55abc486f4e6eec1bbfedd74d68eb03c74d9fad83055559c240c2ba21bf2eec2

Analysis

max time kernel
111s
max time network
18s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22/07/2024, 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa464412bdb7706f84da2e3e66383840N.exe
Size

96KB
MD5

aa464412bdb7706f84da2e3e66383840
SHA1

ef67c3a234f0da436d11e082ea1dbb6ea25e77a0
SHA256

55abc486f4e6eec1bbfedd74d68eb03c74d9fad83055559c240c2ba21bf2eec2
SHA512

d088705758033c7569ee74e1c44529dfa8fe25c749bee68d90093f513be773be356dbde8771933a990914f741a76331b88f18360bf1079629b577058480c24cc
SSDEEP

1536:zmRhYGt1ZmB3beXYk+0Ps69mVw62LuH7RZObZUUWaegPYA:qf1tKB3CokFswmMuHClUUWae

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfffnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Efaibbij.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eojnkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egjpkffe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Efaibbij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdlgpgef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfamcogo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ednpej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqijej32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cldooj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddgjdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebodiofk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdlgpgef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egafleqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enhacojl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfamcogo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqijej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccngld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekhhadmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egafleqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhdcji32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egjpkffe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	aa464412bdb7706f84da2e3e66383840N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckccgane.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cldooj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfmdho32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djklnnaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhpiojfb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlkepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfffnn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqpgol32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emieil32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Edpmjj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccngld32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfmdho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emieil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eojnkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqpgol32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebodiofk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Effcma32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckccgane.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dolnad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dolnad32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ednpej32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	aa464412bdb7706f84da2e3e66383840N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djklnnaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlkepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddgjdk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhdcji32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekhhadmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Edpmjj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Effcma32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhpiojfb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enhacojl.exe

Executes dropped EXE 27 IoCs

pid	Process
2796	Ckccgane.exe
2812	Cldooj32.exe
2760	Cdlgpgef.exe
2792	Ccngld32.exe
1708	Dfmdho32.exe
1440	Djklnnaj.exe
1472	Dfamcogo.exe
3052	Dhpiojfb.exe
1800	Dlkepi32.exe
1824	Ddgjdk32.exe
884	Dolnad32.exe
2764	Dfffnn32.exe
1908	Dhdcji32.exe
3020	Eqpgol32.exe
1780	Egjpkffe.exe
1148	Ebodiofk.exe
1528	Ednpej32.exe
1616	Ekhhadmk.exe
1408	Emieil32.exe
636	Edpmjj32.exe
2140	Efaibbij.exe
1816	Enhacojl.exe
988	Eojnkg32.exe
2380	Egafleqm.exe
2784	Eqijej32.exe
2620	Effcma32.exe
3000	Fkckeh32.exe

Loads dropped DLL 58 IoCs

pid	Process
2332	aa464412bdb7706f84da2e3e66383840N.exe
2332	aa464412bdb7706f84da2e3e66383840N.exe
2796	Ckccgane.exe
2796	Ckccgane.exe
2812	Cldooj32.exe
2812	Cldooj32.exe
2760	Cdlgpgef.exe
2760	Cdlgpgef.exe
2792	Ccngld32.exe
2792	Ccngld32.exe
1708	Dfmdho32.exe
1708	Dfmdho32.exe
1440	Djklnnaj.exe
1440	Djklnnaj.exe
1472	Dfamcogo.exe
1472	Dfamcogo.exe
3052	Dhpiojfb.exe
3052	Dhpiojfb.exe
1800	Dlkepi32.exe
1800	Dlkepi32.exe
1824	Ddgjdk32.exe
1824	Ddgjdk32.exe
884	Dolnad32.exe
884	Dolnad32.exe
2764	Dfffnn32.exe
2764	Dfffnn32.exe
1908	Dhdcji32.exe
1908	Dhdcji32.exe
3020	Eqpgol32.exe
3020	Eqpgol32.exe
1780	Egjpkffe.exe
1780	Egjpkffe.exe
1148	Ebodiofk.exe
1148	Ebodiofk.exe
1528	Ednpej32.exe
1528	Ednpej32.exe
1616	Ekhhadmk.exe
1616	Ekhhadmk.exe
1408	Emieil32.exe
1408	Emieil32.exe
636	Edpmjj32.exe
636	Edpmjj32.exe
2140	Efaibbij.exe
2140	Efaibbij.exe
1816	Enhacojl.exe
1816	Enhacojl.exe
988	Eojnkg32.exe
988	Eojnkg32.exe
2380	Egafleqm.exe
2380	Egafleqm.exe
2784	Eqijej32.exe
2784	Eqijej32.exe
2620	Effcma32.exe
2620	Effcma32.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Egafleqm.exe	Eojnkg32.exe
File opened for modification	C:\Windows\SysWOW64\Eqijej32.exe	Egafleqm.exe
File opened for modification	C:\Windows\SysWOW64\Fkckeh32.exe	Effcma32.exe
File created	C:\Windows\SysWOW64\Njmggi32.dll	Egjpkffe.exe
File created	C:\Windows\SysWOW64\Edpmjj32.exe	Emieil32.exe
File created	C:\Windows\SysWOW64\Egjpkffe.exe	Eqpgol32.exe
File created	C:\Windows\SysWOW64\Ebodiofk.exe	Egjpkffe.exe
File created	C:\Windows\SysWOW64\Aphdelhp.dll	Ekhhadmk.exe
File created	C:\Windows\SysWOW64\Efaibbij.exe	Edpmjj32.exe
File created	C:\Windows\SysWOW64\Eojnkg32.exe	Enhacojl.exe
File created	C:\Windows\SysWOW64\Pgicjg32.dll	Eojnkg32.exe
File created	C:\Windows\SysWOW64\Dlkepi32.exe	Dhpiojfb.exe
File created	C:\Windows\SysWOW64\Focnmm32.dll	Dolnad32.exe
File opened for modification	C:\Windows\SysWOW64\Dhpiojfb.exe	Dfamcogo.exe
File opened for modification	C:\Windows\SysWOW64\Dfffnn32.exe	Dolnad32.exe
File opened for modification	C:\Windows\SysWOW64\Djklnnaj.exe	Dfmdho32.exe
File opened for modification	C:\Windows\SysWOW64\Ccngld32.exe	Cdlgpgef.exe
File opened for modification	C:\Windows\SysWOW64\Ddgjdk32.exe	Dlkepi32.exe
File created	C:\Windows\SysWOW64\Dfffnn32.exe	Dolnad32.exe
File opened for modification	C:\Windows\SysWOW64\Dhdcji32.exe	Dfffnn32.exe
File created	C:\Windows\SysWOW64\Lkmkpl32.dll	Enhacojl.exe
File created	C:\Windows\SysWOW64\Klmkof32.dll	Egafleqm.exe
File opened for modification	C:\Windows\SysWOW64\Ckccgane.exe	aa464412bdb7706f84da2e3e66383840N.exe
File created	C:\Windows\SysWOW64\Ccngld32.exe	Cdlgpgef.exe
File created	C:\Windows\SysWOW64\Effcma32.exe	Eqijej32.exe
File opened for modification	C:\Windows\SysWOW64\Emieil32.exe	Ekhhadmk.exe
File created	C:\Windows\SysWOW64\Lbadbn32.dll	Edpmjj32.exe
File created	C:\Windows\SysWOW64\Fkckeh32.exe	Effcma32.exe
File opened for modification	C:\Windows\SysWOW64\Cldooj32.exe	Ckccgane.exe
File created	C:\Windows\SysWOW64\Oehfcmhd.dll	Ckccgane.exe
File created	C:\Windows\SysWOW64\Hhijaf32.dll	Dhdcji32.exe
File opened for modification	C:\Windows\SysWOW64\Egjpkffe.exe	Eqpgol32.exe
File opened for modification	C:\Windows\SysWOW64\Efaibbij.exe	Edpmjj32.exe
File created	C:\Windows\SysWOW64\Egafleqm.exe	Eojnkg32.exe
File created	C:\Windows\SysWOW64\Eaklqfem.dll	Dfamcogo.exe
File created	C:\Windows\SysWOW64\Ddgjdk32.exe	Dlkepi32.exe
File created	C:\Windows\SysWOW64\Dfamcogo.exe	Djklnnaj.exe
File opened for modification	C:\Windows\SysWOW64\Dolnad32.exe	Ddgjdk32.exe
File created	C:\Windows\SysWOW64\Dlkaflan.dll	Dfmdho32.exe
File created	C:\Windows\SysWOW64\Dhpiojfb.exe	Dfamcogo.exe
File created	C:\Windows\SysWOW64\Pmdgmd32.dll	Emieil32.exe
File created	C:\Windows\SysWOW64\Loinmo32.dll	Cldooj32.exe
File created	C:\Windows\SysWOW64\Fogilika.dll	Ccngld32.exe
File created	C:\Windows\SysWOW64\Cldooj32.exe	Ckccgane.exe
File created	C:\Windows\SysWOW64\Akigbbni.dll	Cdlgpgef.exe
File created	C:\Windows\SysWOW64\Kncphpjl.dll	Dfffnn32.exe
File created	C:\Windows\SysWOW64\Ednpej32.exe	Ebodiofk.exe
File created	C:\Windows\SysWOW64\Ckccgane.exe	aa464412bdb7706f84da2e3e66383840N.exe
File created	C:\Windows\SysWOW64\Dglpkenb.dll	aa464412bdb7706f84da2e3e66383840N.exe
File opened for modification	C:\Windows\SysWOW64\Dfamcogo.exe	Djklnnaj.exe
File created	C:\Windows\SysWOW64\Ajfaqa32.dll	Dhpiojfb.exe
File created	C:\Windows\SysWOW64\Djklnnaj.exe	Dfmdho32.exe
File created	C:\Windows\SysWOW64\Blopagpd.dll	Djklnnaj.exe
File opened for modification	C:\Windows\SysWOW64\Ekhhadmk.exe	Ednpej32.exe
File created	C:\Windows\SysWOW64\Emieil32.exe	Ekhhadmk.exe
File created	C:\Windows\SysWOW64\Ampehe32.dll	Efaibbij.exe
File opened for modification	C:\Windows\SysWOW64\Effcma32.exe	Eqijej32.exe
File created	C:\Windows\SysWOW64\Cdlgpgef.exe	Cldooj32.exe
File opened for modification	C:\Windows\SysWOW64\Cdlgpgef.exe	Cldooj32.exe
File created	C:\Windows\SysWOW64\Ekhhadmk.exe	Ednpej32.exe
File created	C:\Windows\SysWOW64\Enhacojl.exe	Efaibbij.exe
File created	C:\Windows\SysWOW64\Affcmdmb.dll	Eqijej32.exe
File opened for modification	C:\Windows\SysWOW64\Ebodiofk.exe	Egjpkffe.exe
File opened for modification	C:\Windows\SysWOW64\Ednpej32.exe	Ebodiofk.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2652	3000	WerFault.exe	56

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgicjg32.dll"	Eojnkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Egafleqm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cldooj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ccngld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlkaflan.dll"	Dfmdho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfffnn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	aa464412bdb7706f84da2e3e66383840N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	aa464412bdb7706f84da2e3e66383840N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfidj32.dll"	Ednpej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ampehe32.dll"	Efaibbij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dolnad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kncphpjl.dll"	Dfffnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aphdelhp.dll"	Ekhhadmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enhacojl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpbbfi32.dll"	Ebodiofk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ednpej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekhhadmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckccgane.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djklnnaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmdgmd32.dll"	Emieil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkmkpl32.dll"	Enhacojl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eojnkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqijej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Affcmdmb.dll"	Eqijej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blopagpd.dll"	Djklnnaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ednpej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfffnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkphdmd.dll"	Eqpgol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Effcma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oehfcmhd.dll"	Ckccgane.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loinmo32.dll"	Cldooj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddgjdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhijaf32.dll"	Dhdcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Egjpkffe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebodiofk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egafleqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klmkof32.dll"	Egafleqm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	aa464412bdb7706f84da2e3e66383840N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdlgpgef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dolnad32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkmne32.dll"	Effcma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhpiojfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Galmmc32.dll"	Ddgjdk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Focnmm32.dll"	Dolnad32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egjpkffe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckccgane.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djklnnaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akigbbni.dll"	Cdlgpgef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogilika.dll"	Ccngld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfmdho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfmdho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfamcogo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfamcogo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cldooj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdlgpgef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqpgol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Efaibbij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddgjdk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhdcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dlkepi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhdcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaklqfem.dll"	Dfamcogo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajfaqa32.dll"	Dhpiojfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Effcma32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2796	2332	aa464412bdb7706f84da2e3e66383840N.exe	30
PID 2332 wrote to memory of 2796	2332	aa464412bdb7706f84da2e3e66383840N.exe	30
PID 2332 wrote to memory of 2796	2332	aa464412bdb7706f84da2e3e66383840N.exe	30
PID 2332 wrote to memory of 2796	2332	aa464412bdb7706f84da2e3e66383840N.exe	30
PID 2796 wrote to memory of 2812	2796	Ckccgane.exe	31
PID 2796 wrote to memory of 2812	2796	Ckccgane.exe	31
PID 2796 wrote to memory of 2812	2796	Ckccgane.exe	31
PID 2796 wrote to memory of 2812	2796	Ckccgane.exe	31
PID 2812 wrote to memory of 2760	2812	Cldooj32.exe	32
PID 2812 wrote to memory of 2760	2812	Cldooj32.exe	32
PID 2812 wrote to memory of 2760	2812	Cldooj32.exe	32
PID 2812 wrote to memory of 2760	2812	Cldooj32.exe	32
PID 2760 wrote to memory of 2792	2760	Cdlgpgef.exe	33
PID 2760 wrote to memory of 2792	2760	Cdlgpgef.exe	33
PID 2760 wrote to memory of 2792	2760	Cdlgpgef.exe	33
PID 2760 wrote to memory of 2792	2760	Cdlgpgef.exe	33
PID 2792 wrote to memory of 1708	2792	Ccngld32.exe	34
PID 2792 wrote to memory of 1708	2792	Ccngld32.exe	34
PID 2792 wrote to memory of 1708	2792	Ccngld32.exe	34
PID 2792 wrote to memory of 1708	2792	Ccngld32.exe	34
PID 1708 wrote to memory of 1440	1708	Dfmdho32.exe	35
PID 1708 wrote to memory of 1440	1708	Dfmdho32.exe	35
PID 1708 wrote to memory of 1440	1708	Dfmdho32.exe	35
PID 1708 wrote to memory of 1440	1708	Dfmdho32.exe	35
PID 1440 wrote to memory of 1472	1440	Djklnnaj.exe	36
PID 1440 wrote to memory of 1472	1440	Djklnnaj.exe	36
PID 1440 wrote to memory of 1472	1440	Djklnnaj.exe	36
PID 1440 wrote to memory of 1472	1440	Djklnnaj.exe	36
PID 1472 wrote to memory of 3052	1472	Dfamcogo.exe	37
PID 1472 wrote to memory of 3052	1472	Dfamcogo.exe	37
PID 1472 wrote to memory of 3052	1472	Dfamcogo.exe	37
PID 1472 wrote to memory of 3052	1472	Dfamcogo.exe	37
PID 3052 wrote to memory of 1800	3052	Dhpiojfb.exe	38
PID 3052 wrote to memory of 1800	3052	Dhpiojfb.exe	38
PID 3052 wrote to memory of 1800	3052	Dhpiojfb.exe	38
PID 3052 wrote to memory of 1800	3052	Dhpiojfb.exe	38
PID 1800 wrote to memory of 1824	1800	Dlkepi32.exe	39
PID 1800 wrote to memory of 1824	1800	Dlkepi32.exe	39
PID 1800 wrote to memory of 1824	1800	Dlkepi32.exe	39
PID 1800 wrote to memory of 1824	1800	Dlkepi32.exe	39
PID 1824 wrote to memory of 884	1824	Ddgjdk32.exe	40
PID 1824 wrote to memory of 884	1824	Ddgjdk32.exe	40
PID 1824 wrote to memory of 884	1824	Ddgjdk32.exe	40
PID 1824 wrote to memory of 884	1824	Ddgjdk32.exe	40
PID 884 wrote to memory of 2764	884	Dolnad32.exe	41
PID 884 wrote to memory of 2764	884	Dolnad32.exe	41
PID 884 wrote to memory of 2764	884	Dolnad32.exe	41
PID 884 wrote to memory of 2764	884	Dolnad32.exe	41
PID 2764 wrote to memory of 1908	2764	Dfffnn32.exe	42
PID 2764 wrote to memory of 1908	2764	Dfffnn32.exe	42
PID 2764 wrote to memory of 1908	2764	Dfffnn32.exe	42
PID 2764 wrote to memory of 1908	2764	Dfffnn32.exe	42
PID 1908 wrote to memory of 3020	1908	Dhdcji32.exe	43
PID 1908 wrote to memory of 3020	1908	Dhdcji32.exe	43
PID 1908 wrote to memory of 3020	1908	Dhdcji32.exe	43
PID 1908 wrote to memory of 3020	1908	Dhdcji32.exe	43
PID 3020 wrote to memory of 1780	3020	Eqpgol32.exe	44
PID 3020 wrote to memory of 1780	3020	Eqpgol32.exe	44
PID 3020 wrote to memory of 1780	3020	Eqpgol32.exe	44
PID 3020 wrote to memory of 1780	3020	Eqpgol32.exe	44
PID 1780 wrote to memory of 1148	1780	Egjpkffe.exe	45
PID 1780 wrote to memory of 1148	1780	Egjpkffe.exe	45
PID 1780 wrote to memory of 1148	1780	Egjpkffe.exe	45
PID 1780 wrote to memory of 1148	1780	Egjpkffe.exe	45

C:\Users\Admin\AppData\Local\Temp\aa464412bdb7706f84da2e3e66383840N.exe
"C:\Users\Admin\AppData\Local\Temp\aa464412bdb7706f84da2e3e66383840N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\SysWOW64\Ckccgane.exe
  C:\Windows\system32\Ckccgane.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\Cldooj32.exe
    C:\Windows\system32\Cldooj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\SysWOW64\Cdlgpgef.exe
      C:\Windows\system32\Cdlgpgef.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\SysWOW64\Ccngld32.exe
        
        C:\Windows\system32\Ccngld32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2792
      - C:\Windows\SysWOW64\Dfmdho32.exe
        
        C:\Windows\system32\Dfmdho32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Djklnnaj.exe
        
        C:\Windows\system32\Djklnnaj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\SysWOW64\Dfamcogo.exe
        
        C:\Windows\system32\Dfamcogo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\Dhpiojfb.exe
        
        C:\Windows\system32\Dhpiojfb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3052
        
        C:\Windows\SysWOW64\Dlkepi32.exe
        
        C:\Windows\system32\Dlkepi32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\SysWOW64\Ddgjdk32.exe
        
        C:\Windows\system32\Ddgjdk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\Dolnad32.exe
        
        C:\Windows\system32\Dolnad32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\SysWOW64\Dfffnn32.exe
        
        C:\Windows\system32\Dfffnn32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\Dhdcji32.exe
        
        C:\Windows\system32\Dhdcji32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\Eqpgol32.exe
        
        C:\Windows\system32\Eqpgol32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Egjpkffe.exe
        
        C:\Windows\system32\Egjpkffe.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\SysWOW64\Ebodiofk.exe
        
        C:\Windows\system32\Ebodiofk.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1148
        
        C:\Windows\SysWOW64\Ednpej32.exe
        
        C:\Windows\system32\Ednpej32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Ekhhadmk.exe
        
        C:\Windows\system32\Ekhhadmk.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Emieil32.exe
        
        C:\Windows\system32\Emieil32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1408
        
        C:\Windows\SysWOW64\Edpmjj32.exe
        
        C:\Windows\system32\Edpmjj32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:636
        
        C:\Windows\SysWOW64\Efaibbij.exe
        
        C:\Windows\system32\Efaibbij.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Enhacojl.exe
        
        C:\Windows\system32\Enhacojl.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1816
        
        C:\Windows\SysWOW64\Eojnkg32.exe
        
        C:\Windows\system32\Eojnkg32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:988
        
        C:\Windows\SysWOW64\Egafleqm.exe
        
        C:\Windows\system32\Egafleqm.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Eqijej32.exe
        
        C:\Windows\system32\Eqijej32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\Effcma32.exe
        
        C:\Windows\system32\Effcma32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\Fkckeh32.exe
        
        C:\Windows\system32\Fkckeh32.exe
        28⤵
        Executes dropped EXE
        
        PID:3000
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 140
        29⤵
        Loads dropped DLL
        Program crash
        
        PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ccngld32.exe

Filesize
96KB

MD5
2ccc75d6ed872a66496195f1422ca3b8

SHA1
6ce656227d6495914efaaae5adaeb6cc00c5bec0

SHA256
2b46ddf8544303668775cbf4ac08fbfd3fbd6864bafb9f26e6332db8a40f6e78

SHA512
430cc22f94b167b0cdbf4755c0146103a3d513914608b94396b48b49703e4f2aa4b9bdc59cf0cd3c1547277e5ccc885bb313da1dd098e63f4ff352cd49261774

Download Submit
C:\Windows\SysWOW64\Ckccgane.exe

Filesize
96KB

MD5
a9880d4a8678aa9201dc8b5cd404d046

SHA1
f084c2fc324cd5ad0cf9e19176290d6541bdb062

SHA256
734ee63e8a7fcaac0f67b4b580a5c33e98c26817ecaa5c93715e9741b4c3eda2

SHA512
627f4bf1d4e161e70b757bd89ee4b0ed58b267335a593ee263cfc5f94ea0b851cc3eff08471312503355d58c69b956c8e2b96e394265a39d5a6c4a77a57e0098

Download Submit
C:\Windows\SysWOW64\Ednpej32.exe

Filesize
96KB

MD5
fa3f2bbfd8bf7d3bf33b2170810f7c99

SHA1
f1e53296c8aaaf1940641aca7408071c8ebd8696

SHA256
69932987253a3915f905c860dc360e7f8bf6064945625c65eef265b44f26c8ab

SHA512
6c34c96845612272685316a2928ddb9ccefd667bc818a013f38e99fb27c71d0748788982b873a03577c64ea146112fc7aa338545d36eeb01821056af5f1836f5

Download Submit
C:\Windows\SysWOW64\Edpmjj32.exe

Filesize
96KB

MD5
6e814b1515ac03023776733a3497e012

SHA1
97a4e80b0ffe8a2f284f0a06e818592fe5fc4dd1

SHA256
ccd2240a97de70ccbcfe7743ac7ad6b1c77aa19003c1ada4b72584a60d98ab95

SHA512
84949c589bf1023b85520969629a5e731ee2fed9b4896a848b9b977c1dcb7ddb616b537af66108a095a480d096cc87196450b66dafd44336f7230a8ba78f3da1

Download Submit
C:\Windows\SysWOW64\Efaibbij.exe

Filesize
96KB

MD5
efb032ed7d62078537b29755e0a96f7e

SHA1
2d65b528529cfac48d0fa1a763334bee7b829ec1

SHA256
5cf4663ea772e2e2ce2bba58306a2156a2e876384680693bc374814a03389ed2

SHA512
fedf277fc3af3864d090ec7196a7bc0f005f2644e4243e7949449390e781d27f5f677d5d6815c2321c2d76c16934edf1b2a456b63286dc8e1ff20aff1ead3657

Download Submit
C:\Windows\SysWOW64\Effcma32.exe

Filesize
96KB

MD5
d1bdf408aa53ce0d6ec49fb6611174db

SHA1
a976b60c32de69d5e74c54a2d991e2fca7ffa4b1

SHA256
25dd4082623ce8dead1cdf5555bb637c6dbba1d1983175a34f563e86e6fa12eb

SHA512
6f0750d5b6f4d665ce1ab684bc14f9a8e14f8ad228042806025217ecf4c1f82bfee244d0a27a8b467d25594ec63ba416f5570b1a17c87cb1f3cdcba50e1398fb

Download Submit
C:\Windows\SysWOW64\Egafleqm.exe

Filesize
96KB

MD5
4e848995c2fa18b69f1204a968d1020b

SHA1
a0c154758a66152ba2f5ade94b44ca32acc3333c

SHA256
d6989fa899675dd10237ef96e5d4c1466b80d77e79d57bade43e105c7c2b7c03

SHA512
e7f17170c256cf806146c01ecc969e543ceb5734c17411c9d5a60e5ff419a1faafd48c1b712470cfc22e202293b71a72170456cd0b9a5bf08ce0f7c1cf3a12d8

Download Submit
C:\Windows\SysWOW64\Ekhhadmk.exe

Filesize
96KB

MD5
d0621e5056be7eeea98f21e1f9cebfb3

SHA1
b1f4e7c681565ba1089f8b7ec8f33c45e1817eff

SHA256
dae31ac42a7674fdceb84715a2de9460678f15b1b54b66873a3d16fc10e6b867

SHA512
1328f948bbc405a09404a61165fade71e5e6ad4ed3fe280f540bbbe7ffed768a2f964a770ae8b6851b1975cf1a14865ca8aed94393ed99ab8c85d921e1a0a303

Download Submit
C:\Windows\SysWOW64\Emieil32.exe

Filesize
96KB

MD5
6e0fb787bfcc6221cb1f8f6850839aae

SHA1
235a188a7bd250b7f6edc63ac5f32e29a9b4defb

SHA256
c1e4fc682e1ea719c9adb3ced6015994dbc15b6403bf68e3427dc6ca217f9e0e

SHA512
2deebec606e5b52057b005adc9dcf093f589ef5f9bcd579591c7b3ac6b5ea74e3176df41a3962618eacf1bb513902ce452961af91f9456e7b2a8801667c2c9e3

Download Submit
C:\Windows\SysWOW64\Enhacojl.exe

Filesize
96KB

MD5
e745604134354a0a6657ae8c134de264

SHA1
3221857e6f2f07c9165916b144efecd159b83031

SHA256
78cc5faf50219b2718e16cb8c894c2d7934fc3358e42e10b103a8ab001d8b182

SHA512
d20fe091d41f81e584e3387617cabff2fb06a445387b1ff541f22dd63f574f0e1b13a554e013715a59362ce3deec61ec0e9ab71d6ace073d72721c2e1968a64d

Download Submit
C:\Windows\SysWOW64\Eojnkg32.exe

Filesize
96KB

MD5
569806686655d5cb0c1431c8ef19332c

SHA1
13e895ccec139c8e727f33b6533bdaeef235f795

SHA256
59245c1303b3100268d66e2400ca412a6da8e1efb1c9bdec4ecb2e4c1288095b

SHA512
2d20461d7d94ab97b77ba714ba4b495235de1236ba67cf37790d85ef3e0d6455b41a9d7ee592363fd21936d8fc12a06d27c0db8df3383ef119c08cafff768a36

Download Submit
C:\Windows\SysWOW64\Eqijej32.exe

Filesize
96KB

MD5
2593b1a123b8a42c5d9843c1cb42221a

SHA1
d63771e767648b24eea4151a9894dd827535b23f

SHA256
c79ad436b95dd851fef505c11126011ebf85fab2f5204dfc9a3eb6fb2a07e38b

SHA512
8f2127445c8f1edce64b0dcd17bd64e251610b3423f159cb5ded4cd1d7551e16c653625471abd081985b0b789e7abefeb96b2a50042d8a0ab80cd9bd09f8fc64

Download Submit
C:\Windows\SysWOW64\Fkckeh32.exe

Filesize
96KB

MD5
58bffb91aa783367c4722b3a71e1fa64

SHA1
94cfbc5afd6ccf9d6e0588b91e21bcca0ec82efb

SHA256
26b49c913dd8af215c362bdff9172d0542a933c3e59bdc788ea9b96c26f8c9a9

SHA512
ca625d7104ecfa666eeea1187e5c2e5a05d8cd931d11015ba60f97026c655c5d82d5d4c9f10614431a0452ae2c32f5125b578b1b206d7d3c6890aa5de013b007

Download Submit
\Windows\SysWOW64\Cdlgpgef.exe

Filesize
96KB

MD5
4635f0d7f2e617d57da5226ec127770e

SHA1
ba0ae6ffa9b36c9f69bbbbcc3205e22b13da66d3

SHA256
d3626a3ae86f95a7eef7d475dc021b4b753213dee050c1273b62fca3d7ed179e

SHA512
eab2db5b0f89b9adf7ed5850720263ccaf733110045a187746d721f221bf278b2d738ff8836b7663f47a8cd7b0cdbf9c2e0a5db1c93d2d428f57fb8caf9bf2cb

Download Submit
\Windows\SysWOW64\Cldooj32.exe

Filesize
96KB

MD5
a7f2252ddbf24f5253eb97e05cbe4cf0

SHA1
c0cd8ba6de5a570dd22d26ba9aaeb224c32e5197

SHA256
0f1e046ae84eeb7f62867bdf0ecdd3664e82367c4221b459aa7ac6b0dccfe11b

SHA512
0ef437b43fe2c45ab56c1e9d9c2f933524e5f9b5378734f16464940926466963661739918ae68f42ba84c6e6faff2b48fba3e1c4e8e9510fc80102d699182358

Download Submit
\Windows\SysWOW64\Ddgjdk32.exe

Filesize
96KB

MD5
b4d0ae288d936ccdec402b78194caf54

SHA1
0dac8e0a15163e61235333847ce3886d3a5e8faa

SHA256
832e931f5c819e28bb540d9a0756ded3e8dda5d6adc695fd49336ff6e75d26f5

SHA512
4c15897a5c8f4b7f4ac5824d253404145708a89610ecc649c6b4dbdea1b978ddb890c6028e53997f79d45ce22296df6c81d8d716cfb4065bf51d96291e07a06b

Download Submit
\Windows\SysWOW64\Dfamcogo.exe

Filesize
96KB

MD5
341ed4a302b092ad88b6ac6bfa48266f

SHA1
575e94404665ec8f948ae37071c517943b55371e

SHA256
3626b49129454e79e3e94524b5921f9be522fd345a6801b64edbfa7f5320962a

SHA512
d7f9aee91d48d82052f8c416b3a91828d5193fa1eda1e9d1049a870b2faa82d4b76e229cd171565e358938292ec269f9ea3031444568b79004c7af42175aa932

Download Submit
\Windows\SysWOW64\Dfffnn32.exe

Filesize
96KB

MD5
34a680420692fdb8d6b1802a34b8955f

SHA1
06cc04f2edf47ad10c46552a478e7f18f1f1fc91

SHA256
af6b80f9a8a09a0b1000e5769025871312573f393e38c889d5df71cc79108a95

SHA512
d0c704c97bf8b17013b6f39f11962d6e47c2ab36b361916f294bbfa72e4eb050b6664613090dcd927dec95f9a167da3d8ea8b205abfaaad82268a37b6ef58b4d

Download Submit
\Windows\SysWOW64\Dfmdho32.exe

Filesize
96KB

MD5
13888170e215532b7401661d718796bb

SHA1
de5824398a60412a6bb03304834f83e8c02a4d32

SHA256
4d89763143be808d335de607dfb2275ba8a3181f7d56eba128f070f6c720498a

SHA512
6e28998b695fe57d208daeb3fe8686a3264f223bf81c426bba3d6dbd5a228e2ec0ba1d1f9fb63c07ec4b207c8731157446d10cf8ab3d080cff01bfb3f129b0ff

Download Submit
\Windows\SysWOW64\Dhdcji32.exe

Filesize
96KB

MD5
f97fdb3d9c88b0ab820b17ede1a8ad8f

SHA1
05fdd191a2c390bd8fe87b1bfabe26a208830232

SHA256
54c094a0b8edcfbae137db844a778f698ee5881ef9320204914387fae7ac0ab9

SHA512
c7b6d735a1e398bb3ad0c0132d8864e6c2cc18677cdb1b478cf7c5eadebf0163b679317fc10051b7c46a128ae65404fb81f95f622e7abad37c3064f3a1457c5f

Download Submit
\Windows\SysWOW64\Dhpiojfb.exe

Filesize
96KB

MD5
f5e0747abdb1f58b8a12ea6b61589fde

SHA1
9b4796ccabeb3ad48e62ad8879818e2d981a30f5

SHA256
e3a8539f94598074ab5348111e13ad41b44512cef15156813c8755c0570e38ce

SHA512
8b7e7bba21ecb2618247a91e2b6551b5009d82b6ccc411483502f687d8f9692215d2d7ac5e5b47f459c823eec9afe16c4d5a2544de489b5c15fdc61604bff624

Download Submit
\Windows\SysWOW64\Djklnnaj.exe

Filesize
96KB

MD5
95626c86f644b669fe82f1a10f89c0b7

SHA1
d0103837badd9145250be7948a2109ff73a342ed

SHA256
66bce8dac67a5b40253c8140bd6fc532e7f02ee93030b30b62b87def2cd83695

SHA512
82bd01da319d01584d998d98d1d9d91040228bdb42d4641ac1b67d87b64537c4b7f4f6e015c4af5c29e8ff023d204c1f06231567d4d04d1dbb28986ce0727238

Download Submit
\Windows\SysWOW64\Dlkepi32.exe

Filesize
96KB

MD5
e867c77b45af630aafc4dbaf116f5a61

SHA1
ff8fc6b486daf01d94601f74c769ce457df1f5d4

SHA256
bbd9be95f25fbd8b6360bf2d1c490e773b41816942d179b252ac792d13032a5a

SHA512
526160ff1fa958cf95631902aaa67db5ef68c547ea0297a8a01f8213654f7be354f3e18b4bd556facf296dfb02aa03708f3a19b628bf0782c0f4504f44319327

Download Submit
\Windows\SysWOW64\Dolnad32.exe

Filesize
96KB

MD5
e8b85fc423a6435ddeb597e4192832da

SHA1
23bd04b30b4ef084d578290940e8a4c3071569d2

SHA256
ecfcd1c577416a8264e00e1d125fe64d0f1b4fb275246b1fc50afdd556254b07

SHA512
cddc8b539c99f70ed6b2137a827d0101fbdcaaf363dd9a6aaa2aa72ca7a961212a8f38531371379338cefdf0a5acb5460cb2625d10f4e53df7ec42c3c2823fb6

Download Submit
\Windows\SysWOW64\Ebodiofk.exe

Filesize
96KB

MD5
561fdf6bc176385c1057791671cc16d1

SHA1
2fac069311b80d706042d64de1962b8edefc6058

SHA256
a9f8b7df5007e4dc82ab3399e24b325b1a73c8dbfa08942799822c0a8b13d8e3

SHA512
af18fd0dbef1024ad71d5c1fef2a9f2e90d51dc5e6e943e53d6e9a1887f337899365333bf105681d09401dd75198758fd9e06d598079be154f3d6ee440207f3a

Download Submit
\Windows\SysWOW64\Egjpkffe.exe

Filesize
96KB

MD5
29be7bdbc8cc2e7b9ce4ed0fcb75fb94

SHA1
492a8a0ee5b67a615aa09fefcc23cc994616e31b

SHA256
446065c0dae6bb71148a2f03e8a60ea5b0e8ba9b8f65178153aed8529d75dae8

SHA512
fb01887e4d3ad91000da71f8e60920244da047e8428e0323518b828fb66005a010277f8589c079da83fee91f0e98881d942151e9fca875f7fcb710879a95ae40

Download Submit
\Windows\SysWOW64\Eqpgol32.exe

Filesize
96KB

MD5
4edf67fab0c1778dc8c2c5c12db9e401

SHA1
2493c80dc8a02661a62c3c03cb3510fcf044cb07

SHA256
274ba2db70d28b6aaf672855921b648d4535f35909e4e8500ee206c111ece48e

SHA512
740d3ab9ae67b64de880795d48726a2211361c29527ff718c04e7680025ad5bf1ffb1675153172df7223c87b03525a20044815a3bb6981c3857f319e08c3fdd4

Download Submit
memory/636-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/636-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/884-337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/988-291-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/988-284-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/988-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/988-290-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1148-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1408-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1408-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1440-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1440-332-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1472-100-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1472-102-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/1528-228-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1528-233-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1616-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1616-245-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download
memory/1708-79-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1708-66-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1708-78-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/1708-331-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1780-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1800-127-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1816-348-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1816-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1816-282-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1816-283-0x0000000000290000-0x00000000002C3000-memory.dmp

Filesize
204KB

Download
memory/1824-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1824-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1824-147-0x00000000002D0000-0x0000000000303000-memory.dmp

Filesize
204KB

Download
memory/1908-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1908-339-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2140-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2140-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2332-326-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2332-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2332-23-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2380-301-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2380-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2380-302-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2380-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2620-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2620-320-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2620-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2620-324-0x00000000002F0000-0x0000000000323000-memory.dmp

Filesize
204KB

Download
memory/2760-44-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2764-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2764-168-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2764-338-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2784-312-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2784-351-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2784-313-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2784-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2792-65-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2792-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2792-53-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2796-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2812-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2812-26-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3000-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-188-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3020-196-0x0000000001F30000-0x0000000001F63000-memory.dmp

Filesize
204KB

Download
memory/3052-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-115-0x0000000000440000-0x0000000000473000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads