ea507c0c9f66fdd45cc36d887552a31476f307aded562744e2e74c90c07eef20

Analysis

max time kernel
111s
max time network
17s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
25/07/2024, 09:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b78468c5aae56c23b186ad96e776e910N.exe
Size

59KB
MD5

b78468c5aae56c23b186ad96e776e910
SHA1

67ed644daabbb611810d80bb4517e74a1b797b42
SHA256

ea507c0c9f66fdd45cc36d887552a31476f307aded562744e2e74c90c07eef20
SHA512

f110d448d64d41755f81408a5e2dc510ffb3e95818447085708b683685d78e931dd0663fdf45d91997ab7a26ca4a598428d2d3181a7fc6efa3be82d4860f7bf9
SSDEEP

768:CP/ghHKQFhRYx+GbkvpQuIhsXe8PfZyY63AmBWh2p/1H5VXdnhfXaXdnh:CnghHtFhw+GTuxFBsYh2LpO

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekelld32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eplkpgnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dlnbeh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dookgcij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eccmffjf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eqgnokip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eqgnokip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eibbcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Effcma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbkknojp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddigjkid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egllae32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Emieil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Emieil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eibbcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eplkpgnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpeekh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eccmffjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejobhppq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Effcma32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfamcogo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfamcogo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfdjhndl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlnbeh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbkknojp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ebmgcohn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	b78468c5aae56c23b186ad96e776e910N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cldooj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpbheh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfdjhndl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddigjkid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ebmgcohn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ekelld32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejobhppq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b78468c5aae56c23b186ad96e776e910N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dndlim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dpbheh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dglpbbbg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Endhhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Endhhp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cldooj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dglpbbbg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpeekh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dookgcij.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egllae32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dndlim32.exe

Executes dropped EXE 23 IoCs

pid	Process
2744	Cldooj32.exe
2816	Dndlim32.exe
2012	Dpbheh32.exe
2584	Dglpbbbg.exe
2124	Dpeekh32.exe
536	Dfamcogo.exe
1472	Dfdjhndl.exe
2160	Dlnbeh32.exe
1552	Dbkknojp.exe
1824	Ddigjkid.exe
884	Dookgcij.exe
2764	Ebmgcohn.exe
1908	Ekelld32.exe
3020	Endhhp32.exe
2276	Egllae32.exe
1476	Emieil32.exe
296	Eccmffjf.exe
1264	Eqgnokip.exe
1712	Ejobhppq.exe
2688	Eibbcm32.exe
2672	Eplkpgnh.exe
1732	Effcma32.exe
2528	Fkckeh32.exe

Loads dropped DLL 50 IoCs

pid	Process
2472	b78468c5aae56c23b186ad96e776e910N.exe
2472	b78468c5aae56c23b186ad96e776e910N.exe
2744	Cldooj32.exe
2744	Cldooj32.exe
2816	Dndlim32.exe
2816	Dndlim32.exe
2012	Dpbheh32.exe
2012	Dpbheh32.exe
2584	Dglpbbbg.exe
2584	Dglpbbbg.exe
2124	Dpeekh32.exe
2124	Dpeekh32.exe
536	Dfamcogo.exe
536	Dfamcogo.exe
1472	Dfdjhndl.exe
1472	Dfdjhndl.exe
2160	Dlnbeh32.exe
2160	Dlnbeh32.exe
1552	Dbkknojp.exe
1552	Dbkknojp.exe
1824	Ddigjkid.exe
1824	Ddigjkid.exe
884	Dookgcij.exe
884	Dookgcij.exe
2764	Ebmgcohn.exe
2764	Ebmgcohn.exe
1908	Ekelld32.exe
1908	Ekelld32.exe
3020	Endhhp32.exe
3020	Endhhp32.exe
2276	Egllae32.exe
2276	Egllae32.exe
1476	Emieil32.exe
1476	Emieil32.exe
296	Eccmffjf.exe
296	Eccmffjf.exe
1264	Eqgnokip.exe
1264	Eqgnokip.exe
1712	Ejobhppq.exe
1712	Ejobhppq.exe
2688	Eibbcm32.exe
2688	Eibbcm32.exe
2672	Eplkpgnh.exe
2672	Eplkpgnh.exe
1732	Effcma32.exe
1732	Effcma32.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dglpbbbg.exe	Dpbheh32.exe
File created	C:\Windows\SysWOW64\Kijbioba.dll	Dpbheh32.exe
File opened for modification	C:\Windows\SysWOW64\Eibbcm32.exe	Ejobhppq.exe
File created	C:\Windows\SysWOW64\Effcma32.exe	Eplkpgnh.exe
File opened for modification	C:\Windows\SysWOW64\Effcma32.exe	Eplkpgnh.exe
File created	C:\Windows\SysWOW64\Joliff32.dll	Dndlim32.exe
File created	C:\Windows\SysWOW64\Efhhaddp.dll	Dglpbbbg.exe
File opened for modification	C:\Windows\SysWOW64\Dfdjhndl.exe	Dfamcogo.exe
File created	C:\Windows\SysWOW64\Dbkknojp.exe	Dlnbeh32.exe
File created	C:\Windows\SysWOW64\Kcbabf32.dll	Endhhp32.exe
File created	C:\Windows\SysWOW64\Clkmne32.dll	Effcma32.exe
File opened for modification	C:\Windows\SysWOW64\Dndlim32.exe	Cldooj32.exe
File created	C:\Windows\SysWOW64\Dglpbbbg.exe	Dpbheh32.exe
File created	C:\Windows\SysWOW64\Dpeekh32.exe	Dglpbbbg.exe
File created	C:\Windows\SysWOW64\Nnfbei32.dll	Dfdjhndl.exe
File created	C:\Windows\SysWOW64\Ddigjkid.exe	Dbkknojp.exe
File created	C:\Windows\SysWOW64\Mledlaqd.dll	Dbkknojp.exe
File created	C:\Windows\SysWOW64\Clialdph.dll	Dookgcij.exe
File created	C:\Windows\SysWOW64\Aphdelhp.dll	Egllae32.exe
File created	C:\Windows\SysWOW64\Fkckeh32.exe	Effcma32.exe
File opened for modification	C:\Windows\SysWOW64\Eqgnokip.exe	Eccmffjf.exe
File created	C:\Windows\SysWOW64\Affcmdmb.dll	Eplkpgnh.exe
File created	C:\Windows\SysWOW64\Dfamcogo.exe	Dpeekh32.exe
File opened for modification	C:\Windows\SysWOW64\Dfamcogo.exe	Dpeekh32.exe
File created	C:\Windows\SysWOW64\Egllae32.exe	Endhhp32.exe
File opened for modification	C:\Windows\SysWOW64\Egllae32.exe	Endhhp32.exe
File opened for modification	C:\Windows\SysWOW64\Eccmffjf.exe	Emieil32.exe
File created	C:\Windows\SysWOW64\Dlnbeh32.exe	Dfdjhndl.exe
File created	C:\Windows\SysWOW64\Ebmgcohn.exe	Dookgcij.exe
File created	C:\Windows\SysWOW64\Emieil32.exe	Egllae32.exe
File created	C:\Windows\SysWOW64\Gjpmgg32.dll	Cldooj32.exe
File opened for modification	C:\Windows\SysWOW64\Ddigjkid.exe	Dbkknojp.exe
File created	C:\Windows\SysWOW64\Dookgcij.exe	Ddigjkid.exe
File created	C:\Windows\SysWOW64\Imehcohk.dll	Emieil32.exe
File created	C:\Windows\SysWOW64\Endhhp32.exe	Ekelld32.exe
File opened for modification	C:\Windows\SysWOW64\Endhhp32.exe	Ekelld32.exe
File opened for modification	C:\Windows\SysWOW64\Dookgcij.exe	Ddigjkid.exe
File opened for modification	C:\Windows\SysWOW64\Emieil32.exe	Egllae32.exe
File created	C:\Windows\SysWOW64\Eibbcm32.exe	Ejobhppq.exe
File created	C:\Windows\SysWOW64\Olfeho32.dll	Ebmgcohn.exe
File created	C:\Windows\SysWOW64\Eccmffjf.exe	Emieil32.exe
File created	C:\Windows\SysWOW64\Ekgednng.dll	Eqgnokip.exe
File created	C:\Windows\SysWOW64\Blopagpd.dll	Dpeekh32.exe
File created	C:\Windows\SysWOW64\Jdjfho32.dll	Dfamcogo.exe
File opened for modification	C:\Windows\SysWOW64\Dlnbeh32.exe	Dfdjhndl.exe
File created	C:\Windows\SysWOW64\Jfiilbkl.dll	Dlnbeh32.exe
File created	C:\Windows\SysWOW64\Jkhgfq32.dll	Ddigjkid.exe
File opened for modification	C:\Windows\SysWOW64\Eplkpgnh.exe	Eibbcm32.exe
File opened for modification	C:\Windows\SysWOW64\Fkckeh32.exe	Effcma32.exe
File created	C:\Windows\SysWOW64\Dndlim32.exe	Cldooj32.exe
File opened for modification	C:\Windows\SysWOW64\Dpbheh32.exe	Dndlim32.exe
File opened for modification	C:\Windows\SysWOW64\Ebmgcohn.exe	Dookgcij.exe
File opened for modification	C:\Windows\SysWOW64\Ekelld32.exe	Ebmgcohn.exe
File created	C:\Windows\SysWOW64\Jhgnia32.dll	Ejobhppq.exe
File opened for modification	C:\Windows\SysWOW64\Dbkknojp.exe	Dlnbeh32.exe
File created	C:\Windows\SysWOW64\Eqgnokip.exe	Eccmffjf.exe
File created	C:\Windows\SysWOW64\Jaqddb32.dll	Eccmffjf.exe
File created	C:\Windows\SysWOW64\Ejobhppq.exe	Eqgnokip.exe
File created	C:\Windows\SysWOW64\Ahoanjcc.dll	Eibbcm32.exe
File created	C:\Windows\SysWOW64\Cldooj32.exe	b78468c5aae56c23b186ad96e776e910N.exe
File created	C:\Windows\SysWOW64\Oehfcmhd.dll	b78468c5aae56c23b186ad96e776e910N.exe
File created	C:\Windows\SysWOW64\Dpbheh32.exe	Dndlim32.exe
File opened for modification	C:\Windows\SysWOW64\Dpeekh32.exe	Dglpbbbg.exe
File created	C:\Windows\SysWOW64\Dfdjhndl.exe	Dfamcogo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2352	2528	WerFault.exe	52

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpbheh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpeekh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfamcogo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ebmgcohn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eibbcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Effcma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkckeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cldooj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dglpbbbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbkknojp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekelld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Endhhp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eqgnokip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eplkpgnh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dndlim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfdjhndl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddigjkid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dookgcij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b78468c5aae56c23b186ad96e776e910N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dlnbeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egllae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Emieil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eccmffjf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejobhppq.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	b78468c5aae56c23b186ad96e776e910N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfdjhndl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dlnbeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dlnbeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joliff32.dll"	Dndlim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkhgfq32.dll"	Ddigjkid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfeho32.dll"	Ebmgcohn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ebmgcohn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjpmgg32.dll"	Cldooj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dookgcij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Endhhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaqddb32.dll"	Eccmffjf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eqgnokip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eqgnokip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eibbcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cldooj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blopagpd.dll"	Dpeekh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ekelld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ekelld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eplkpgnh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddigjkid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oehfcmhd.dll"	b78468c5aae56c23b186ad96e776e910N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dpeekh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfamcogo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfamcogo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eplkpgnh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dglpbbbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhhaddp.dll"	Dglpbbbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnfbei32.dll"	Dfdjhndl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahoanjcc.dll"	Eibbcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Endhhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aphdelhp.dll"	Egllae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Egllae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhgnia32.dll"	Ejobhppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	b78468c5aae56c23b186ad96e776e910N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dndlim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfdjhndl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mledlaqd.dll"	Dbkknojp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejobhppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Affcmdmb.dll"	Eplkpgnh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Effcma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	b78468c5aae56c23b186ad96e776e910N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcbabf32.dll"	Endhhp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eccmffjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clkmne32.dll"	Effcma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbkknojp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imehcohk.dll"	Emieil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	b78468c5aae56c23b186ad96e776e910N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cldooj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kijbioba.dll"	Dpbheh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dglpbbbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Emieil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	b78468c5aae56c23b186ad96e776e910N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dndlim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dbkknojp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egllae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dpbheh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Emieil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddigjkid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clialdph.dll"	Dookgcij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ebmgcohn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekgednng.dll"	Eqgnokip.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejobhppq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eibbcm32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 2744	2472	b78468c5aae56c23b186ad96e776e910N.exe	30
PID 2472 wrote to memory of 2744	2472	b78468c5aae56c23b186ad96e776e910N.exe	30
PID 2472 wrote to memory of 2744	2472	b78468c5aae56c23b186ad96e776e910N.exe	30
PID 2472 wrote to memory of 2744	2472	b78468c5aae56c23b186ad96e776e910N.exe	30
PID 2744 wrote to memory of 2816	2744	Cldooj32.exe	31
PID 2744 wrote to memory of 2816	2744	Cldooj32.exe	31
PID 2744 wrote to memory of 2816	2744	Cldooj32.exe	31
PID 2744 wrote to memory of 2816	2744	Cldooj32.exe	31
PID 2816 wrote to memory of 2012	2816	Dndlim32.exe	32
PID 2816 wrote to memory of 2012	2816	Dndlim32.exe	32
PID 2816 wrote to memory of 2012	2816	Dndlim32.exe	32
PID 2816 wrote to memory of 2012	2816	Dndlim32.exe	32
PID 2012 wrote to memory of 2584	2012	Dpbheh32.exe	33
PID 2012 wrote to memory of 2584	2012	Dpbheh32.exe	33
PID 2012 wrote to memory of 2584	2012	Dpbheh32.exe	33
PID 2012 wrote to memory of 2584	2012	Dpbheh32.exe	33
PID 2584 wrote to memory of 2124	2584	Dglpbbbg.exe	34
PID 2584 wrote to memory of 2124	2584	Dglpbbbg.exe	34
PID 2584 wrote to memory of 2124	2584	Dglpbbbg.exe	34
PID 2584 wrote to memory of 2124	2584	Dglpbbbg.exe	34
PID 2124 wrote to memory of 536	2124	Dpeekh32.exe	35
PID 2124 wrote to memory of 536	2124	Dpeekh32.exe	35
PID 2124 wrote to memory of 536	2124	Dpeekh32.exe	35
PID 2124 wrote to memory of 536	2124	Dpeekh32.exe	35
PID 536 wrote to memory of 1472	536	Dfamcogo.exe	36
PID 536 wrote to memory of 1472	536	Dfamcogo.exe	36
PID 536 wrote to memory of 1472	536	Dfamcogo.exe	36
PID 536 wrote to memory of 1472	536	Dfamcogo.exe	36
PID 1472 wrote to memory of 2160	1472	Dfdjhndl.exe	37
PID 1472 wrote to memory of 2160	1472	Dfdjhndl.exe	37
PID 1472 wrote to memory of 2160	1472	Dfdjhndl.exe	37
PID 1472 wrote to memory of 2160	1472	Dfdjhndl.exe	37
PID 2160 wrote to memory of 1552	2160	Dlnbeh32.exe	38
PID 2160 wrote to memory of 1552	2160	Dlnbeh32.exe	38
PID 2160 wrote to memory of 1552	2160	Dlnbeh32.exe	38
PID 2160 wrote to memory of 1552	2160	Dlnbeh32.exe	38
PID 1552 wrote to memory of 1824	1552	Dbkknojp.exe	39
PID 1552 wrote to memory of 1824	1552	Dbkknojp.exe	39
PID 1552 wrote to memory of 1824	1552	Dbkknojp.exe	39
PID 1552 wrote to memory of 1824	1552	Dbkknojp.exe	39
PID 1824 wrote to memory of 884	1824	Ddigjkid.exe	40
PID 1824 wrote to memory of 884	1824	Ddigjkid.exe	40
PID 1824 wrote to memory of 884	1824	Ddigjkid.exe	40
PID 1824 wrote to memory of 884	1824	Ddigjkid.exe	40
PID 884 wrote to memory of 2764	884	Dookgcij.exe	41
PID 884 wrote to memory of 2764	884	Dookgcij.exe	41
PID 884 wrote to memory of 2764	884	Dookgcij.exe	41
PID 884 wrote to memory of 2764	884	Dookgcij.exe	41
PID 2764 wrote to memory of 1908	2764	Ebmgcohn.exe	42
PID 2764 wrote to memory of 1908	2764	Ebmgcohn.exe	42
PID 2764 wrote to memory of 1908	2764	Ebmgcohn.exe	42
PID 2764 wrote to memory of 1908	2764	Ebmgcohn.exe	42
PID 1908 wrote to memory of 3020	1908	Ekelld32.exe	43
PID 1908 wrote to memory of 3020	1908	Ekelld32.exe	43
PID 1908 wrote to memory of 3020	1908	Ekelld32.exe	43
PID 1908 wrote to memory of 3020	1908	Ekelld32.exe	43
PID 3020 wrote to memory of 2276	3020	Endhhp32.exe	44
PID 3020 wrote to memory of 2276	3020	Endhhp32.exe	44
PID 3020 wrote to memory of 2276	3020	Endhhp32.exe	44
PID 3020 wrote to memory of 2276	3020	Endhhp32.exe	44
PID 2276 wrote to memory of 1476	2276	Egllae32.exe	45
PID 2276 wrote to memory of 1476	2276	Egllae32.exe	45
PID 2276 wrote to memory of 1476	2276	Egllae32.exe	45
PID 2276 wrote to memory of 1476	2276	Egllae32.exe	45

C:\Users\Admin\AppData\Local\Temp\b78468c5aae56c23b186ad96e776e910N.exe
"C:\Users\Admin\AppData\Local\Temp\b78468c5aae56c23b186ad96e776e910N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Windows\SysWOW64\Cldooj32.exe
  C:\Windows\system32\Cldooj32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\SysWOW64\Dndlim32.exe
    C:\Windows\system32\Dndlim32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\SysWOW64\Dpbheh32.exe
      C:\Windows\system32\Dpbheh32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2012
    - - C:\Windows\SysWOW64\Dglpbbbg.exe
        
        C:\Windows\system32\Dglpbbbg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2584
      - C:\Windows\SysWOW64\Dpeekh32.exe
        
        C:\Windows\system32\Dpeekh32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Dfamcogo.exe
        
        C:\Windows\system32\Dfamcogo.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Dfdjhndl.exe
        
        C:\Windows\system32\Dfdjhndl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\Dlnbeh32.exe
        
        C:\Windows\system32\Dlnbeh32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\Dbkknojp.exe
        
        C:\Windows\system32\Dbkknojp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\Ddigjkid.exe
        
        C:\Windows\system32\Ddigjkid.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\Dookgcij.exe
        
        C:\Windows\system32\Dookgcij.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\SysWOW64\Ebmgcohn.exe
        
        C:\Windows\system32\Ebmgcohn.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\SysWOW64\Ekelld32.exe
        
        C:\Windows\system32\Ekelld32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\SysWOW64\Endhhp32.exe
        
        C:\Windows\system32\Endhhp32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Egllae32.exe
        
        C:\Windows\system32\Egllae32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\SysWOW64\Emieil32.exe
        
        C:\Windows\system32\Emieil32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\Eccmffjf.exe
        
        C:\Windows\system32\Eccmffjf.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:296
        
        C:\Windows\SysWOW64\Eqgnokip.exe
        
        C:\Windows\system32\Eqgnokip.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1264
        
        C:\Windows\SysWOW64\Ejobhppq.exe
        
        C:\Windows\system32\Ejobhppq.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\Eibbcm32.exe
        
        C:\Windows\system32\Eibbcm32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Eplkpgnh.exe
        
        C:\Windows\system32\Eplkpgnh.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Effcma32.exe
        
        C:\Windows\system32\Effcma32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\Fkckeh32.exe
        
        C:\Windows\system32\Fkckeh32.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 140
        25⤵
        Loads dropped DLL
        Program crash
        
        PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Dglpbbbg.exe

Filesize
59KB

MD5
c2e0fc6842b8c1d5a267c9a7f2707ee7

SHA1
5855026ee344b8b0d122f7aaa70a6689057e1a33

SHA256
5738aea3123a4de5a2eb90a4cd7201fd0f4870b5bc311131d11aff8e0b5dce9f

SHA512
a40e6ee1e67a6eac8e60d6e4641176fac00414a9e28abdb0e949e86373c99bb376ea9894b546c159958fd0eaef28e8259f984b07ceb917f5749d00b9c544f28c

Download Submit
C:\Windows\SysWOW64\Dpbheh32.exe

Filesize
59KB

MD5
4213519ecf5fc57a77e9d4c2530cee51

SHA1
3098eb5929860e3a513fbd6d74fcee918ca3a9db

SHA256
296b1580cc54ddc830ea3b1b0bac1e39be9dec8f396eb087042ef8af507655c7

SHA512
2a49da51e379d45264e9a59aadd5c331a088c88075395fbaf13bb89222b164009a2edc5d49ecf28da1d79bd03ee8b8421e75df44a8da23f365f801ea438f2738

Download Submit
C:\Windows\SysWOW64\Eccmffjf.exe

Filesize
59KB

MD5
5fc7c1e0cbdda3498b5bf345380e9f4c

SHA1
e6a499553b2806e36b37c99b125c1e97802ac7e7

SHA256
5d79f96d787885dabb45cb57f74a631e294d68256387f21098598701ac1c1670

SHA512
adef2fe1d4deaa8b95e3bcce00c5de00a957a48e4f720edb8b35203b9174480e053c60f3a806d72b816e4367b7ce6265d89a5acb4b4aba8ea01d924ee94cf864

Download Submit
C:\Windows\SysWOW64\Effcma32.exe

Filesize
59KB

MD5
458ef7e9f0ebf25dd61c7a2a22c0ec21

SHA1
9be16d7e0b284c316d04159686e390e6da5b2af2

SHA256
293425c70072f5a1070ea9da5b183ef6f5477bcdea0cc8da074a4747a86a6633

SHA512
b01323b3fdcf769e63e210954442eebb1ba536c9c7df7fc85ddae9d67cd74e414df5c312216c1df7e87ad2ce7018de24b95a955ccb59a86b4a861456b32d4389

Download Submit
C:\Windows\SysWOW64\Eibbcm32.exe

Filesize
59KB

MD5
c134538bd63551d60ba436b5cf71d020

SHA1
ab26f277586c61a8dc72e6af6bbaf2c8b0c2cdf0

SHA256
f7c4c15c9795299e3141cc756f3543d7378cf048e1883ccb07eaa0ae395e512c

SHA512
08f6fcb6322c33d4f8d40af887504bb4be4016677bfd612a2922a285596b44cf4e6dab507de307ac738e6e2ec334c8ee03984bb1faef8d1d6e7107e2d6ab956a

Download Submit
C:\Windows\SysWOW64\Ejobhppq.exe

Filesize
59KB

MD5
6cfa4c0cf8ccfbcd51325b57c705d509

SHA1
f0214202e466995745ca25d6edb2ad1336d3e19f

SHA256
ee7ef63d4c57afd90e3f3a6272ecfadff4eb1b1a74780ffce3de9058527c7bc0

SHA512
c1b433ec369ffa06f47e1db2f7759fed158aff1a387d013ca44b92d701cf09989ad71364fcbf550f78f1afe94fd576e17bb7a5d0a517e3c81f5b4e1a690d5ecb

Download Submit
C:\Windows\SysWOW64\Eplkpgnh.exe

Filesize
59KB

MD5
ec6b51f47ba8e47e26992e530c8cfeff

SHA1
25f440ca02fdba99f524071fc712bc6631e69928

SHA256
1ef285aaeb128ed71317b3405faf2fe964a2f74a734f894b4ebf9b3fceb9a679

SHA512
2f4a0d361c8c5d75b5d684e85fa1c801820feb18a6025915800357e49beb6bb942b67c1b700a6297ae64497ad6eda12fe6d4e1038e7c25acbb223ea91a0c8966

Download Submit
C:\Windows\SysWOW64\Eqgnokip.exe

Filesize
59KB

MD5
45a158e80a742f68c4c084f70050811a

SHA1
b8bde0ec855531b22c32b3f444b7d93b079a43ad

SHA256
cd1e2db91d7e6d8ec6a6260704979973f08f3d8642bad1e37a5055059bb4b970

SHA512
e6ba431700ff707c23d1da23e68dfd1b3109bfebf3c7a723aafc5739f0c15451339fae0cfff9560ba1bcc381f638f916cf01eb845607aa5d9a2c0de25794c399

Download Submit
C:\Windows\SysWOW64\Fkckeh32.exe

Filesize
59KB

MD5
23329d4e6ae9cd7df4c15a8bdb5598f0

SHA1
bbaa0b70df0043422f0547b939d54a4c852ac21c

SHA256
15e40930fb6bbc12fee92d08987551b620694713568b3625736ade3744d1c9c3

SHA512
53315c1d9c1228626b3f88d2e2c8ea7101971eb8a68684c264d4b239768ed0beb8a09bc15cebb4cba58162a27a42b63c3c49efd33c1b1fbf25f1d72fddb83d1e

Download Submit
\Windows\SysWOW64\Cldooj32.exe

Filesize
59KB

MD5
1acef9890438c5fae0e8aa00d23704b4

SHA1
306a59bfce9e8f96b54b226f6f58293d5ad26a3e

SHA256
57f236c32bc23101a6ee88448dcd621893c6ac1e93c08830684adafdee408234

SHA512
943f0efb53f8302a08695d9c007b348fc9b05696bd4dc1c6e07eab039c95d060528b35655cd8a19b18cce432f39ebea56ba2abdaaa2913d2e9f1ddcb54383877

Download Submit
\Windows\SysWOW64\Dbkknojp.exe

Filesize
59KB

MD5
cbbe8912df57d229824eebd4da936561

SHA1
19a305619ebae64e3c0878e41acebf35be690c39

SHA256
da9b6739b34ac0a3339864d39541925e5683568ef8da9056aa0d6fbc6c564d3c

SHA512
afa5208b8dd133640552892a39985450d6436ee8618960243687e70c2afa92525d3b83b7f8bd79bc2e77c774a70b786f2ba5a0cbe83636b4e8346dc2081a688c

Download Submit
\Windows\SysWOW64\Ddigjkid.exe

Filesize
59KB

MD5
9d279ffc0f8667c5a5a66696733930a8

SHA1
f59eb86a26573e343052a5e4ebc06009a910cabb

SHA256
1dc8355ccdb3caea116b9e18f3f04862f4522a6d7dfcabdda16ae5477279e943

SHA512
8d40edd3658f840a86c5465cc007653c2c3901246486b774bafb74f9a8b4237c90ffa7cd9af38b2683f96eb394c42983c01be6524c6e1cce797dc338b5e78fa8

Download Submit
\Windows\SysWOW64\Dfamcogo.exe

Filesize
59KB

MD5
ca472a73c003da58669f2d89757bf803

SHA1
2770c13b02345be40bffd8f6304d1898db024f6d

SHA256
b533a75e4d8c78d170c2bdd667f36518503edbf14265ec0e7046c13d887a7597

SHA512
28fe615ea2a5fed24ba83ab3857c47fad233be288045840ecd4781dbf7405fac66c2b538ba930a2d5bf5782b34d8fbcdc946cae2935bef7e6b469ed510a3da5f

Download Submit
\Windows\SysWOW64\Dfdjhndl.exe

Filesize
59KB

MD5
1cc922c0ece0402ac31dbfa1a00675af

SHA1
169f05daafacdbbfc2024b6b6a80828dcae50c4c

SHA256
f1a1f3d081cb200537e856d956e31eebb4e5082b85de11a654dfe3668a946a84

SHA512
0387fbed1a8eae5ee2d62294037a58212d0a7557091ffb43240229d41b11a3e2ed25fa6d3210a136c87f798331f36848871be43ccf63ec9fbaf883ce40dfe19f

Download Submit
\Windows\SysWOW64\Dlnbeh32.exe

Filesize
59KB

MD5
78badcfe28bcc4e7a8a1e8aad4233b0f

SHA1
3cb74f34a1f0951dbd838f2ddb71c3015b1f0222

SHA256
ec989b2de0055c96510f5d489602da66e3087674f32bcbb78fc60d7d55fd6f0c

SHA512
2078cab2e6933afda2cb92904c40da1d28dba64bc33915d66e41f4a57f35b314c0fdc5a88b71e0822a33869b771d2e4c1bf0b23413a2ede536ddd823e617ad20

Download Submit
\Windows\SysWOW64\Dndlim32.exe

Filesize
59KB

MD5
c5a762155a6baf4d4c3569aea3bd2919

SHA1
42289f18e10324d954868a5ee6506c86e4f49cd1

SHA256
9db332d4653a6a00197cdf072b96e74566a315b497bfa9cc8782b2d072736231

SHA512
5b781d2b4837ebab4097b903101a57939ea81283d53c025e204e22efb23c5017191f68efabe075e043004eec4f0b31f957984e125c03d17635be99fc585273e4

Download Submit
\Windows\SysWOW64\Dookgcij.exe

Filesize
59KB

MD5
9d3e4669817d00b1d2d09cde9f714efd

SHA1
d1bcb39c7e63bd3b960b37bdebf971f26a5c7e52

SHA256
4c73d165fb93364a29e11b75874e27ed2fdd9bd43088f40ede026e905d65d8a6

SHA512
158e921ff907329d2b1ecc92c3a6a15d8174da3f13a9b92f06db3bf41ca537aa06f835432d763e9e9e107a2dcfa0ef48e848365fcab1dced939b73ee8f7367e2

Download Submit
\Windows\SysWOW64\Dpeekh32.exe

Filesize
59KB

MD5
0c9b2ec540f086a6bc2cec45aca51314

SHA1
6f946787ec2ef341e16cf4169b0d632d4605bc90

SHA256
02b867efe5aef3ca7596e1134c699510d2c226aabd85cce9a8d9ba61865fce73

SHA512
82964ebab9f67c2144667345e71b9d347aa042fac3c16aaae231212a29b886eff84137cecd7a9fc94c9291bd9821aef4aae96fc47322c2177fafbca2903c5fb5

Download Submit
\Windows\SysWOW64\Ebmgcohn.exe

Filesize
59KB

MD5
ba4c38131f9dd4a7a49229e1cb41e905

SHA1
f71a8f6a27936f4c781d8ab6966a58ed26d7a1fb

SHA256
a4e47431cab2c91745f81a1aa76cba5b89109c5907ece006ccedecdbccce6f3d

SHA512
2c37011e30b3566a4952cc64d59ce3af7f7cf025c3efdd8a7413bc435301dedc605edc3c27a9dfaf9cde2c8f93240578638e18e156b42d1c7de6c7efe5db46f2

Download Submit
\Windows\SysWOW64\Egllae32.exe

Filesize
59KB

MD5
9a160353324c05799f0f054ff357a2fd

SHA1
4a8abd14a9f0a99e4514669b76d949e9dc64778a

SHA256
e07b3d1e4996a7c4ac8a990b426cf6429301aefc0f5dcd0f63b70350ab9d88a5

SHA512
78d9e5703ccdfc0d16a7ad8528640dacc213cc5e31c625cfece5dbb64ac8f329d9637cd16423652d310d75232ed2e18f4f620d9ee105d39b6b9f8366060e3b3a

Download Submit
\Windows\SysWOW64\Ekelld32.exe

Filesize
59KB

MD5
6752872554977e36087588031dcffed4

SHA1
c511279694385c493bc7da111b5e8e47a3c5cf7b

SHA256
a8b1181387aaf65d3a5ce6e2e76c28e66f87374c2f4a5a9ce7208e7040a4c233

SHA512
d03ef4e3296100128cc2eb2172ed7620148a63734fd6c470fcecab3c66719a01d25a857ee9dde97d37a74ae32010a9ea5acc66ee91587e1a5fda035b9e2b0b3a

Download Submit
\Windows\SysWOW64\Emieil32.exe

Filesize
59KB

MD5
e1c1c0475f5a9ac5bc4759b1fc469676

SHA1
971ded045ba1adce5fcc63c746c2e46a3c6d41a2

SHA256
0388e91920c646756350cc66b164d1dab892e09bae2d4af65985009678a86944

SHA512
7db7c6ef74160d85c05811956820fa902e38620fb9e8905c218627349b8ac3c36cdea8351bd67ad5dd0b1b9692e7e0039811c3c4aaf95e9d2b54f7b7486ffbbc

Download Submit
\Windows\SysWOW64\Endhhp32.exe

Filesize
59KB

MD5
191160a1a67604106fe711b6d54f687f

SHA1
a29a16e991f80c722845ce85a262264392eddd18

SHA256
286debab640336f1093f00094cd78886d8a1f587124211b27c15de366fab9546

SHA512
08a70e4a369607e3b4169822e94de697e5f1dd8799ae52d45a8ef8b048547238e7ddc649af1acf0e3d29d4e4f746e2e066972d6f07813cfb7885a36b1901f24c

Download Submit
memory/296-303-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/296-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/296-234-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/536-92-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/536-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/536-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/884-147-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/884-297-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1264-238-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1264-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1472-102-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/1472-94-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1472-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1476-227-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/1476-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1476-302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1476-226-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/1552-125-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1552-295-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1712-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1712-250-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1732-308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1732-283-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1732-284-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1732-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1824-134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1824-296-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1908-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1908-182-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/1908-174-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2012-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2012-289-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2124-67-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2124-291-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-113-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2160-294-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2276-301-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2276-209-0x00000000005D0000-0x0000000000604000-memory.dmp

Filesize
208KB

Download
memory/2276-215-0x00000000005D0000-0x0000000000604000-memory.dmp

Filesize
208KB

Download
memory/2472-6-0x00000000002E0000-0x0000000000314000-memory.dmp

Filesize
208KB

Download
memory/2472-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2472-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2528-285-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2584-53-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2584-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2584-65-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2672-307-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2672-265-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2688-256-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2688-306-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2744-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2744-25-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2744-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2764-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2764-172-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2764-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2816-288-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2816-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3020-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3020-195-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/3020-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads