34582114fb0f2d375ca186bfd6ee08c17de17b8bcda854a34a55f018ba1f38f1

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
05/07/2024, 03:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34582114fb0f2d375ca186bfd6ee08c17de17b8bcda854a34a55f018ba1f38f1.exe
Size

93KB
MD5

d2f515181ef790fd59c793f4f571fa10
SHA1

fdb6ed3b23955a2ec56893d583ed5a626cdd995d
SHA256

34582114fb0f2d375ca186bfd6ee08c17de17b8bcda854a34a55f018ba1f38f1
SHA512

4e32e1ee5e73149bbc08b9be6f65f61bf5c6916a4fa44ee9a95ac67753e07ab4adf469ed232f0b1ebc3112966f825c538129eaa78142aadeb82a71a915d2dbef
SSDEEP

1536:ODmM7Zq3zIqBKitDn5Z6WCMLRTHijiwg58:ODxZmIgXtDn5UnCRaY58

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 48 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	34582114fb0f2d375ca186bfd6ee08c17de17b8bcda854a34a55f018ba1f38f1.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghfbqn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hdfflm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	34582114fb0f2d375ca186bfd6ee08c17de17b8bcda854a34a55f018ba1f38f1.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gldkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Goddhg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggpimica.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gddifnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hgbebiao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ihoafpmp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ghfbqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hicodd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpmgqnfl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpocfncj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjjddchg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gldkfl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaqcoc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Geolea32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hnagjbdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Iaeiieeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gddifnbk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hgbebiao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gaqcoc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Iaeiieeb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Geolea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ggpimica.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdfflm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hggomh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlfdkoin.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Goddhg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gaemjbcg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hicodd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hjjddchg.exe

Executes dropped EXE 24 IoCs

pid	Process
2108	Ghfbqn32.exe
2676	Gieojq32.exe
2620	Gldkfl32.exe
2576	Gaqcoc32.exe
2464	Goddhg32.exe
2024	Geolea32.exe
1692	Ggpimica.exe
772	Gaemjbcg.exe
1652	Gddifnbk.exe
2336	Hgbebiao.exe
2400	Hdfflm32.exe
788	Hicodd32.exe
2208	Hpmgqnfl.exe
3052	Hggomh32.exe
2600	Hnagjbdf.exe
2144	Hpocfncj.exe
1696	Hcnpbi32.exe
1468	Hlfdkoin.exe
1836	Hcplhi32.exe
312	Hjjddchg.exe
1056	Icbimi32.exe
2288	Iaeiieeb.exe
2792	Ihoafpmp.exe
3028	Iagfoe32.exe

Loads dropped DLL 52 IoCs

pid	Process
2836	34582114fb0f2d375ca186bfd6ee08c17de17b8bcda854a34a55f018ba1f38f1.exe
2836	34582114fb0f2d375ca186bfd6ee08c17de17b8bcda854a34a55f018ba1f38f1.exe
2108	Ghfbqn32.exe
2108	Ghfbqn32.exe
2676	Gieojq32.exe
2676	Gieojq32.exe
2620	Gldkfl32.exe
2620	Gldkfl32.exe
2576	Gaqcoc32.exe
2576	Gaqcoc32.exe
2464	Goddhg32.exe
2464	Goddhg32.exe
2024	Geolea32.exe
2024	Geolea32.exe
1692	Ggpimica.exe
1692	Ggpimica.exe
772	Gaemjbcg.exe
772	Gaemjbcg.exe
1652	Gddifnbk.exe
1652	Gddifnbk.exe
2336	Hgbebiao.exe
2336	Hgbebiao.exe
2400	Hdfflm32.exe
2400	Hdfflm32.exe
788	Hicodd32.exe
788	Hicodd32.exe
2208	Hpmgqnfl.exe
2208	Hpmgqnfl.exe
3052	Hggomh32.exe
3052	Hggomh32.exe
2600	Hnagjbdf.exe
2600	Hnagjbdf.exe
2144	Hpocfncj.exe
2144	Hpocfncj.exe
1696	Hcnpbi32.exe
1696	Hcnpbi32.exe
1468	Hlfdkoin.exe
1468	Hlfdkoin.exe
1836	Hcplhi32.exe
1836	Hcplhi32.exe
312	Hjjddchg.exe
312	Hjjddchg.exe
1056	Icbimi32.exe
1056	Icbimi32.exe
2288	Iaeiieeb.exe
2288	Iaeiieeb.exe
2792	Ihoafpmp.exe
2792	Ihoafpmp.exe
596	WerFault.exe
596	WerFault.exe
596	WerFault.exe
596	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hcnpbi32.exe	Hpocfncj.exe
File opened for modification	C:\Windows\SysWOW64\Ghfbqn32.exe	34582114fb0f2d375ca186bfd6ee08c17de17b8bcda854a34a55f018ba1f38f1.exe
File created	C:\Windows\SysWOW64\Fndldonj.dll	Gldkfl32.exe
File created	C:\Windows\SysWOW64\Hgbebiao.exe	Gddifnbk.exe
File created	C:\Windows\SysWOW64\Hdfflm32.exe	Hgbebiao.exe
File created	C:\Windows\SysWOW64\Hpocfncj.exe	Hnagjbdf.exe
File created	C:\Windows\SysWOW64\Pfabenjd.dll	Gaemjbcg.exe
File opened for modification	C:\Windows\SysWOW64\Hgbebiao.exe	Gddifnbk.exe
File created	C:\Windows\SysWOW64\Hgpdcgoc.dll	Hicodd32.exe
File opened for modification	C:\Windows\SysWOW64\Hggomh32.exe	Hpmgqnfl.exe
File created	C:\Windows\SysWOW64\Enlbgc32.dll	Hggomh32.exe
File opened for modification	C:\Windows\SysWOW64\Gldkfl32.exe	Gieojq32.exe
File opened for modification	C:\Windows\SysWOW64\Gaqcoc32.exe	Gldkfl32.exe
File created	C:\Windows\SysWOW64\Qhbpij32.dll	Gaqcoc32.exe
File created	C:\Windows\SysWOW64\Ihoafpmp.exe	Iaeiieeb.exe
File created	C:\Windows\SysWOW64\Geolea32.exe	Goddhg32.exe
File created	C:\Windows\SysWOW64\Phofkg32.dll	Hgbebiao.exe
File created	C:\Windows\SysWOW64\Hkkmeglp.dll	Hdfflm32.exe
File created	C:\Windows\SysWOW64\Hggomh32.exe	Hpmgqnfl.exe
File created	C:\Windows\SysWOW64\Hlfdkoin.exe	Hcnpbi32.exe
File created	C:\Windows\SysWOW64\Amammd32.dll	Iaeiieeb.exe
File opened for modification	C:\Windows\SysWOW64\Gaemjbcg.exe	Ggpimica.exe
File created	C:\Windows\SysWOW64\Gcaciakh.dll	Ggpimica.exe
File opened for modification	C:\Windows\SysWOW64\Hdfflm32.exe	Hgbebiao.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Ghfbqn32.exe	34582114fb0f2d375ca186bfd6ee08c17de17b8bcda854a34a55f018ba1f38f1.exe
File created	C:\Windows\SysWOW64\Ggpimica.exe	Geolea32.exe
File created	C:\Windows\SysWOW64\Jjcpjl32.dll	Gddifnbk.exe
File created	C:\Windows\SysWOW64\Khejeajg.dll	Hpocfncj.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Gldkfl32.exe	Gieojq32.exe
File created	C:\Windows\SysWOW64\Pnnclg32.dll	Gieojq32.exe
File opened for modification	C:\Windows\SysWOW64\Hicodd32.exe	Hdfflm32.exe
File opened for modification	C:\Windows\SysWOW64\Icbimi32.exe	Hjjddchg.exe
File created	C:\Windows\SysWOW64\Dbnkge32.dll	Goddhg32.exe
File created	C:\Windows\SysWOW64\Gddifnbk.exe	Gaemjbcg.exe
File created	C:\Windows\SysWOW64\Bhpdae32.dll	Hpmgqnfl.exe
File created	C:\Windows\SysWOW64\Kjpfgi32.dll	34582114fb0f2d375ca186bfd6ee08c17de17b8bcda854a34a55f018ba1f38f1.exe
File created	C:\Windows\SysWOW64\Hnagjbdf.exe	Hggomh32.exe
File opened for modification	C:\Windows\SysWOW64\Hcplhi32.exe	Hlfdkoin.exe
File created	C:\Windows\SysWOW64\Hcplhi32.exe	Hlfdkoin.exe
File created	C:\Windows\SysWOW64\Ecmkgokh.dll	Hjjddchg.exe
File opened for modification	C:\Windows\SysWOW64\Ggpimica.exe	Geolea32.exe
File opened for modification	C:\Windows\SysWOW64\Hpmgqnfl.exe	Hicodd32.exe
File created	C:\Windows\SysWOW64\Hciofb32.dll	Hnagjbdf.exe
File opened for modification	C:\Windows\SysWOW64\Ihoafpmp.exe	Iaeiieeb.exe
File created	C:\Windows\SysWOW64\Lponfjoo.dll	Hlfdkoin.exe
File created	C:\Windows\SysWOW64\Mhfkbo32.dll	Hcplhi32.exe
File opened for modification	C:\Windows\SysWOW64\Iaeiieeb.exe	Icbimi32.exe
File created	C:\Windows\SysWOW64\Goddhg32.exe	Gaqcoc32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Njgcpp32.dll	Geolea32.exe
File created	C:\Windows\SysWOW64\Gaemjbcg.exe	Ggpimica.exe
File created	C:\Windows\SysWOW64\Hjjddchg.exe	Hcplhi32.exe
File opened for modification	C:\Windows\SysWOW64\Gieojq32.exe	Ghfbqn32.exe
File created	C:\Windows\SysWOW64\Lkoabpeg.dll	Ghfbqn32.exe
File created	C:\Windows\SysWOW64\Gaqcoc32.exe	Gldkfl32.exe
File opened for modification	C:\Windows\SysWOW64\Hjjddchg.exe	Hcplhi32.exe
File created	C:\Windows\SysWOW64\Iaeiieeb.exe	Icbimi32.exe
File created	C:\Windows\SysWOW64\Hpmgqnfl.exe	Hicodd32.exe
File created	C:\Windows\SysWOW64\Gmibbifn.dll	Icbimi32.exe
File opened for modification	C:\Windows\SysWOW64\Gddifnbk.exe	Gaemjbcg.exe
File created	C:\Windows\SysWOW64\Hicodd32.exe	Hdfflm32.exe
File opened for modification	C:\Windows\SysWOW64\Hnagjbdf.exe	Hggomh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
596	3028	WerFault.exe	51

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	34582114fb0f2d375ca186bfd6ee08c17de17b8bcda854a34a55f018ba1f38f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ghfbqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gddifnbk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hdfflm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpocfncj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpdcgoc.dll"	Hicodd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhpdae32.dll"	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hggomh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hnagjbdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hlfdkoin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Iaeiieeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	34582114fb0f2d375ca186bfd6ee08c17de17b8bcda854a34a55f018ba1f38f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpfgi32.dll"	34582114fb0f2d375ca186bfd6ee08c17de17b8bcda854a34a55f018ba1f38f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Geolea32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gddifnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phofkg32.dll"	Hgbebiao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gieojq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gldkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ggpimica.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hdfflm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbpij32.dll"	Gaqcoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnkge32.dll"	Goddhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hicodd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnnclg32.dll"	Gieojq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Geolea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hgbebiao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Iaeiieeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ghfbqn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Goddhg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khejeajg.dll"	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lponfjoo.dll"	Hlfdkoin.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hjjddchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gieojq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gaqcoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfabenjd.dll"	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhfkbo32.dll"	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	34582114fb0f2d375ca186bfd6ee08c17de17b8bcda854a34a55f018ba1f38f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gldkfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hgbebiao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	34582114fb0f2d375ca186bfd6ee08c17de17b8bcda854a34a55f018ba1f38f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hlfdkoin.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amammd32.dll"	Iaeiieeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjcpjl32.dll"	Gddifnbk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecmkgokh.dll"	Hjjddchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmibbifn.dll"	Icbimi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	34582114fb0f2d375ca186bfd6ee08c17de17b8bcda854a34a55f018ba1f38f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fndldonj.dll"	Gldkfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiogaqdb.dll"	Hcnpbi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njgcpp32.dll"	Geolea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gaemjbcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hggomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enlbgc32.dll"	Hggomh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hcnpbi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Icbimi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkoabpeg.dll"	Ghfbqn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 2108	2836	34582114fb0f2d375ca186bfd6ee08c17de17b8bcda854a34a55f018ba1f38f1.exe	28
PID 2836 wrote to memory of 2108	2836	34582114fb0f2d375ca186bfd6ee08c17de17b8bcda854a34a55f018ba1f38f1.exe	28
PID 2836 wrote to memory of 2108	2836	34582114fb0f2d375ca186bfd6ee08c17de17b8bcda854a34a55f018ba1f38f1.exe	28
PID 2836 wrote to memory of 2108	2836	34582114fb0f2d375ca186bfd6ee08c17de17b8bcda854a34a55f018ba1f38f1.exe	28
PID 2108 wrote to memory of 2676	2108	Ghfbqn32.exe	29
PID 2108 wrote to memory of 2676	2108	Ghfbqn32.exe	29
PID 2108 wrote to memory of 2676	2108	Ghfbqn32.exe	29
PID 2108 wrote to memory of 2676	2108	Ghfbqn32.exe	29
PID 2676 wrote to memory of 2620	2676	Gieojq32.exe	30
PID 2676 wrote to memory of 2620	2676	Gieojq32.exe	30
PID 2676 wrote to memory of 2620	2676	Gieojq32.exe	30
PID 2676 wrote to memory of 2620	2676	Gieojq32.exe	30
PID 2620 wrote to memory of 2576	2620	Gldkfl32.exe	31
PID 2620 wrote to memory of 2576	2620	Gldkfl32.exe	31
PID 2620 wrote to memory of 2576	2620	Gldkfl32.exe	31
PID 2620 wrote to memory of 2576	2620	Gldkfl32.exe	31
PID 2576 wrote to memory of 2464	2576	Gaqcoc32.exe	32
PID 2576 wrote to memory of 2464	2576	Gaqcoc32.exe	32
PID 2576 wrote to memory of 2464	2576	Gaqcoc32.exe	32
PID 2576 wrote to memory of 2464	2576	Gaqcoc32.exe	32
PID 2464 wrote to memory of 2024	2464	Goddhg32.exe	33
PID 2464 wrote to memory of 2024	2464	Goddhg32.exe	33
PID 2464 wrote to memory of 2024	2464	Goddhg32.exe	33
PID 2464 wrote to memory of 2024	2464	Goddhg32.exe	33
PID 2024 wrote to memory of 1692	2024	Geolea32.exe	34
PID 2024 wrote to memory of 1692	2024	Geolea32.exe	34
PID 2024 wrote to memory of 1692	2024	Geolea32.exe	34
PID 2024 wrote to memory of 1692	2024	Geolea32.exe	34
PID 1692 wrote to memory of 772	1692	Ggpimica.exe	35
PID 1692 wrote to memory of 772	1692	Ggpimica.exe	35
PID 1692 wrote to memory of 772	1692	Ggpimica.exe	35
PID 1692 wrote to memory of 772	1692	Ggpimica.exe	35
PID 772 wrote to memory of 1652	772	Gaemjbcg.exe	36
PID 772 wrote to memory of 1652	772	Gaemjbcg.exe	36
PID 772 wrote to memory of 1652	772	Gaemjbcg.exe	36
PID 772 wrote to memory of 1652	772	Gaemjbcg.exe	36
PID 1652 wrote to memory of 2336	1652	Gddifnbk.exe	37
PID 1652 wrote to memory of 2336	1652	Gddifnbk.exe	37
PID 1652 wrote to memory of 2336	1652	Gddifnbk.exe	37
PID 1652 wrote to memory of 2336	1652	Gddifnbk.exe	37
PID 2336 wrote to memory of 2400	2336	Hgbebiao.exe	38
PID 2336 wrote to memory of 2400	2336	Hgbebiao.exe	38
PID 2336 wrote to memory of 2400	2336	Hgbebiao.exe	38
PID 2336 wrote to memory of 2400	2336	Hgbebiao.exe	38
PID 2400 wrote to memory of 788	2400	Hdfflm32.exe	39
PID 2400 wrote to memory of 788	2400	Hdfflm32.exe	39
PID 2400 wrote to memory of 788	2400	Hdfflm32.exe	39
PID 2400 wrote to memory of 788	2400	Hdfflm32.exe	39
PID 788 wrote to memory of 2208	788	Hicodd32.exe	40
PID 788 wrote to memory of 2208	788	Hicodd32.exe	40
PID 788 wrote to memory of 2208	788	Hicodd32.exe	40
PID 788 wrote to memory of 2208	788	Hicodd32.exe	40
PID 2208 wrote to memory of 3052	2208	Hpmgqnfl.exe	41
PID 2208 wrote to memory of 3052	2208	Hpmgqnfl.exe	41
PID 2208 wrote to memory of 3052	2208	Hpmgqnfl.exe	41
PID 2208 wrote to memory of 3052	2208	Hpmgqnfl.exe	41
PID 3052 wrote to memory of 2600	3052	Hggomh32.exe	42
PID 3052 wrote to memory of 2600	3052	Hggomh32.exe	42
PID 3052 wrote to memory of 2600	3052	Hggomh32.exe	42
PID 3052 wrote to memory of 2600	3052	Hggomh32.exe	42
PID 2600 wrote to memory of 2144	2600	Hnagjbdf.exe	43
PID 2600 wrote to memory of 2144	2600	Hnagjbdf.exe	43
PID 2600 wrote to memory of 2144	2600	Hnagjbdf.exe	43
PID 2600 wrote to memory of 2144	2600	Hnagjbdf.exe	43

C:\Users\Admin\AppData\Local\Temp\34582114fb0f2d375ca186bfd6ee08c17de17b8bcda854a34a55f018ba1f38f1.exe
"C:\Users\Admin\AppData\Local\Temp\34582114fb0f2d375ca186bfd6ee08c17de17b8bcda854a34a55f018ba1f38f1.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Windows\SysWOW64\Ghfbqn32.exe
  C:\Windows\system32\Ghfbqn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Windows\SysWOW64\Gieojq32.exe
    C:\Windows\system32\Gieojq32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\SysWOW64\Gldkfl32.exe
      C:\Windows\system32\Gldkfl32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2620
    - - C:\Windows\SysWOW64\Gaqcoc32.exe
        
        C:\Windows\system32\Gaqcoc32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2576
      - C:\Windows\SysWOW64\Goddhg32.exe
        
        C:\Windows\system32\Goddhg32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\SysWOW64\Geolea32.exe
        
        C:\Windows\system32\Geolea32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Ggpimica.exe
        
        C:\Windows\system32\Ggpimica.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\Gaemjbcg.exe
        
        C:\Windows\system32\Gaemjbcg.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:772
        
        C:\Windows\SysWOW64\Gddifnbk.exe
        
        C:\Windows\system32\Gddifnbk.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\SysWOW64\Hgbebiao.exe
        
        C:\Windows\system32\Hgbebiao.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\Hdfflm32.exe
        
        C:\Windows\system32\Hdfflm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\SysWOW64\Hicodd32.exe
        
        C:\Windows\system32\Hicodd32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:788
        
        C:\Windows\SysWOW64\Hpmgqnfl.exe
        
        C:\Windows\system32\Hpmgqnfl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\Hggomh32.exe
        
        C:\Windows\system32\Hggomh32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\Hnagjbdf.exe
        
        C:\Windows\system32\Hnagjbdf.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\Hpocfncj.exe
        
        C:\Windows\system32\Hpocfncj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Hcnpbi32.exe
        
        C:\Windows\system32\Hcnpbi32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Hlfdkoin.exe
        
        C:\Windows\system32\Hlfdkoin.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\Hcplhi32.exe
        
        C:\Windows\system32\Hcplhi32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1836
        
        C:\Windows\SysWOW64\Hjjddchg.exe
        
        C:\Windows\system32\Hjjddchg.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:312
        
        C:\Windows\SysWOW64\Icbimi32.exe
        
        C:\Windows\system32\Icbimi32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\Iaeiieeb.exe
        
        C:\Windows\system32\Iaeiieeb.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Ihoafpmp.exe
        
        C:\Windows\system32\Ihoafpmp.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2792
        
        C:\Windows\SysWOW64\Iagfoe32.exe
        
        C:\Windows\system32\Iagfoe32.exe
        25⤵
        Executes dropped EXE
        
        PID:3028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 140
        26⤵
        Loads dropped DLL
        Program crash
        
        PID:596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ghfbqn32.exe

Filesize
93KB

MD5
f5cb420cc6390bfe43bce2723e98b255

SHA1
f31eafd75c6e59385e1d6c34ddbe9e8fb87ae0cd

SHA256
0cba0dd1ca8c51c08fb53be5ae0ae68a996dce9a228f23207e84ef90481a689c

SHA512
f88923d04f21077f9b864ed5cf0f206a1098bfb4a50c367aad8de6857132fd11bc62872752a3e300ae227b274cf8f9cde0f426427071ebe6e417085e58bf2c2d

Download Submit
C:\Windows\SysWOW64\Hcnpbi32.exe

Filesize
93KB

MD5
eb4b9d3078525ad3988d81e451c43063

SHA1
7575df3fc1b4905bc273edd7f9ea68ba8cd47b3e

SHA256
70d91a94b7b7bd39614aaf82be9592753ea1f2f7b07eb71e92bc5dc16c6b64b3

SHA512
b92ffeeb410b361cf91d5b00edca1bbe0c54d6e36516100c2e6d9de3170b889a0aecf15777feff9be3bac32278e83c83c8e6e9668ad1ff4fdaf93ef26beb05b3

Download Submit
C:\Windows\SysWOW64\Hcplhi32.exe

Filesize
93KB

MD5
b729eac35740c6efce21f11bf8d5219a

SHA1
73fc160714b15480b625eca11345293e0d486134

SHA256
b9dad55a050ad7d3625cd09d5efafc012ea349b1c02cb934213e178a6188ac49

SHA512
1b66abdd0ea2ad22c1cdf290ee4787daf583bdfac5d36d26a2b0affb0e422bfe19be9820087aad4dc05e2ddcb6c387cc92af4c299be31c7182aaaabe1c4a551d

Download Submit
C:\Windows\SysWOW64\Hjjddchg.exe

Filesize
93KB

MD5
3efd4f329ac509a1b5172d237d0f4eb7

SHA1
f386911c8889ca9bc63d0717730259e86754a120

SHA256
293d606823f2816f1d6022dae4fdeb78c9e90018bda43592022d3f796e1cb557

SHA512
c28f769bdb5bd1ea79ff4f2c842e8ad3f83d01c4096e7c883e7ef733dc064a36e9bcbf965785eb9d99e166285b2e56e7e7e01e16615d694dde70836fbc6a4c48

Download Submit
C:\Windows\SysWOW64\Hlfdkoin.exe

Filesize
93KB

MD5
a4837a7bd8a238cdb8e73ce6f5fe7d4f

SHA1
f264ca91f41766707b5e76ca7d7c5003f26d5ce3

SHA256
f050ec2eb3b03e30c8553a3d2404f25970eceebc1e7c5dd1e89c082f0ceb6585

SHA512
98c1d77632ef90414a7be5b8f5557ffc1c056f3ff8a1c485ab8d725045262db472ed16aa2862cde07f6d6e7571191ec745dc890d39ae837e4e3ae32908ee2b53

Download Submit
C:\Windows\SysWOW64\Hpocfncj.exe

Filesize
93KB

MD5
4b37b5abb33bcff0440bfafc16f9c377

SHA1
639e8e51a570ec5b6a64530661d871fea41fc125

SHA256
9505bf00fa83fdb8255d2af54784b5708dbd81ee981fa4ef6fae55516156176c

SHA512
2715c243f3031270e40c198146631596d113b8d57567729e1e1b1b1f0fd5bd8c7276f69185c0b8433d99557753bf14d07d317c5bfb6542e5adb7e0197e475962

Download Submit
C:\Windows\SysWOW64\Iaeiieeb.exe

Filesize
93KB

MD5
f8f5842aed587ed1ff6ede21a78c8e22

SHA1
a172f6e22d278040bd04460c86dbd799277f99c8

SHA256
8d4e41556ea55180df8d73157e5117ab60603f5680ca16e44b02d597d360493f

SHA512
70afa3b8efb32b2b0cb09726546105aa278c8559d61e864d21aa550a0e528e89f05257e0e21b41a90866638932aa314a942f875dcd934fda4cd3e77b120c487e

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe

Filesize
93KB

MD5
2a4cc5f59b9b8387da878cc0bd593221

SHA1
fc68af12c8a31c2f880bd922fed722ee821666c2

SHA256
fa5c0a4a4ac65a5094fdce3fbed53fd340f412ab4fc6f223e5c7938f9be14e27

SHA512
40da7b0204a3d7c0159edb45e6c08f580c8559ec300c1bf12b83c4a7acbaf739abd959b34d23e4e96758b11cd61f08565987148e181ce12352547bacce746912

Download Submit
C:\Windows\SysWOW64\Icbimi32.exe

Filesize
93KB

MD5
c4eb7cd7ef50c3e8a3469cad56498927

SHA1
4533c776b6e08747ba6efc2e13d12247e67c5e86

SHA256
14d5014edffd81b260627735aae1e81a3fa1f0ee4bc6918afb159ba602dc1a14

SHA512
ad31b15775f37a40e74109f3d862901b869de8113df727d94bf1c2185508768d7f8fb6bb1c2380da2a33ac931da98949022ece2610fbc6b8d4d0280c403a60ad

Download Submit
C:\Windows\SysWOW64\Ihoafpmp.exe

Filesize
93KB

MD5
3c27cb1a979e4857c50e111f5c2349ab

SHA1
61f9bb942bdab66ef62ea78c713c556840d699ce

SHA256
7ba9e0eb696d86fd786286a38cd329d9a5a75b4557c8ea8a37b75288f2695c73

SHA512
df956a53aa140d446b4aeeabe0611c1a90fd07d9d8534b4bfdd3ace4bf3894fe8afe66f92d366386e4195f557cd16acb733c1b69d722c2db83e4c62f7a8b03f0

Download Submit
C:\Windows\SysWOW64\Qhbpij32.dll

Filesize
7KB

MD5
5a486ec41ed935d0e4b4d0ed567fa9fd

SHA1
7b69f7926d15c2831e58acad67ed465d324b61d2

SHA256
774197d7ffbb54173811666755481ba2f1d1dd091206b7b671876fae918803c9

SHA512
ab09d79e72b2fa79e037ccbb17bc3230b2913163be45449a4e94dc39d422e6b092656ee81872e56bdbc528365a313622406049ad2ab5af3975a889264c04142f

Download Submit
\Windows\SysWOW64\Gaemjbcg.exe

Filesize
93KB

MD5
f60e725beffa1a823b8f01aa56731234

SHA1
87572a158f65bf98447ccb95ca01fd8e1c9eafd9

SHA256
81bb2c6831c34039be876c4ab1c078d8fb1b07da7a785290bcf4aeb854e66823

SHA512
e1e3ccd6c4bfb1b4569a4ed5e562e2e568e531662a096e1c6e054355192cd13daec657290eac6840d06425b620e9c50eecfc242878bca9a20662f6a987b3c5a3

Download Submit
\Windows\SysWOW64\Gaqcoc32.exe

Filesize
93KB

MD5
916a546da0e1f77ec6e5474e6b1132e9

SHA1
1d9e2b695e4b382e558635d73b6896ee2a709dcb

SHA256
e72cbb4dbc5fec5b06dc6c6d8b3a5da87d864c1f2e4d05a17923dc9f41f9b520

SHA512
d233de2ca5962689e1598f5b910c95d79defcd9ae322ed8500604f4c9324120a7ee45f6c6bab20b6a4568563f6284905fb4699f33ff9f41334ef4edf8189fe3c

Download Submit
\Windows\SysWOW64\Gddifnbk.exe

Filesize
93KB

MD5
6acc044c7db91dae3a1f64a1b14f91f1

SHA1
5d7eb24388f0721bc912b720621812f851da109f

SHA256
79ce0e504bb4b13dfe7698f8dc3d083fa118cfa5e354c648eeb8a85b32a27c5d

SHA512
dc89896816ae07bacc38fb275df28a9eb06b2c465320fdb642bc8c880cd5613d30839c3751368b5c453f4fa2b7b9c2aa7bdef58799fc47a478fb94093376374a

Download Submit
\Windows\SysWOW64\Geolea32.exe

Filesize
93KB

MD5
1a0dac304cff724f8ea3e82705a9b813

SHA1
76375d30e658ae2d7ab6c2de593dbc8a66fdd58a

SHA256
4957f6d49db658ca63e2439abcbc63129f8623f04aec2f6f312cebb37f6b422d

SHA512
35613c479bb5272eae5487123792f610403f714f87e38658946932285fc32727968211ff1a4e8977477c8f4c7d981834c39ad6c1723aac034fd1add6ae75f1a4

Download Submit
\Windows\SysWOW64\Ggpimica.exe

Filesize
93KB

MD5
64730ffa5d3d803ca3ceee624d209f5a

SHA1
f4d826295a3eb260f94dc181ea5c8b62d514398b

SHA256
13c96efa48cd2f2a01b7bfb31a1464affba589fc3de310a7653242646a0f57a4

SHA512
46219868f8438bf22d39bca71ba3af6ecba538e6be59b398da7d25d567575cb9ffe5b54b1b667dea0274d69edbc48ff18a882b5a26e1cb5dcedab06e17056aa2

Download Submit
\Windows\SysWOW64\Gieojq32.exe

Filesize
93KB

MD5
e48250ac693adad717f0304f3b065c91

SHA1
01a682c5fa267b5ce647b3183ada7639b6b5b228

SHA256
69e18126e6f16d9d712001caa7aa2e219838b66ae764e3883f0c977af92a8575

SHA512
79275340114f913503813ed1b9a80d3917d9b64a763d47728ce9d3979ff99c4b4ab65202a0d2ca222e75135d0b2f563bf83183b90cedeacd3fc3e9bbfc0b7c52

Download Submit
\Windows\SysWOW64\Gldkfl32.exe

Filesize
93KB

MD5
31c4c19352120055ff87a690422aeab1

SHA1
41b5a298bb6b3a9241d70f59ce08ee0784676f4e

SHA256
79adab3d1a0724761c60378b1fb80578013b80684cbcce53ca8e30e1c6f93725

SHA512
32b75f59c2506a7430185f41b279167aaccd0c7deac414a2b86c876973f9b565fabb05e6a355435ce3673c40a11286508956e0ea544fd0718f3a326c4bb687cc

Download Submit
\Windows\SysWOW64\Goddhg32.exe

Filesize
93KB

MD5
bdcf50cbeaa86b3767e47c23889db219

SHA1
fe15a3e3bf195ad511e064c75de7cb9ba3a722f7

SHA256
fd399454a9f1141f188b8d9b7259222ebd41ca44746ac6ec19ced4a11c09d6f5

SHA512
90f3b1fc754059e636f6db1b14bad60169cca1bc64220014a3cc17a48c2ccad36ca73f73092055997a7a3d13e593ec7bc093628890ef4deb2ffdeed204385803

Download Submit
\Windows\SysWOW64\Hdfflm32.exe

Filesize
93KB

MD5
f8e4de02408850e03f233a92eea90fe6

SHA1
b7f563e1919f0153fbf78ab96f6985e285b6b1a1

SHA256
50d87c8761bb9dcb6456b137752df99f225baf922a4e10f454889855ff3a0efa

SHA512
581534e2f72e2f38d1392377b25d1f735b7115bd9955d1ce09e05892a151bef5c3146cd3aebf117ab4f71173d0d0616e2b4bc606ab99e0b10624b40865f083a6

Download Submit
\Windows\SysWOW64\Hgbebiao.exe

Filesize
93KB

MD5
48aa2e73c3610334528531079158eb36

SHA1
9a36773edc9734738c743789b94d2796697e1473

SHA256
91fa1c6994183f36ae9c01ae011c369669f45efcb5512e252e1e53c00fc57abc

SHA512
8e170e793b6a6674d1164d8a0fb0aec02f370bff416174cf842e6b5602352b14bcd38e0d68a88945cc38feb2ce5c4bd94512219b9b4339367961f97c2c8cbdfc

Download Submit
\Windows\SysWOW64\Hggomh32.exe

Filesize
93KB

MD5
72ce1c0981d0416829c21545907d405f

SHA1
de2945c42c6aebb78e381738a847c2dac375b366

SHA256
8fc7207e765bb699305a667424c3bb3a1da4466bc2dff4dc6e7fa21d8bd36b0d

SHA512
84bce8bd0a6aea7cd435c6823760d4d4b31b074daf4ad6fdcc338394961888d96fd6717f717bfed56bfe2d4ea9d4f32e3ed0ca6e576695a02a4326b983fb306a

Download Submit
\Windows\SysWOW64\Hicodd32.exe

Filesize
93KB

MD5
4752d656a46ca011245f527d66e1caf8

SHA1
35a9f33e6ed74ae2b99a9f40e38f8ffeb4a24b4f

SHA256
61cbb46233d17335866287ae12c31000926f60c62c28519528c52eaabdf9723d

SHA512
f2d2deff391a72337cb6e44d30ddf5fa8b08e4100cf5d72888c61097ed3681ac31b2012b3ddf46e91b998db67627131c9bbc92d1159d4dd673615c1e7c20fb71

Download Submit
\Windows\SysWOW64\Hnagjbdf.exe

Filesize
93KB

MD5
9776024c763564258e4e29c58546eea3

SHA1
53c3ebbba314ba5c03fd31d19e3726b4082fb805

SHA256
3361bacb836fb8afdf85638dbfd82d24dac3b021fd2a3a2d5e609c2960543123

SHA512
45126681cf4a94bcb9628e53690aec157a20a91ec8d4c2d44a678c89307f1260e7d30bac266837c0521ab465d2c8c6887cfb734e60726357a89c6318bdc9c0ed

Download Submit
\Windows\SysWOW64\Hpmgqnfl.exe

Filesize
93KB

MD5
ed7f5c78b387f6f72732f2e00a96cdc9

SHA1
f791eca37f136a3ecb67bad9733637f1f3390ff7

SHA256
d9db72caba28a2850039f20c07f65dd7a320173edeaee9e3ecdc46e8c06de23f

SHA512
a564de124719fa3c1499ac2762ab64ab9f0d7fc687c0fcff0c8de5c1ec66f6f08abed1762c43cd66fa373c3ca68fc4d04561feeaf9feb8ddd04d4574e79f2e7f

Download Submit
memory/312-265-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/312-317-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/312-256-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/312-266-0x0000000000260000-0x000000000029F000-memory.dmp

Filesize
252KB

Download
memory/772-306-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/772-107-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/788-310-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/788-161-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/788-169-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1056-273-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1056-267-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1056-318-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1468-246-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1468-236-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1468-242-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/1468-315-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1652-307-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1652-121-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1652-132-0x00000000002F0000-0x000000000032F000-memory.dmp

Filesize
252KB

Download
memory/1692-305-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1692-95-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1696-314-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1696-235-0x00000000002C0000-0x00000000002FF000-memory.dmp

Filesize
252KB

Download
memory/1696-234-0x00000000002C0000-0x00000000002FF000-memory.dmp

Filesize
252KB

Download
memory/1696-225-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1836-247-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1836-316-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2024-81-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2024-304-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2108-25-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2108-300-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2144-313-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2144-215-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2208-311-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2208-180-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2288-283-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/2288-287-0x0000000000440000-0x000000000047F000-memory.dmp

Filesize
252KB

Download
memory/2288-277-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2288-319-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2336-308-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2336-134-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2400-160-0x00000000002D0000-0x000000000030F000-memory.dmp

Filesize
252KB

Download
memory/2400-147-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2400-309-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2464-303-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2464-68-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2576-302-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2576-54-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2576-67-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2600-201-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2600-214-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2600-312-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2620-301-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2620-48-0x0000000000250000-0x000000000028F000-memory.dmp

Filesize
252KB

Download
memory/2676-40-0x00000000005E0000-0x000000000061F000-memory.dmp

Filesize
252KB

Download
memory/2676-32-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2792-288-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2792-297-0x0000000000280000-0x00000000002BF000-memory.dmp

Filesize
252KB

Download
memory/2792-320-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2836-299-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2836-12-0x00000000002C0000-0x00000000002FF000-memory.dmp

Filesize
252KB

Download
memory/2836-11-0x00000000002C0000-0x00000000002FF000-memory.dmp

Filesize
252KB

Download
memory/2836-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3028-298-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3052-193-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads