b8515dd775b62f29d63c9f687

Download Submit
C:\Windows\SysWOW64\Hkpnhgge.exe

Filesize
1.9MB

MD5
a6e85b8e0d62884a950b62a3c85abfd3

SHA1
d55f2a5c98eba1b3dd7dc1274fa2873ce314e2af

SHA256
50b77b8438f857ce98326ec7e2ed8820a33ef76cbbfcfbda3f8170ae052ffff5

SHA512
b6679b3ab5c38b2edb362d82d78d5f696e0729b0cb55ff3811034547a87981e5d90b5276b0f1a40b44f6978b5d325bb53e480bdc4e52001d648d0750cf8268fb

Download Submit
C:\Windows\SysWOW64\Hlcgeo32.exe

Filesize
1.9MB

MD5
c88fb5a01131179b69374643297bec0c

SHA1
a3a95e852a787264cbb15148431723b34c0a7289

SHA256
a06b74f071deee9eda87685eea1928994435bf29e55ecfcbafe72db812240193

SHA512
c3e05761682939964878899e76bbe465a491b9c6ace1c9f8dbe9631acafda0690647dbb432f715e5ebcaddbef505b4416ea06ff0d3814515bbed2cf21cf3bddd

Download Submit
C:\Windows\SysWOW64\Hlfdkoin.exe

Filesize
1.9MB

MD5
24b8fb15142b3470f484051eab32b03a

SHA1
443f8837dba66654807497dcfc088733ca875a22

SHA256
820d9d1f80dcd281ca627ecaded24dc694925f93131f96b2cd418bee6fb9b970

SHA512
8e9d5502feb66f764e57b607d29043a5d1b86d177aeb2f1140bfd075880660a6ed33d796c1fa69795257b9ae5aae9f4d7449cf2b87f723e22439451c289fbcfe

Download Submit
C:\Windows\SysWOW64\Hpkjko32.exe

Filesize
1.9MB

MD5
0ebf14a5167df8f5e92e6b1ea3afa570

SHA1
d66793f7081070b487b7ac614a6c5df59eeeb835

SHA256
92155fe93104f91084dd7faf27d9b7de906dda6c3a583b98847de6622ad6028f

SHA512
238d9b80336e639d0bf8605c4d8407ecac2c1a51c0df26c0b182818eb55917d0b6ae38e45a9b0bb072cded66356364f31d99ed24bb75bdcd3c910c5da4efbda1

Download Submit
C:\Windows\SysWOW64\Hpocfncj.exe

Filesize
1.9MB

MD5
8bf60bf30f42921453ed9e2b67368663

SHA1
d821e0a4bd57456eae872e56742355b331664d35

SHA256
9e9d1852f0032efe1fba209ef16dbb0709b9561153dd8563a222db4bbf7fd6be

SHA512
f76bb400255598ad2050486fcbdf966f320513b19f7b08f3fc096b8941628f3d82fd9822665d16d99751da2d2a22ee60ce7d4cba5df877c3863f7f1f788cef6f

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
1.9MB

MD5
343cec278c310c4b74f74338b59cc509

SHA1
a26ebfbf7638976be91cb3e588546ff9dacbc153

SHA256
a89868098ea0bc97a38b660872964713e97a1766d4238f978e762e2ab31fcfe4

SHA512
ff725261d4965a1d2778a2c7889bcdea919adede8c0d523e400323edb7e98c11403c404302cc8a3ac61782c1803b9f934d6adaacbce94723168137ca3f994d5b

Download Submit
C:\Windows\SysWOW64\Idceea32.exe

Filesize
1.9MB

MD5
87efa7822794f8eb7aa271a82ef84675

SHA1
8d36d3b921ac2ede77a3ed552fff6c85c099a435

SHA256
9352591bee88898615e8de318a8824677f0fe9756b840d00f6d53393467143c4

SHA512
56016bdf6d2001fe6d82bd11d8605adfb2547c314c40fe458421357adbb8bb94dee5b72080676eb7a432ee7c4bbcbc4c6325c9f1d4e9207a84658ea9efa68ce6

Download Submit
C:\Windows\SysWOW64\Ieqeidnl.exe

Filesize
1.9MB

MD5
4afb00b1190b0c96a8ae8afd5898934a

SHA1
4915475f6cd12a39280399b00aff94f1e07b92ed

SHA256
874861ee99cfb16bf28ecf50aa72c7716f17fe666c6cc459e4227772b7b3b52a

SHA512
3c6b16079498e4549ab480d8c07651042b92da69e26cbcb0ead545d5f5b5a7f98e90a0f261fe6df0269add4eced320ce1b6ed7c4949666203129fb968ea8f21c

Download Submit
\Windows\SysWOW64\Dgdmmgpj.exe

Filesize
1.9MB

MD5
c387e64c7f8974edd6bbe0a6df128683

SHA1
41a1474872e2658738795975ce6c38bcd571f353

SHA256
219268fd782bfcb7e6d8b58909c0e76665a18e696b29f12312b4c1c1bc35e6f3

SHA512
98d6d26e7bd074483b897c422193b8f921e6d6f38c0631a3468ded7ac2a6e48ba14ee9b72c5f8d1fd82ffdb474326e56f0c6dcf84dc01955400d4953879f23f8

Download Submit
\Windows\SysWOW64\Eihfjo32.exe

Filesize
1.9MB

MD5
2e09db57555efa70f2be78c8359c3ec0

SHA1
3fa4bf61e76827f38eab51cd32e33fb1598480f3

SHA256
e94debf30c9bd01bc81e74b09517d5eceff4645def5705305dd219de377d6957

SHA512
ed7aee269bd5d1baa95471d4fa07c5a8af87879bf5913d3c3cf9c7982b685d61b5a7f562e8923192fe1d94c1a440e5656e30d913a2cbef59c9c6a6bfe32c5ad2

Download Submit
\Windows\SysWOW64\Ejbfhfaj.exe

Filesize
1.9MB

MD5
372a9f171d847c16d61b2aa94876f56c

SHA1
7f1a01bbfae4473cb7216e929a10f950e96a8c7e

SHA256
1688e91b3ad6f6c019532e3b9ed02b5397a5a5ff186c97d695ae675bf2b3e9e6

SHA512
9b8988e04d35511e02b8dab51d2cc1a25b3f37d7cda8205638219f9d288e5f44e98edad322e7af17d497352251440ee1f046ddd700a4a655f4ed281aa3582e3a

Download Submit
\Windows\SysWOW64\Ekholjqg.exe

Filesize
1.9MB

MD5
c960fd8ef1ef879d756bd76ee7b08762

SHA1
58647ce8b37286350d3c8a945d6a725f58b534c5

SHA256
c5823f0948b623fc132ea197735922f1f729d2faa851355f39aab051d5f9dc79

SHA512
b24f29af35634fc834e945f50f1a900eb30fb15e8ce90cddc3ce7392cc214d5d2d14b7ca3dab828981c91521ddbeb621cbca255d2c141c395228470e2e172368

Download Submit
\Windows\SysWOW64\Fnbkddem.exe

Filesize
1.9MB

MD5
940fe8d37c69a0aa4ee8c96faedd23f6

SHA1
adb22cb3ab77f452720392542e099782c75281fa

SHA256
b7a8b5a17f79c4872d00ca6a377679b54d91598dc54b9e66277c939c1729d95c

SHA512
a43b27cb707c4b123ab6fd07f0caeeb4e11aa60e5626b24aca2296c9bd80b30362acb62a40ae9688c36f6c4379bd640d11d448349b0687f0d658dcc7ac82f2bb

Download Submit
memory/240-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/240-288-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/240-287-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/272-129-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/272-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/272-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/272-128-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/588-223-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/588-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/588-224-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/884-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/884-331-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/884-330-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/884-324-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/956-298-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/956-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/956-297-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/956-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/964-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/964-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1004-319-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1004-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1004-320-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1172-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1172-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1184-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1184-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1196-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1196-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1480-266-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1480-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1480-265-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1844-191-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1844-188-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1844-196-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1888-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1888-281-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1888-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1944-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1944-198-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2060-171-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2060-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2068-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2068-236-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2068-246-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2068-245-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2184-312-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2184-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2184-313-0x00000000002E0000-0x0000000000313000-memory.dmp

Filesize
204KB

Download
memory/2184-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-13-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2316-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-11-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/2384-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2384-142-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2384-130-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2384-143-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2404-44-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2404-62-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2404-63-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2404-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2428-85-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/2428-78-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-28-0x0000000001F30000-0x0000000001F63000-memory.dmp

Filesize
204KB

Download
memory/2492-14-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-27-0x0000000001F30000-0x0000000001F63000-memory.dmp

Filesize
204KB

Download
memory/2492-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2536-66-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2672-43-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/2672-30-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2672-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2672-42-0x0000000000310000-0x0000000000343000-memory.dmp

Filesize
204KB

Download
memory/2884-113-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2884-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2884-100-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-87-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads