0be26e9f9836789e2a0032241747bca737da094aebe05428e7a6c71e943ca132

Analysis

max time kernel
33s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
06/08/2024, 19:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc72a1decd73a4d2817ff2739cddb050N.exe
Size

80KB
MD5

dc72a1decd73a4d2817ff2739cddb050
SHA1

dac25c1730834fb756833288e63535d8857338c9
SHA256

0be26e9f9836789e2a0032241747bca737da094aebe05428e7a6c71e943ca132
SHA512

aebce661792c54ab269f341c0e46b69d62178a680b1855bc5f5cab256ee153a1007781488252f8b169b441a5258e9dd1aff49daf978c7eab414f13df1d365204
SSDEEP

1536:5iRigI/AHYeipwjwunCpjvO+21uzDfWqdMVrlEFtyb7IYOOqw4Tv:AMA4BEwunruzTWqAhELy1MTTv

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpdqlkhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkgdbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkjahg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djhldahb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Epgabhdg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enlncdio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eamgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eapcjo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fpgmak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkjahg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eapcjo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flnnfllf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	dc72a1decd73a4d2817ff2739cddb050N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djhldahb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Enlncdio.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkgdbh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Feklja32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Epgabhdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Feklja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gmkjjbhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Flnnfllf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gmkjjbhg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	dc72a1decd73a4d2817ff2739cddb050N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eamgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fpdqlkhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fpgmak32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ffeoid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ffeoid32.exe

Executes dropped EXE 14 IoCs

pid	Process
2172	Djhldahb.exe
2732	Epgabhdg.exe
2872	Enlncdio.exe
2320	Eamgeo32.exe
2796	Eapcjo32.exe
2640	Fpdqlkhe.exe
2604	Fpgmak32.exe
2480	Flnnfllf.exe
2044	Ffeoid32.exe
2820	Feklja32.exe
2960	Gkgdbh32.exe
612	Gkjahg32.exe
1936	Gmkjjbhg.exe
2192	Gmmgobfd.exe

Loads dropped DLL 32 IoCs

pid	Process
2508	dc72a1decd73a4d2817ff2739cddb050N.exe
2508	dc72a1decd73a4d2817ff2739cddb050N.exe
2172	Djhldahb.exe
2172	Djhldahb.exe
2732	Epgabhdg.exe
2732	Epgabhdg.exe
2872	Enlncdio.exe
2872	Enlncdio.exe
2320	Eamgeo32.exe
2320	Eamgeo32.exe
2796	Eapcjo32.exe
2796	Eapcjo32.exe
2640	Fpdqlkhe.exe
2640	Fpdqlkhe.exe
2604	Fpgmak32.exe
2604	Fpgmak32.exe
2480	Flnnfllf.exe
2480	Flnnfllf.exe
2044	Ffeoid32.exe
2044	Ffeoid32.exe
2820	Feklja32.exe
2820	Feklja32.exe
2960	Gkgdbh32.exe
2960	Gkgdbh32.exe
612	Gkjahg32.exe
612	Gkjahg32.exe
1936	Gmkjjbhg.exe
1936	Gmkjjbhg.exe
1124	WerFault.exe
1124	WerFault.exe
1124	WerFault.exe
1124	WerFault.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ahjlfmkh.dll	Fpgmak32.exe
File opened for modification	C:\Windows\SysWOW64\Ffeoid32.exe	Flnnfllf.exe
File opened for modification	C:\Windows\SysWOW64\Djhldahb.exe	dc72a1decd73a4d2817ff2739cddb050N.exe
File created	C:\Windows\SysWOW64\Eijhke32.dll	Djhldahb.exe
File created	C:\Windows\SysWOW64\Enlncdio.exe	Epgabhdg.exe
File created	C:\Windows\SysWOW64\Eamgeo32.exe	Enlncdio.exe
File opened for modification	C:\Windows\SysWOW64\Eamgeo32.exe	Enlncdio.exe
File created	C:\Windows\SysWOW64\Eapcjo32.exe	Eamgeo32.exe
File opened for modification	C:\Windows\SysWOW64\Gkjahg32.exe	Gkgdbh32.exe
File created	C:\Windows\SysWOW64\Epgabhdg.exe	Djhldahb.exe
File created	C:\Windows\SysWOW64\Gkgdbh32.exe	Feklja32.exe
File created	C:\Windows\SysWOW64\Mainpc32.dll	Enlncdio.exe
File created	C:\Windows\SysWOW64\Fpgmak32.exe	Fpdqlkhe.exe
File opened for modification	C:\Windows\SysWOW64\Flnnfllf.exe	Fpgmak32.exe
File created	C:\Windows\SysWOW64\Akinoefk.dll	Flnnfllf.exe
File created	C:\Windows\SysWOW64\Lpdabcij.dll	Ffeoid32.exe
File opened for modification	C:\Windows\SysWOW64\Enlncdio.exe	Epgabhdg.exe
File created	C:\Windows\SysWOW64\Hplbbh32.dll	Eapcjo32.exe
File created	C:\Windows\SysWOW64\Ppmlkl32.dll	Fpdqlkhe.exe
File opened for modification	C:\Windows\SysWOW64\Gkgdbh32.exe	Feklja32.exe
File created	C:\Windows\SysWOW64\Gkiiie32.dll	Gkjahg32.exe
File opened for modification	C:\Windows\SysWOW64\Gmmgobfd.exe	Gmkjjbhg.exe
File created	C:\Windows\SysWOW64\Idlfno32.dll	Gmkjjbhg.exe
File created	C:\Windows\SysWOW64\Djhldahb.exe	dc72a1decd73a4d2817ff2739cddb050N.exe
File created	C:\Windows\SysWOW64\Nlgqod32.dll	dc72a1decd73a4d2817ff2739cddb050N.exe
File opened for modification	C:\Windows\SysWOW64\Epgabhdg.exe	Djhldahb.exe
File created	C:\Windows\SysWOW64\Fpdqlkhe.exe	Eapcjo32.exe
File created	C:\Windows\SysWOW64\Feklja32.exe	Ffeoid32.exe
File created	C:\Windows\SysWOW64\Gmmgobfd.exe	Gmkjjbhg.exe
File opened for modification	C:\Windows\SysWOW64\Fpgmak32.exe	Fpdqlkhe.exe
File created	C:\Windows\SysWOW64\Gkjahg32.exe	Gkgdbh32.exe
File opened for modification	C:\Windows\SysWOW64\Gmkjjbhg.exe	Gkjahg32.exe
File opened for modification	C:\Windows\SysWOW64\Fpdqlkhe.exe	Eapcjo32.exe
File created	C:\Windows\SysWOW64\Ffeoid32.exe	Flnnfllf.exe
File created	C:\Windows\SysWOW64\Kiopjgdl.dll	Feklja32.exe
File created	C:\Windows\SysWOW64\Dlgind32.dll	Gkgdbh32.exe
File created	C:\Windows\SysWOW64\Gmkjjbhg.exe	Gkjahg32.exe
File created	C:\Windows\SysWOW64\Jkjigh32.dll	Epgabhdg.exe
File opened for modification	C:\Windows\SysWOW64\Eapcjo32.exe	Eamgeo32.exe
File created	C:\Windows\SysWOW64\Epggabhd.dll	Eamgeo32.exe
File created	C:\Windows\SysWOW64\Flnnfllf.exe	Fpgmak32.exe
File opened for modification	C:\Windows\SysWOW64\Feklja32.exe	Ffeoid32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1124	2192	WerFault.exe	42

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Epgabhdg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fpdqlkhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flnnfllf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gmmgobfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djhldahb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Feklja32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkgdbh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fpgmak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ffeoid32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gkjahg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gmkjjbhg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc72a1decd73a4d2817ff2739cddb050N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enlncdio.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eamgeo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eapcjo32.exe

Modifies registry class 45 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djhldahb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahjlfmkh.dll"	Fpgmak32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ffeoid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpdabcij.dll"	Ffeoid32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkgdbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mainpc32.dll"	Enlncdio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idlfno32.dll"	Gmkjjbhg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eijhke32.dll"	Djhldahb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eamgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppmlkl32.dll"	Fpdqlkhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkjahg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gmkjjbhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	dc72a1decd73a4d2817ff2739cddb050N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djhldahb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Epgabhdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Flnnfllf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkiiie32.dll"	Gkjahg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Enlncdio.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fpdqlkhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fpgmak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akinoefk.dll"	Flnnfllf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkjahg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fpgmak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Feklja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	dc72a1decd73a4d2817ff2739cddb050N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	dc72a1decd73a4d2817ff2739cddb050N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlgqod32.dll"	dc72a1decd73a4d2817ff2739cddb050N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkjigh32.dll"	Epgabhdg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eapcjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hplbbh32.dll"	Eapcjo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gmkjjbhg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Enlncdio.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eamgeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Flnnfllf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ffeoid32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlgind32.dll"	Gkgdbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkgdbh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Feklja32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kiopjgdl.dll"	Feklja32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	dc72a1decd73a4d2817ff2739cddb050N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	dc72a1decd73a4d2817ff2739cddb050N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Epgabhdg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epggabhd.dll"	Eamgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eapcjo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fpdqlkhe.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2172	2508	dc72a1decd73a4d2817ff2739cddb050N.exe	29
PID 2508 wrote to memory of 2172	2508	dc72a1decd73a4d2817ff2739cddb050N.exe	29
PID 2508 wrote to memory of 2172	2508	dc72a1decd73a4d2817ff2739cddb050N.exe	29
PID 2508 wrote to memory of 2172	2508	dc72a1decd73a4d2817ff2739cddb050N.exe	29
PID 2172 wrote to memory of 2732	2172	Djhldahb.exe	30
PID 2172 wrote to memory of 2732	2172	Djhldahb.exe	30
PID 2172 wrote to memory of 2732	2172	Djhldahb.exe	30
PID 2172 wrote to memory of 2732	2172	Djhldahb.exe	30
PID 2732 wrote to memory of 2872	2732	Epgabhdg.exe	31
PID 2732 wrote to memory of 2872	2732	Epgabhdg.exe	31
PID 2732 wrote to memory of 2872	2732	Epgabhdg.exe	31
PID 2732 wrote to memory of 2872	2732	Epgabhdg.exe	31
PID 2872 wrote to memory of 2320	2872	Enlncdio.exe	32
PID 2872 wrote to memory of 2320	2872	Enlncdio.exe	32
PID 2872 wrote to memory of 2320	2872	Enlncdio.exe	32
PID 2872 wrote to memory of 2320	2872	Enlncdio.exe	32
PID 2320 wrote to memory of 2796	2320	Eamgeo32.exe	33
PID 2320 wrote to memory of 2796	2320	Eamgeo32.exe	33
PID 2320 wrote to memory of 2796	2320	Eamgeo32.exe	33
PID 2320 wrote to memory of 2796	2320	Eamgeo32.exe	33
PID 2796 wrote to memory of 2640	2796	Eapcjo32.exe	34
PID 2796 wrote to memory of 2640	2796	Eapcjo32.exe	34
PID 2796 wrote to memory of 2640	2796	Eapcjo32.exe	34
PID 2796 wrote to memory of 2640	2796	Eapcjo32.exe	34
PID 2640 wrote to memory of 2604	2640	Fpdqlkhe.exe	35
PID 2640 wrote to memory of 2604	2640	Fpdqlkhe.exe	35
PID 2640 wrote to memory of 2604	2640	Fpdqlkhe.exe	35
PID 2640 wrote to memory of 2604	2640	Fpdqlkhe.exe	35
PID 2604 wrote to memory of 2480	2604	Fpgmak32.exe	36
PID 2604 wrote to memory of 2480	2604	Fpgmak32.exe	36
PID 2604 wrote to memory of 2480	2604	Fpgmak32.exe	36
PID 2604 wrote to memory of 2480	2604	Fpgmak32.exe	36
PID 2480 wrote to memory of 2044	2480	Flnnfllf.exe	37
PID 2480 wrote to memory of 2044	2480	Flnnfllf.exe	37
PID 2480 wrote to memory of 2044	2480	Flnnfllf.exe	37
PID 2480 wrote to memory of 2044	2480	Flnnfllf.exe	37
PID 2044 wrote to memory of 2820	2044	Ffeoid32.exe	38
PID 2044 wrote to memory of 2820	2044	Ffeoid32.exe	38
PID 2044 wrote to memory of 2820	2044	Ffeoid32.exe	38
PID 2044 wrote to memory of 2820	2044	Ffeoid32.exe	38
PID 2820 wrote to memory of 2960	2820	Feklja32.exe	39
PID 2820 wrote to memory of 2960	2820	Feklja32.exe	39
PID 2820 wrote to memory of 2960	2820	Feklja32.exe	39
PID 2820 wrote to memory of 2960	2820	Feklja32.exe	39
PID 2960 wrote to memory of 612	2960	Gkgdbh32.exe	40
PID 2960 wrote to memory of 612	2960	Gkgdbh32.exe	40
PID 2960 wrote to memory of 612	2960	Gkgdbh32.exe	40
PID 2960 wrote to memory of 612	2960	Gkgdbh32.exe	40
PID 612 wrote to memory of 1936	612	Gkjahg32.exe	41
PID 612 wrote to memory of 1936	612	Gkjahg32.exe	41
PID 612 wrote to memory of 1936	612	Gkjahg32.exe	41
PID 612 wrote to memory of 1936	612	Gkjahg32.exe	41
PID 1936 wrote to memory of 2192	1936	Gmkjjbhg.exe	42
PID 1936 wrote to memory of 2192	1936	Gmkjjbhg.exe	42
PID 1936 wrote to memory of 2192	1936	Gmkjjbhg.exe	42
PID 1936 wrote to memory of 2192	1936	Gmkjjbhg.exe	42
PID 2192 wrote to memory of 1124	2192	Gmmgobfd.exe	43
PID 2192 wrote to memory of 1124	2192	Gmmgobfd.exe	43
PID 2192 wrote to memory of 1124	2192	Gmmgobfd.exe	43
PID 2192 wrote to memory of 1124	2192	Gmmgobfd.exe	43

C:\Users\Admin\AppData\Local\Temp\dc72a1decd73a4d2817ff2739cddb050N.exe
"C:\Users\Admin\AppData\Local\Temp\dc72a1decd73a4d2817ff2739cddb050N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\SysWOW64\Djhldahb.exe
  C:\Windows\system32\Djhldahb.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\SysWOW64\Epgabhdg.exe
    C:\Windows\system32\Epgabhdg.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\SysWOW64\Enlncdio.exe
      C:\Windows\system32\Enlncdio.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2872
    - - C:\Windows\SysWOW64\Eamgeo32.exe
        
        C:\Windows\system32\Eamgeo32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2320
      - C:\Windows\SysWOW64\Eapcjo32.exe
        
        C:\Windows\system32\Eapcjo32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\SysWOW64\Fpdqlkhe.exe
        
        C:\Windows\system32\Fpdqlkhe.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SysWOW64\Fpgmak32.exe
        
        C:\Windows\system32\Fpgmak32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\Flnnfllf.exe
        
        C:\Windows\system32\Flnnfllf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\SysWOW64\Ffeoid32.exe
        
        C:\Windows\system32\Ffeoid32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\Feklja32.exe
        
        C:\Windows\system32\Feklja32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\SysWOW64\Gkgdbh32.exe
        
        C:\Windows\system32\Gkgdbh32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Gkjahg32.exe
        
        C:\Windows\system32\Gkjahg32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:612
        
        C:\Windows\SysWOW64\Gmkjjbhg.exe
        
        C:\Windows\system32\Gmkjjbhg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\Gmmgobfd.exe
        
        C:\Windows\system32\Gmmgobfd.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 140
        16⤵
        Loads dropped DLL
        Program crash
        
        PID:1124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fpdqlkhe.exe

Filesize
80KB

MD5
16611f7f04231468df4a38cff77dc137

SHA1
71d3fc066c100dc244e9f1fb049c915b7cd5a06d

SHA256
b49fd5d0c973b611b5f1a15fb6ab180359cf02d7923b6f7c844753a475d7eeb1

SHA512
c9de3b2d9e6990b3868776bea234e2a7f1b562d01421dc341fe9ce5b8594e65fad9b605179e0579ad8696c982f7266d11415811c9043d8aba03131d280d752cc

Download Submit
C:\Windows\SysWOW64\Fpgmak32.exe

Filesize
80KB

MD5
00b8c472fb89ea2d4520e75031aae1fb

SHA1
f803ebc333310b8bd22afba010153deb72cca6fc

SHA256
6d598a4a566aff7dc0abe7f2dfa5301b8600199e8e9041a475d0ab879a66147a

SHA512
60517b6feda8e46e3973e8e87a56bffdda8ed169102d860ed94dcb9d4833872a4e1ef186e751c05e53fd93256f1c43fd2b93bb51c28f7f632c96e63537e10d4c

Download Submit
\Windows\SysWOW64\Djhldahb.exe

Filesize
80KB

MD5
d00b265f72ad8ad6fd04a8fe8521b849

SHA1
486768d3e5b8e73388041ed0b4c82712f7e6bc62

SHA256
35acc4b0555a6f436a997cf289bb1be39ef0387879565328d12db0d7c0f2f680

SHA512
da3d33a09de654f6cc802a3ada019936e98d3eec6b14a2fda93e1f06b47407899fe2e8e20e5736109cb6bdaf1da86797267e9d165074a3830a15feb90407b6f8

Download Submit
\Windows\SysWOW64\Eamgeo32.exe

Filesize
80KB

MD5
271b5a4ae39b8cd8bb73fda6058c0d6e

SHA1
c62dc8a9e3a8b3aff2a88744a33ce5f139f71395

SHA256
5c7fdce7acc4bc0a19075b6a65eab3e2658efbdbfb172faa212d3f4cb7d763f5

SHA512
89e0a779dc7b5717bd44efe52b6340046212574520920205d9c812805b11df5589b5ddd2f895828e3494c11fa720d748b7451e609fe5de29aab1f04a4291bad0

Download Submit
\Windows\SysWOW64\Eapcjo32.exe

Filesize
80KB

MD5
40d23f055b6d70225b23704c6b64546b

SHA1
6c0166ec01e5e8920a982dee3281a1fca396dab3

SHA256
72ad92ae25552c793253adb1b057458acef22f989ad9f458111de71d30d44165

SHA512
86c19aa6b7b40828ed28d86ca67a4eb9ba5febca050152db989b9f4d55a089ca0004faba1a84de868efa1c59f8d5939cbaff7eec2fb9a5216de03e7a08ae6e94

Download Submit
\Windows\SysWOW64\Enlncdio.exe

Filesize
80KB

MD5
5af72c3880cf841591f1ce6456fa84b8

SHA1
c32af2a0c7e0b582d4da9a47a70a4e55e31544b7

SHA256
a79b8dbfe6cadc016c96dee79fc9661d4a2a8ef834f7f21df20d5f3c51a38a6a

SHA512
422be270470c6469dbcdeb4bccbe51075b4c420f708e8a5670d48ad3a637b7ca4c5bfe0b7fd7f6781d451b7ae3a902e9208cec5510776dd0973c23717c4e6ed4

Download Submit
\Windows\SysWOW64\Epgabhdg.exe

Filesize
80KB

MD5
8cfa4d541f888e64939cf9bfbd7eb355

SHA1
7e4b048206b802e4f710b99044ed4d82dd1bc1aa

SHA256
f22dcb74faf085dcbbf718363b0f5612c539a4f1d68c60c2f635174103d64113

SHA512
9ecd5f6d876c2a0f5878d5b96f4b3e48c788734cbade942fb4df29ed1bc263e79df8799b694e8add6db8e15eb56ec3157445e4352a34e3b79190488dc357a493

Download Submit
\Windows\SysWOW64\Feklja32.exe

Filesize
80KB

MD5
048f4c197d742f9a62e9dab568e6a8c4

SHA1
afd4053b267268a07bea84d26ef31e2c9d5b54be

SHA256
079ee339951e2bd11303ec3408be12c1f0a4e91346108ea65175f40380d1b9dc

SHA512
a94d3be93df9af7bfaf80a4766c4b0e06fa9025d72df97b65e02cf88bfe7ff1382633ac3434c7729ce04abd29c5952586a88b8318f6e8b6421ed9b95a42baa4d

Download Submit
\Windows\SysWOW64\Ffeoid32.exe

Filesize
80KB

MD5
8a3e3cfa029f7f6cb5fcbbbd9a7cc644

SHA1
782e8d818748441dcf93da741f6f06a8e117c2eb

SHA256
d36b8396a84ccf0140cdf63d64a0ebf654a72effafe84744f33fc54824c45c58

SHA512
74dfb791e4ac5ed93c94fbbe26574577b797e9c14015cf40e84a4fbef43b1f7267f485bc2f427efbdc9c941144402a2be4c308494cda5d1e5bb732bb83e9b6c3

Download Submit
\Windows\SysWOW64\Flnnfllf.exe

Filesize
80KB

MD5
927804b3d39c51f452c1123d24a9bea8

SHA1
21f14a6b19f6432f912fe90d7dc0955383b72a93

SHA256
4a384c321f77231f9c886e7e25686b9038d65807f66bc18a852930b95d3ebb1a

SHA512
6df06c054a092dcca9f87531eb62d6f2f57cd894baa891b61a4c7980be4b0264248c7fa31425e420280810629c36cc86e8323e757a74d96f735ff09291da6ac1

Download Submit
\Windows\SysWOW64\Gkgdbh32.exe

Filesize
80KB

MD5
0707e46ed0f51c942d33670c38deff82

SHA1
a592e0022ec72661575bd9afba07a83e3229aab1

SHA256
397361a7b6c611fb3f9c796ae7f26d866d2790552eeb01b87956514d579c5b60

SHA512
4322bc1a469283afb2d3d184c9256ac71cee74019666d7470bec5461c1c341b4f37f0d746a753ba07019bc9ad95747e2815eade987bc681f6e07090a1bbfdbfc

Download Submit
\Windows\SysWOW64\Gkjahg32.exe

Filesize
80KB

MD5
ab0431dd1465bb781319466647681104

SHA1
31ba86399a08191f726c680d08f96f6053b623ba

SHA256
6dd9711fa50f9951f033faac81bc68fb3f70bee96c2268ad973cbe95a7d4fc16

SHA512
8aea37e40dac302f9ee6d724cb0dc7596e6747837cb5fa74747493596fc7a8afac40d446cc2cac75588087690815794dfe46ca1e9f107bc88d13de5709b511f9

Download Submit
\Windows\SysWOW64\Gmkjjbhg.exe

Filesize
80KB

MD5
dc30b64684602d0f3f2237acc098098a

SHA1
779e5c5a776a981c8e4823fb5ce5e05f2893e537

SHA256
324674395e841432c6279d407a82a4188e183ddcd44131936ed837f297a529dc

SHA512
0201105f7d21f9883a70b1b35fe9c0297ca640491bd86e19c743e3a811872ce93375ab92436599d78989621d02b5546978aba6a8689ef2fbcc99514a88f10f39

Download Submit
\Windows\SysWOW64\Gmmgobfd.exe

Filesize
80KB

MD5
7744640d6310029741a75118d83f1869

SHA1
fad15579a8a9e795b867e16369cff563fad6366f

SHA256
53b9ac256bf80b72c754f9c14a916dc7cfff4f0b003b9d47f9a48e02ff7b3861

SHA512
9211d44dc66efe6bfc595705d790374843c2630ad9371a5b90f7e148e771de43d47c000a29a14d383c26bd92a9d1ad457077edff988b81980b62f9f9a6cdceae

Download Submit
memory/612-204-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1936-174-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1936-205-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2044-201-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2044-122-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2172-193-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2172-28-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/2172-14-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2172-21-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/2192-187-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2320-60-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2320-196-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2480-109-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2480-200-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2508-192-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2508-7-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2508-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2508-13-0x0000000000440000-0x0000000000475000-memory.dmp

Filesize
212KB

Download
memory/2604-199-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2604-108-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/2604-96-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2640-93-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/2640-81-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2640-198-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2732-194-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2796-197-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2796-68-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2820-202-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2820-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2872-195-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2872-41-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2872-49-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/2960-156-0x0000000000220000-0x0000000000255000-memory.dmp

Filesize
212KB

Download
memory/2960-203-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2960-148-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads