f2a107388c9f8f1176d5cd59d600d544f06199ed02e8bc735fbac262c1aaae33

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 14:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b85c81f61f955c17ce2e34c11d648240N.exe
Size

96KB
MD5

b85c81f61f955c17ce2e34c11d648240
SHA1

b8341ec3d97fc944956239075c7652acfcc59712
SHA256

f2a107388c9f8f1176d5cd59d600d544f06199ed02e8bc735fbac262c1aaae33
SHA512

c36ed5d8e8fd499ddb11387d335ce8dee13b8fb7153cabcba7eaf920785b0a642fe6ee24930ad665e747132d3c77446e6265e8927ebf24d8694c373afe45f821
SSDEEP

1536:IfIbj6tbTNb2Ha0olTp2LysBMu/HCmiDcg3MZRP3cEW3AE:tbj6vj0yTiya6miEo

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fjjjgh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnhbmgmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqnejaff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fgiaemic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fncibg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcbnpnme.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnjocf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	b85c81f61f955c17ce2e34c11d648240N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnjocf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggepalof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ggepalof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdkdibjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ggccllai.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnmlhf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fclhpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdiakp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egegjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fqdbdbna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdbkja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdiakp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ejagaj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecikjoep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enopghee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcbnpnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fklcgk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egegjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdkdibjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgiaemic.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fklcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqnejaff.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b85c81f61f955c17ce2e34c11d648240N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ecikjoep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdbkja32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gqkhda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egbken32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ejagaj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fqdbdbna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ggccllai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gnmlhf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gnohnffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enopghee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fnalmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gjficg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnalmh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gjficg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Egbken32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fncibg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fcpakn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjjjgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fnhbmgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gqkhda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fclhpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcpakn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gnohnffc.exe

Executes dropped EXE 27 IoCs

pid	Process
4720	Egbken32.exe
796	Ejagaj32.exe
4932	Ecikjoep.exe
1192	Egegjn32.exe
2312	Enopghee.exe
2316	Fclhpo32.exe
1516	Fnalmh32.exe
3280	Fdkdibjp.exe
1108	Fgiaemic.exe
1088	Fncibg32.exe
720	Fcpakn32.exe
4340	Fjjjgh32.exe
4716	Fqdbdbna.exe
4640	Fcbnpnme.exe
3288	Fnhbmgmk.exe
2684	Fdbkja32.exe
632	Fklcgk32.exe
4076	Fnjocf32.exe
928	Ggccllai.exe
1844	Gnmlhf32.exe
3772	Gqkhda32.exe
4332	Ggepalof.exe
1944	Gnohnffc.exe
952	Gqnejaff.exe
4100	Gdiakp32.exe
1500	Gjficg32.exe
4548	Gbmadd32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Fnhbmgmk.exe	Fcbnpnme.exe
File created	C:\Windows\SysWOW64\Dodfed32.dll	Ejagaj32.exe
File opened for modification	C:\Windows\SysWOW64\Egegjn32.exe	Ecikjoep.exe
File opened for modification	C:\Windows\SysWOW64\Enopghee.exe	Egegjn32.exe
File created	C:\Windows\SysWOW64\Ppkjigdd.dll	Fnalmh32.exe
File created	C:\Windows\SysWOW64\Begndj32.dll	Fgiaemic.exe
File created	C:\Windows\SysWOW64\Fqdbdbna.exe	Fjjjgh32.exe
File created	C:\Windows\SysWOW64\Ecikjoep.exe	Ejagaj32.exe
File created	C:\Windows\SysWOW64\Pbfbkfaa.dll	Fclhpo32.exe
File created	C:\Windows\SysWOW64\Okkbgpmc.dll	Fdkdibjp.exe
File created	C:\Windows\SysWOW64\Ggepalof.exe	Gqkhda32.exe
File created	C:\Windows\SysWOW64\Fnhbmgmk.exe	Fcbnpnme.exe
File created	C:\Windows\SysWOW64\Mcqelbcc.dll	Ggccllai.exe
File created	C:\Windows\SysWOW64\Egbken32.exe	b85c81f61f955c17ce2e34c11d648240N.exe
File created	C:\Windows\SysWOW64\Nhbjnc32.dll	b85c81f61f955c17ce2e34c11d648240N.exe
File created	C:\Windows\SysWOW64\Jhhnfh32.dll	Ecikjoep.exe
File created	C:\Windows\SysWOW64\Fnalmh32.exe	Fclhpo32.exe
File created	C:\Windows\SysWOW64\Fcbnpnme.exe	Fqdbdbna.exe
File created	C:\Windows\SysWOW64\Gbjlkd32.dll	Fqdbdbna.exe
File opened for modification	C:\Windows\SysWOW64\Ecikjoep.exe	Ejagaj32.exe
File created	C:\Windows\SysWOW64\Fncibg32.exe	Fgiaemic.exe
File created	C:\Windows\SysWOW64\Gqkhda32.exe	Gnmlhf32.exe
File created	C:\Windows\SysWOW64\Gnohnffc.exe	Ggepalof.exe
File opened for modification	C:\Windows\SysWOW64\Gnohnffc.exe	Ggepalof.exe
File created	C:\Windows\SysWOW64\Ckfaapfi.dll	Gnohnffc.exe
File created	C:\Windows\SysWOW64\Fdbkja32.exe	Fnhbmgmk.exe
File created	C:\Windows\SysWOW64\Lhlgjo32.dll	Fklcgk32.exe
File opened for modification	C:\Windows\SysWOW64\Gnmlhf32.exe	Ggccllai.exe
File opened for modification	C:\Windows\SysWOW64\Egbken32.exe	b85c81f61f955c17ce2e34c11d648240N.exe
File created	C:\Windows\SysWOW64\Ejagaj32.exe	Egbken32.exe
File opened for modification	C:\Windows\SysWOW64\Ejagaj32.exe	Egbken32.exe
File created	C:\Windows\SysWOW64\Fclhpo32.exe	Enopghee.exe
File opened for modification	C:\Windows\SysWOW64\Fclhpo32.exe	Enopghee.exe
File created	C:\Windows\SysWOW64\Fcpakn32.exe	Fncibg32.exe
File created	C:\Windows\SysWOW64\Fjjjgh32.exe	Fcpakn32.exe
File created	C:\Windows\SysWOW64\Gajlgpic.dll	Fjjjgh32.exe
File opened for modification	C:\Windows\SysWOW64\Fdbkja32.exe	Fnhbmgmk.exe
File opened for modification	C:\Windows\SysWOW64\Ggccllai.exe	Fnjocf32.exe
File created	C:\Windows\SysWOW64\Ohgohiia.dll	Ggepalof.exe
File created	C:\Windows\SysWOW64\Eclbio32.dll	Enopghee.exe
File created	C:\Windows\SysWOW64\Celhnb32.dll	Fdbkja32.exe
File created	C:\Windows\SysWOW64\Lifcnk32.dll	Gnmlhf32.exe
File opened for modification	C:\Windows\SysWOW64\Fnalmh32.exe	Fclhpo32.exe
File opened for modification	C:\Windows\SysWOW64\Fjjjgh32.exe	Fcpakn32.exe
File created	C:\Windows\SysWOW64\Gbmadd32.exe	Gjficg32.exe
File opened for modification	C:\Windows\SysWOW64\Gbmadd32.exe	Gjficg32.exe
File created	C:\Windows\SysWOW64\Hjmgbm32.dll	Gjficg32.exe
File created	C:\Windows\SysWOW64\Egegjn32.exe	Ecikjoep.exe
File opened for modification	C:\Windows\SysWOW64\Fcbnpnme.exe	Fqdbdbna.exe
File created	C:\Windows\SysWOW64\Fklcgk32.exe	Fdbkja32.exe
File opened for modification	C:\Windows\SysWOW64\Fklcgk32.exe	Fdbkja32.exe
File created	C:\Windows\SysWOW64\Ggccllai.exe	Fnjocf32.exe
File created	C:\Windows\SysWOW64\Gnmlhf32.exe	Ggccllai.exe
File created	C:\Windows\SysWOW64\Fdkdibjp.exe	Fnalmh32.exe
File opened for modification	C:\Windows\SysWOW64\Fncibg32.exe	Fgiaemic.exe
File opened for modification	C:\Windows\SysWOW64\Fcpakn32.exe	Fncibg32.exe
File opened for modification	C:\Windows\SysWOW64\Gqnejaff.exe	Gnohnffc.exe
File opened for modification	C:\Windows\SysWOW64\Gdiakp32.exe	Gqnejaff.exe
File created	C:\Windows\SysWOW64\Emjnfn32.dll	Gdiakp32.exe
File created	C:\Windows\SysWOW64\Qmofmb32.dll	Egbken32.exe
File opened for modification	C:\Windows\SysWOW64\Fdkdibjp.exe	Fnalmh32.exe
File created	C:\Windows\SysWOW64\Hmcipf32.dll	Fnhbmgmk.exe
File opened for modification	C:\Windows\SysWOW64\Gjficg32.exe	Gdiakp32.exe
File created	C:\Windows\SysWOW64\Kfkklk32.dll	Gqkhda32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2252	4548	WerFault.exe	119

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcpakn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fqdbdbna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ggccllai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgiaemic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ggepalof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gqnejaff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ejagaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fclhpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcbnpnme.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gqkhda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enopghee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnalmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjjjgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fklcgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnjocf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnohnffc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egbken32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fncibg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gjficg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecikjoep.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egegjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b85c81f61f955c17ce2e34c11d648240N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fnhbmgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gnmlhf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gbmadd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdkdibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdiakp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdbkja32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ejagaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ejagaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fgiaemic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcbnpnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gjficg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	b85c81f61f955c17ce2e34c11d648240N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Egbken32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egegjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgjjlakk.dll"	Egegjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fclhpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gajlgpic.dll"	Fjjjgh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gjficg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbfbkfaa.dll"	Fclhpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fnhbmgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogeigbeb.dll"	Fnjocf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckfaapfi.dll"	Gnohnffc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Backedki.dll"	Gqnejaff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eclbio32.dll"	Enopghee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fjjjgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcipf32.dll"	Fnhbmgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ggccllai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ggccllai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gdiakp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	b85c81f61f955c17ce2e34c11d648240N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enopghee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fnalmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fcbnpnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfkklk32.dll"	Gqkhda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppkjigdd.dll"	Fnalmh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fqdbdbna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbjlkd32.dll"	Fqdbdbna.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gdiakp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhbjnc32.dll"	b85c81f61f955c17ce2e34c11d648240N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodfed32.dll"	Ejagaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ecikjoep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fdkdibjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fncibg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fdbkja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fclhpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okkbgpmc.dll"	Fdkdibjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fcpakn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fnhbmgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fnjocf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ggepalof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	b85c81f61f955c17ce2e34c11d648240N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fncibg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcqelbcc.dll"	Ggccllai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emjnfn32.dll"	Gdiakp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fnjocf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gnmlhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifcnk32.dll"	Gnmlhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Egegjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fjjjgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iolgql32.dll"	Fcbnpnme.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohgohiia.dll"	Ggepalof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ecikjoep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdeeipfp.dll"	Fcpakn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Celhnb32.dll"	Fdbkja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fklcgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gqnejaff.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	b85c81f61f955c17ce2e34c11d648240N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Egbken32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhhnfh32.dll"	Ecikjoep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fgiaemic.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3740 wrote to memory of 4720	3740	b85c81f61f955c17ce2e34c11d648240N.exe	92
PID 3740 wrote to memory of 4720	3740	b85c81f61f955c17ce2e34c11d648240N.exe	92
PID 3740 wrote to memory of 4720	3740	b85c81f61f955c17ce2e34c11d648240N.exe	92
PID 4720 wrote to memory of 796	4720	Egbken32.exe	93
PID 4720 wrote to memory of 796	4720	Egbken32.exe	93
PID 4720 wrote to memory of 796	4720	Egbken32.exe	93
PID 796 wrote to memory of 4932	796	Ejagaj32.exe	94
PID 796 wrote to memory of 4932	796	Ejagaj32.exe	94
PID 796 wrote to memory of 4932	796	Ejagaj32.exe	94
PID 4932 wrote to memory of 1192	4932	Ecikjoep.exe	96
PID 4932 wrote to memory of 1192	4932	Ecikjoep.exe	96
PID 4932 wrote to memory of 1192	4932	Ecikjoep.exe	96
PID 1192 wrote to memory of 2312	1192	Egegjn32.exe	97
PID 1192 wrote to memory of 2312	1192	Egegjn32.exe	97
PID 1192 wrote to memory of 2312	1192	Egegjn32.exe	97
PID 2312 wrote to memory of 2316	2312	Enopghee.exe	98
PID 2312 wrote to memory of 2316	2312	Enopghee.exe	98
PID 2312 wrote to memory of 2316	2312	Enopghee.exe	98
PID 2316 wrote to memory of 1516	2316	Fclhpo32.exe	99
PID 2316 wrote to memory of 1516	2316	Fclhpo32.exe	99
PID 2316 wrote to memory of 1516	2316	Fclhpo32.exe	99
PID 1516 wrote to memory of 3280	1516	Fnalmh32.exe	100
PID 1516 wrote to memory of 3280	1516	Fnalmh32.exe	100
PID 1516 wrote to memory of 3280	1516	Fnalmh32.exe	100
PID 3280 wrote to memory of 1108	3280	Fdkdibjp.exe	101
PID 3280 wrote to memory of 1108	3280	Fdkdibjp.exe	101
PID 3280 wrote to memory of 1108	3280	Fdkdibjp.exe	101
PID 1108 wrote to memory of 1088	1108	Fgiaemic.exe	102
PID 1108 wrote to memory of 1088	1108	Fgiaemic.exe	102
PID 1108 wrote to memory of 1088	1108	Fgiaemic.exe	102
PID 1088 wrote to memory of 720	1088	Fncibg32.exe	103
PID 1088 wrote to memory of 720	1088	Fncibg32.exe	103
PID 1088 wrote to memory of 720	1088	Fncibg32.exe	103
PID 720 wrote to memory of 4340	720	Fcpakn32.exe	104
PID 720 wrote to memory of 4340	720	Fcpakn32.exe	104
PID 720 wrote to memory of 4340	720	Fcpakn32.exe	104
PID 4340 wrote to memory of 4716	4340	Fjjjgh32.exe	105
PID 4340 wrote to memory of 4716	4340	Fjjjgh32.exe	105
PID 4340 wrote to memory of 4716	4340	Fjjjgh32.exe	105
PID 4716 wrote to memory of 4640	4716	Fqdbdbna.exe	106
PID 4716 wrote to memory of 4640	4716	Fqdbdbna.exe	106
PID 4716 wrote to memory of 4640	4716	Fqdbdbna.exe	106
PID 4640 wrote to memory of 3288	4640	Fcbnpnme.exe	107
PID 4640 wrote to memory of 3288	4640	Fcbnpnme.exe	107
PID 4640 wrote to memory of 3288	4640	Fcbnpnme.exe	107
PID 3288 wrote to memory of 2684	3288	Fnhbmgmk.exe	108
PID 3288 wrote to memory of 2684	3288	Fnhbmgmk.exe	108
PID 3288 wrote to memory of 2684	3288	Fnhbmgmk.exe	108
PID 2684 wrote to memory of 632	2684	Fdbkja32.exe	109
PID 2684 wrote to memory of 632	2684	Fdbkja32.exe	109
PID 2684 wrote to memory of 632	2684	Fdbkja32.exe	109
PID 632 wrote to memory of 4076	632	Fklcgk32.exe	110
PID 632 wrote to memory of 4076	632	Fklcgk32.exe	110
PID 632 wrote to memory of 4076	632	Fklcgk32.exe	110
PID 4076 wrote to memory of 928	4076	Fnjocf32.exe	111
PID 4076 wrote to memory of 928	4076	Fnjocf32.exe	111
PID 4076 wrote to memory of 928	4076	Fnjocf32.exe	111
PID 928 wrote to memory of 1844	928	Ggccllai.exe	112
PID 928 wrote to memory of 1844	928	Ggccllai.exe	112
PID 928 wrote to memory of 1844	928	Ggccllai.exe	112
PID 1844 wrote to memory of 3772	1844	Gnmlhf32.exe	113
PID 1844 wrote to memory of 3772	1844	Gnmlhf32.exe	113
PID 1844 wrote to memory of 3772	1844	Gnmlhf32.exe	113
PID 3772 wrote to memory of 4332	3772	Gqkhda32.exe	114

C:\Users\Admin\AppData\Local\Temp\b85c81f61f955c17ce2e34c11d648240N.exe
"C:\Users\Admin\AppData\Local\Temp\b85c81f61f955c17ce2e34c11d648240N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3740
- C:\Windows\SysWOW64\Egbken32.exe
  C:\Windows\system32\Egbken32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4720
- - C:\Windows\SysWOW64\Ejagaj32.exe
    C:\Windows\system32\Ejagaj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:796
  - - C:\Windows\SysWOW64\Ecikjoep.exe
      C:\Windows\system32\Ecikjoep.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4932
    - - C:\Windows\SysWOW64\Egegjn32.exe
        
        C:\Windows\system32\Egegjn32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1192
      - C:\Windows\SysWOW64\Enopghee.exe
        
        C:\Windows\system32\Enopghee.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\SysWOW64\Fclhpo32.exe
        
        C:\Windows\system32\Fclhpo32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\SysWOW64\Fnalmh32.exe
        
        C:\Windows\system32\Fnalmh32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Fdkdibjp.exe
        
        C:\Windows\system32\Fdkdibjp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\SysWOW64\Fgiaemic.exe
        
        C:\Windows\system32\Fgiaemic.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\SysWOW64\Fncibg32.exe
        
        C:\Windows\system32\Fncibg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\SysWOW64\Fcpakn32.exe
        
        C:\Windows\system32\Fcpakn32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:720
        
        C:\Windows\SysWOW64\Fjjjgh32.exe
        
        C:\Windows\system32\Fjjjgh32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\SysWOW64\Fqdbdbna.exe
        
        C:\Windows\system32\Fqdbdbna.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\SysWOW64\Fcbnpnme.exe
        
        C:\Windows\system32\Fcbnpnme.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\Fnhbmgmk.exe
        
        C:\Windows\system32\Fnhbmgmk.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Windows\SysWOW64\Fdbkja32.exe
        
        C:\Windows\system32\Fdbkja32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2684
        
        C:\Windows\SysWOW64\Fklcgk32.exe
        
        C:\Windows\system32\Fklcgk32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\SysWOW64\Fnjocf32.exe
        
        C:\Windows\system32\Fnjocf32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\SysWOW64\Ggccllai.exe
        
        C:\Windows\system32\Ggccllai.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:928
        
        C:\Windows\SysWOW64\Gnmlhf32.exe
        
        C:\Windows\system32\Gnmlhf32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\SysWOW64\Gqkhda32.exe
        
        C:\Windows\system32\Gqkhda32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Windows\SysWOW64\Ggepalof.exe
        
        C:\Windows\system32\Ggepalof.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Gnohnffc.exe
        
        C:\Windows\system32\Gnohnffc.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1944
        
        C:\Windows\SysWOW64\Gqnejaff.exe
        
        C:\Windows\system32\Gqnejaff.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:952
        
        C:\Windows\SysWOW64\Gdiakp32.exe
        
        C:\Windows\system32\Gdiakp32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4100
        
        C:\Windows\SysWOW64\Gjficg32.exe
        
        C:\Windows\system32\Gjficg32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Gbmadd32.exe
        
        C:\Windows\system32\Gbmadd32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 400
        29⤵
        Program crash
        
        PID:2252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4548 -ip 4548
1⤵
PID:4248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1296,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=4360 /prefetch:8
1⤵
PID:4840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ecikjoep.exe

Filesize
96KB

MD5
0d0e5e394c3f609ade384112bd7853ae

SHA1
58c76dd9707adc73a6a3bd03716faa829aefd842

SHA256
1a987c082b63740069ad7b167160bf34efca04ff03d1840b4a20d795516a9396

SHA512
ca5f0bc9cac6c362936730cc0ccff25b1d166046c17923e5905c4291669d8edcd4ec97403c70602a73316e95ad1f1a9802d52e94006c7b9a0d74e8b8369df907

Download Submit
C:\Windows\SysWOW64\Egbken32.exe

Filesize
96KB

MD5
3df3709556a3f7c0fdb5f6fed0067386

SHA1
8939f9aac7f9cd4ebddf37d101d4390899e2a3f7

SHA256
d16d9f2795675eb496b3d2c4912adfe46b2c8a92d345a87f7923af39c84e914b

SHA512
6803934b8fd515ec9ace32f8a7de6582a92f2a80cf540e374d8f34ad8a6bbb28e1ed94c8b22e4a2adcdb45cd8e2db28c14252d4c9ed85605ae367c3c9a7dd90d

Download Submit
C:\Windows\SysWOW64\Egegjn32.exe

Filesize
96KB

MD5
07287b46a861bbbef816274a410d6d5b

SHA1
166b2e3bd85e80334bd16e309b244e63792426f2

SHA256
64c2c31ca2cd407c9717739644ef751cd235c9bc731d386b9f0656dd9ea49c0f

SHA512
0fd00d5edf1fc59cdce2c1bc262fcc92c1158cbbc297fabab90a67ff0f50cbffbec90d511a7ef8e2aa8baa25fb759811115aede7d94b6df201b12cf0e1682bee

Download Submit
C:\Windows\SysWOW64\Ejagaj32.exe

Filesize
96KB

MD5
964ea799b5e07ca6851d137c81049b34

SHA1
61fe2361290a054ca595667fa93b732bec6536b8

SHA256
e81b3b8192a07896efcba8d6e339ddba06abbc9bfa4717e13169cccb8e31e20c

SHA512
8ce830876b40699874c3b70248bad7a758c1b959445d0e6d9fcca941dca4aa1ef9b042c2c4654c299d32fcadb166cbd94d9e2decb4b9f62d984303c6f1418573

Download Submit
C:\Windows\SysWOW64\Enopghee.exe

Filesize
96KB

MD5
3e2c74d40a3462143f6c1deed8ab530f

SHA1
792686375d36cc53c9757abd89d812144dcd7418

SHA256
a1560f9ef08267455792810c58cacc929f67619ddb28e6c18378d26b2119f9e4

SHA512
e6742aed6953a76c61cf1fb749f689fb2254066cbf07d1784d2bd21c3ee79c9b15ede8d2db6678204b834e6d2bd5d6ec66a477e37d9733637d8c46a800df2090

Download Submit
C:\Windows\SysWOW64\Fcbnpnme.exe

Filesize
96KB

MD5
1c195acba9bcb67dff0ebdbe73302073

SHA1
de1398e5edb96ee22ee8076356dd04c40551920e

SHA256
a9dae00469209067c3a024641174d861f8d1c6c17fd6e2e0e472074dc6198ccc

SHA512
af1c6b65f3ed820c76081a52dc9a0e15f1bb51d659c252f2f6327ac6a0e16e784b60d0ce94bd9770b74f86bad59311bbfe9a04cd5c306edcfd10925f0affd182

Download Submit
C:\Windows\SysWOW64\Fclhpo32.exe

Filesize
96KB

MD5
46faf2c4a4ef256dcdb4dd63df5cd84d

SHA1
ecd5c6220fac0bfda8c318c155567a2a01cf7245

SHA256
8106fc5408cb52699216ab7031423be29b35b57e0c7e07ca4706c3df097acd20

SHA512
042a747c9dd916545b8d14f560eb96652f8e1883f1042a0f5364d3eceee67ff36cb9d93ad0b28a38ea471458df295a70421916aa81d1f8085a83aad818405860

Download Submit
C:\Windows\SysWOW64\Fcpakn32.exe

Filesize
96KB

MD5
576899722fd6da83334c6fdea80dd035

SHA1
8ede0f8acb5f1a46143adbe784caadaf4dc278ec

SHA256
b5726985d7449c4581c41ecd4f2be9a784ed60d7b1af0e856518075dcfa856ed

SHA512
065bc44fb999ace8d31c7d8dc00e6918886f23206950e3a4753d7658bc527bbe1c6bf081138b58cebff671757ca8e2338d88f51b440f4cf3efd350707b869206

Download Submit
C:\Windows\SysWOW64\Fdbkja32.exe

Filesize
96KB

MD5
24c41d0c38a3be0bc853a9e31e2d5481

SHA1
b29cfed843229f461566acebe3c1edbf30841017

SHA256
294c3a4c0e3462c0c6842b18100485226cf83b1ec8d404642a532e78069777f7

SHA512
af0f8419eefe98b37ba42b78e8dcf3987acf862efdba746a3da7678f5f33dd398b62d8a11cdd39d0ff092cc1c70b0719a821a6918414af9521b3402d2d1b3d8f

Download Submit
C:\Windows\SysWOW64\Fdkdibjp.exe

Filesize
96KB

MD5
c0279d8a5b6e2c5bf8d587891f3c2467

SHA1
2ddf3a451bb9e2ac20b34cc161bb0a6ac11e877e

SHA256
71586920656bd6c1a9dae291f9104841ccee87f62fd22fcfa000fcbbdf06bb59

SHA512
fcffabf85b1dc701c41b2fad4bdaf231186f1d5fa974eaefe49f027cbaad891263173e4f59558dea6551c791dbd32225f4ff59431ce3c07aaa42110be06ff5f5

Download Submit
C:\Windows\SysWOW64\Fgiaemic.exe

Filesize
96KB

MD5
11d1f1111ae260f3a3ab3d171a6bfb4b

SHA1
2e29f02da3e294f4967cb586bfb11a34e496337c

SHA256
c81a67453846815912cc4d10e83fb8dd352c5cc7245429b4afdcb416c257a956

SHA512
3c06ed07f0e75c5b8522e8f01c0ab8a443158673e578faad940f6eb586cdc170e5d0a7a543e0701ed8e98655a6c165eb88a71a293276135f3d6d2ce6164eb950

Download Submit
C:\Windows\SysWOW64\Fjjjgh32.exe

Filesize
96KB

MD5
70d764f03b97466e346b8b7af81b1287

SHA1
ded6667b6d1ba806df9d7c68329cfaf20a3e3c29

SHA256
ce2e2304ff8b8b35bf538de16f048efe6505e85a19a9d7120c19aaa3321047e4

SHA512
463b0a49b36b35bbd05c51d61666bfc045c1b28804826f668eb5531942c646dbbbb196324aaf927d0917b1d889ecfc75651c6ceb43c5be3c071b9c7e4de1467c

Download Submit
C:\Windows\SysWOW64\Fklcgk32.exe

Filesize
96KB

MD5
4413f18a6342c547b5ae06bdc675f391

SHA1
0612aede04e3c852b83a0d19b60c5a767d4ae963

SHA256
4d87af176382da612257d9854a53985d05476839457fb73504256f83659aa580

SHA512
09f3b009efecd82023f007c2990607637dc105ee8875ce93847787c329a8f0f4e25c44b91e14f2d998070acdb7a71e58d45748b60c38b93b5325be3e5c8f216f

Download Submit
C:\Windows\SysWOW64\Fnalmh32.exe

Filesize
96KB

MD5
708afe326140ddee48be4e81d9ee10b5

SHA1
6f17f47bb948823f6f7f368e441cd66054dccc87

SHA256
f6074f5f23bab935256ee737f260b7317b5efaeded44203e02761e00f20df92a

SHA512
45ae4a1ece6970f99774c5f69b8d9050e1b2b824faa0e5e117fb90aaf9489bd99080a7aeff827b2c1c1b7dc17bb93ab66940f0c89c9c0b2367362980579ff33b

Download Submit
C:\Windows\SysWOW64\Fncibg32.exe

Filesize
96KB

MD5
d4f7d562dc7eb8bc09a3ed82f5c95321

SHA1
25c92f18b6dfa11919b7f039cb9ced6d1db9378e

SHA256
b1cef7e2c25aa7b75eb77b710933561497b7e53de087d01f44d976f9c531d450

SHA512
78002462af77faba5cde9e304a8fefa124b7fff3fc4e8d28518c362a188ce77df4d32a29abd54e2622efa0367a7ecd85e15b540ea93b393cff712075d94a3e0e

Download Submit
C:\Windows\SysWOW64\Fnhbmgmk.exe

Filesize
96KB

MD5
a4f23a1889b2a69a21ecded24008d859

SHA1
4ec7c9e6b58d1df9a1f70d5655dccfb88c361809

SHA256
a422a732dda0671c9bb9db6931b7bcd23177a761dd3e69d7849e5d7c0403495c

SHA512
896e9c8a2bea62caac92f19708533a0a1ebcc8acf1930623438211e473630841e473d3de72913c53df4f29de287a34d382bdc83f1c7179e19c4afcbd0d23d5ad

Download Submit
C:\Windows\SysWOW64\Fnjocf32.exe

Filesize
96KB

MD5
5a9367563154d11afedf5831ee779091

SHA1
f83a6b4c621a78df65ceb5dca4ca629e7b7b6b30

SHA256
80c920b85b669d25c70fe12d9d16f15813a9ce052127bff28e34d66a1f176745

SHA512
1212c0ffddd069ea34b06de71cb46071a90fba27e210ed384b3fff1ff9b5002a730d75433b59d61b5a30532d2822b6ca75222d1ca92469cebac5a93b5ed1c108

Download Submit
C:\Windows\SysWOW64\Fqdbdbna.exe

Filesize
96KB

MD5
d31357cfe584e409a972be092805c714

SHA1
e1ab4f3d6824e5baed9f9e4d072061596afde9d6

SHA256
e0e57e337468faaa12af9f73a31b06c3a18be75919ce1e425125795b2b435c28

SHA512
178b53a115a7b81d238bd41e4d57e0b2a6f9116d0a17e57c5e7ebbbf68a08e87ba8edd163b4a61645122980a149408795d10ca99ef3d52e518fda38b5f989be9

Download Submit
C:\Windows\SysWOW64\Gbmadd32.exe

Filesize
96KB

MD5
08c492fc564b8e82d1551d532f73884d

SHA1
dbe6c7a6d33a52c19a4f88e910eb71ec631dbe28

SHA256
2c8662acd400419a9c55f494821619e27392526afc15f3ea20fcf9801bee1f7e

SHA512
ef1fdac63b7353487be8542613f52013fefb7f8acdfbf2f9762adec827031088bcdbe44bc32b5aed1bdbd35b8ea38370de2a7f39bb1614e11f97b4e2facef239

Download Submit
C:\Windows\SysWOW64\Gdiakp32.exe

Filesize
96KB

MD5
e944e881fa3229c89babd7537651f272

SHA1
9f083640d4788bc48f5bd749298126293a12c3e0

SHA256
dd8dc33aae20fbf3a7c55773df124a881b78170d192c326b3c092116f974403b

SHA512
c4fca66f132ece5de3bb8f2635512ade50ad26800d1a685453437a88136faf7027118afa3af8ceeb852f9c7b56d5db30c7acfc531ff25373d9a78396355b7ea4

Download Submit
C:\Windows\SysWOW64\Ggccllai.exe

Filesize
96KB

MD5
921aa83c8353890d6d15ed69669944f3

SHA1
56b69c101577487ec629ab0df761135f0f649e2b

SHA256
a87e063c0de3604e1fdc574dc1432ced9d842a4d420bebec055f1faff1602413

SHA512
e48074abde593cc71336c68d0c09d8ff7841e22fba39dcaeecda6c31404b88fb926475972c7efb237a5ce5cd1ffbfd6a726028293c0b3687a72ae0e1b5afa188

Download Submit
C:\Windows\SysWOW64\Ggepalof.exe

Filesize
96KB

MD5
66095813065200bdd1291d92b2a54ada

SHA1
03b6af17ea9f0d63679a53d5c528d29acd2040cc

SHA256
6362cb39213d6748d54b8cf464e18bb60ea2b542e88d963e1be30be827412c2f

SHA512
74b1e7d734a328aeb3bc54a446f3023efd28c50a492fbd113368a35d473dd77a6617b7d7020d3a52a7ceff9d2968e8e079ab86323b98b477da27e66839397de8

Download Submit
C:\Windows\SysWOW64\Gjficg32.exe

Filesize
96KB

MD5
56913f1591ce15e0f73f76ace2087063

SHA1
4635de9562a895cb233ffd0d0dc6cb6cbd0e3508

SHA256
eaaddfec557d3ef74ab742b7748c6438520f6eed96359a63c1c1184cd41d3639

SHA512
1f8f51e7daff193aa57cd4358fe7f3d9bf6b22597cefda79bf812f71b83047a1cf8f7acf8c1b091e6006ea6e905f482a12b073f75cf2f9887dcdec9f76fe8644

Download Submit
C:\Windows\SysWOW64\Gnmlhf32.exe

Filesize
96KB

MD5
745abc4697abdb3b68ff4f3de5af0d00

SHA1
68086be8ef05375c5a1cb95dd6b2930ba396a74e

SHA256
6b134bb6e6ff01e9f73a4152c7c07d8e5a4ad52d3e38983c2be325932bfe4dea

SHA512
31d3677a6ae55703d914f70ce53b4c5ac4d6358d759ca3797e0b5f029504bdd33e24d27d317cc104c0fb57c166fd686aa396de8771655af39be869128b32a095

Download Submit
C:\Windows\SysWOW64\Gnohnffc.exe

Filesize
96KB

MD5
e211793e616af263e806b6c83a2fc8cb

SHA1
6d96558e64fab575777e4cd07ec33a3eb6ff46fc

SHA256
a56dceb4c7b4230e913a03f6da08b89c6958ec5dff0bb5941f99f114a60ce47c

SHA512
e830338f9f643634b596e6daa147d5523f26c9d7441f1bc40706f85e26775186b7b9347f03e44d464860c2328849c02f61b931b132dacbba349d84e0007e2dcb

Download Submit
C:\Windows\SysWOW64\Gqkhda32.exe

Filesize
96KB

MD5
0d7f6777b4c3e99970103bf8b971663a

SHA1
be6716a8350295a566defb80d69c3a91ff532d90

SHA256
bf0a664c92c256b88ea621b5d6f3948950b42a6e92d891e9580e031de9678a6d

SHA512
757775f632508c03ee36aba851883a60799b5b4b904cd06d756731d2885e7db79fa8370a49c36c5551516217b69277ed9167b4b3abbea53ccfca0f766416616a

Download Submit
C:\Windows\SysWOW64\Gqnejaff.exe

Filesize
96KB

MD5
483769f6b92167859c72d233ab829dc2

SHA1
e21590510d68160eeae97be09a4ac67b51068e33

SHA256
ad5e800525a55c21f89bd4163bc295ecb16cbab2fdf872a093ffa88c7aab5505

SHA512
28d92fa5d3626ac1908396eca02fbced03cfcf8c5021ea8193036cfdb54973551ad7a808b0bf3992c018a79f4f78b63a3f9054e3efb1d2b6d2c2ffaef8e334e6

Download Submit
memory/632-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/720-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/720-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/796-265-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/796-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/928-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/928-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/952-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/952-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1088-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1088-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1108-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1108-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1192-37-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1500-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1500-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1844-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1844-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1944-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-258-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2316-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2684-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2684-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3280-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3280-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3288-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3288-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3740-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3740-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3740-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3772-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4076-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4076-235-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4100-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4100-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4332-228-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4332-177-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4340-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4340-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4640-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4640-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4716-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4716-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4720-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4720-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads