1a0d135e8df76c74658a17ad72a80bf0e563175fc868c136a585350304988c89

Analysis

max time kernel
33s
max time network
20s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
29/08/2024, 19:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a0d135e8df76c74658a17ad72a80bf0e563175fc868c136a585350304988c89.exe
Size

76KB
MD5

6655e0285395c51e207c067cf7c48df3
SHA1

155dfc185ae82d513e01320d07153ed692f87378
SHA256

1a0d135e8df76c74658a17ad72a80bf0e563175fc868c136a585350304988c89
SHA512

83fb4d83bcc27505e005f7dd9e22aacb53c4f0558f17959f37c066ca32c329ea26eec50b7b22cb37866699e61041ab45629036be8c165022040f40d38fe1648b
SSDEEP

1536:LfQe0cDg+LvGr44AQF3K6OIDlxqv2+KmHioQV+/eCeyvCQ:8eJLvGtA6lxqYmHrk+

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	1a0d135e8df76c74658a17ad72a80bf0e563175fc868c136a585350304988c89.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eelfedpa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gljdlq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcdihn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eelfedpa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhhkbqea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkidclbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdmcbojl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gljdlq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gegbpe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ifgooikk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ifgooikk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	1a0d135e8df76c74658a17ad72a80bf0e563175fc868c136a585350304988c89.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fijolbfh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fgibijkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkidclbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcdihn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fijolbfh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fljhmmci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fgibijkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fljhmmci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hhhkbqea.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gegbpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fkpeojha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gllabp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gllabp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkpeojha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdmcbojl.exe

Executes dropped EXE 14 IoCs

pid	Process
2192	Eelfedpa.exe
1724	Fijolbfh.exe
2324	Fljhmmci.exe
2636	Fkpeojha.exe
2828	Fgibijkb.exe
2740	Gdmcbojl.exe
2124	Gljdlq32.exe
1664	Gllabp32.exe
1732	Gegbpe32.exe
2044	Hhhkbqea.exe
2236	Hkidclbb.exe
1568	Hcdihn32.exe
2068	Ifgooikk.exe
3028	Iqmcmaja.exe

Loads dropped DLL 32 IoCs

pid	Process
2552	1a0d135e8df76c74658a17ad72a80bf0e563175fc868c136a585350304988c89.exe
2552	1a0d135e8df76c74658a17ad72a80bf0e563175fc868c136a585350304988c89.exe
2192	Eelfedpa.exe
2192	Eelfedpa.exe
1724	Fijolbfh.exe
1724	Fijolbfh.exe
2324	Fljhmmci.exe
2324	Fljhmmci.exe
2636	Fkpeojha.exe
2636	Fkpeojha.exe
2828	Fgibijkb.exe
2828	Fgibijkb.exe
2740	Gdmcbojl.exe
2740	Gdmcbojl.exe
2124	Gljdlq32.exe
2124	Gljdlq32.exe
1664	Gllabp32.exe
1664	Gllabp32.exe
1732	Gegbpe32.exe
1732	Gegbpe32.exe
2044	Hhhkbqea.exe
2044	Hhhkbqea.exe
2236	Hkidclbb.exe
2236	Hkidclbb.exe
1568	Hcdihn32.exe
1568	Hcdihn32.exe
2068	Ifgooikk.exe
2068	Ifgooikk.exe
3032	WerFault.exe
3032	WerFault.exe
3032	WerFault.exe
3032	WerFault.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Fljhmmci.exe	Fijolbfh.exe
File opened for modification	C:\Windows\SysWOW64\Fgibijkb.exe	Fkpeojha.exe
File created	C:\Windows\SysWOW64\Pfplmh32.dll	Hhhkbqea.exe
File created	C:\Windows\SysWOW64\Alnfeemk.dll	Gllabp32.exe
File created	C:\Windows\SysWOW64\Hkidclbb.exe	Hhhkbqea.exe
File created	C:\Windows\SysWOW64\Maonll32.dll	Ifgooikk.exe
File created	C:\Windows\SysWOW64\Fijolbfh.exe	Eelfedpa.exe
File created	C:\Windows\SysWOW64\Kgeahmik.dll	Gdmcbojl.exe
File opened for modification	C:\Windows\SysWOW64\Gllabp32.exe	Gljdlq32.exe
File opened for modification	C:\Windows\SysWOW64\Eelfedpa.exe	1a0d135e8df76c74658a17ad72a80bf0e563175fc868c136a585350304988c89.exe
File created	C:\Windows\SysWOW64\Hhhkbqea.exe	Gegbpe32.exe
File created	C:\Windows\SysWOW64\Gechnn32.dll	Gegbpe32.exe
File created	C:\Windows\SysWOW64\Emoghm32.dll	Hkidclbb.exe
File opened for modification	C:\Windows\SysWOW64\Fijolbfh.exe	Eelfedpa.exe
File created	C:\Windows\SysWOW64\Kikakd32.dll	Eelfedpa.exe
File created	C:\Windows\SysWOW64\Gljdlq32.exe	Gdmcbojl.exe
File created	C:\Windows\SysWOW64\Fgibijkb.exe	Fkpeojha.exe
File created	C:\Windows\SysWOW64\Boobcigh.dll	Gljdlq32.exe
File opened for modification	C:\Windows\SysWOW64\Hhhkbqea.exe	Gegbpe32.exe
File created	C:\Windows\SysWOW64\Iqmcmaja.exe	Ifgooikk.exe
File created	C:\Windows\SysWOW64\Oofeeflg.dll	1a0d135e8df76c74658a17ad72a80bf0e563175fc868c136a585350304988c89.exe
File opened for modification	C:\Windows\SysWOW64\Fljhmmci.exe	Fijolbfh.exe
File created	C:\Windows\SysWOW64\Enckek32.dll	Fljhmmci.exe
File created	C:\Windows\SysWOW64\Gllabp32.exe	Gljdlq32.exe
File opened for modification	C:\Windows\SysWOW64\Gegbpe32.exe	Gllabp32.exe
File opened for modification	C:\Windows\SysWOW64\Hkidclbb.exe	Hhhkbqea.exe
File opened for modification	C:\Windows\SysWOW64\Hcdihn32.exe	Hkidclbb.exe
File created	C:\Windows\SysWOW64\Gdmcbojl.exe	Fgibijkb.exe
File opened for modification	C:\Windows\SysWOW64\Gdmcbojl.exe	Fgibijkb.exe
File opened for modification	C:\Windows\SysWOW64\Gljdlq32.exe	Gdmcbojl.exe
File created	C:\Windows\SysWOW64\Fkpeojha.exe	Fljhmmci.exe
File created	C:\Windows\SysWOW64\Lpbmcd32.dll	Fkpeojha.exe
File opened for modification	C:\Windows\SysWOW64\Iqmcmaja.exe	Ifgooikk.exe
File created	C:\Windows\SysWOW64\Pfenml32.dll	Fgibijkb.exe
File created	C:\Windows\SysWOW64\Gegbpe32.exe	Gllabp32.exe
File created	C:\Windows\SysWOW64\Hcdihn32.exe	Hkidclbb.exe
File created	C:\Windows\SysWOW64\Ifgooikk.exe	Hcdihn32.exe
File opened for modification	C:\Windows\SysWOW64\Ifgooikk.exe	Hcdihn32.exe
File created	C:\Windows\SysWOW64\Eelfedpa.exe	1a0d135e8df76c74658a17ad72a80bf0e563175fc868c136a585350304988c89.exe
File created	C:\Windows\SysWOW64\Bealkk32.dll	Fijolbfh.exe
File opened for modification	C:\Windows\SysWOW64\Fkpeojha.exe	Fljhmmci.exe
File created	C:\Windows\SysWOW64\Agednnhp.dll	Hcdihn32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3032	3028	WerFault.exe	42

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eelfedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkpeojha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fgibijkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gllabp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hcdihn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fijolbfh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gegbpe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ifgooikk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iqmcmaja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a0d135e8df76c74658a17ad72a80bf0e563175fc868c136a585350304988c89.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkidclbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fljhmmci.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gdmcbojl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gljdlq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hhhkbqea.exe

Modifies registry class 45 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fijolbfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fijolbfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Boobcigh.dll"	Gljdlq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gegbpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hhhkbqea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kikakd32.dll"	Eelfedpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eelfedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enckek32.dll"	Fljhmmci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fgibijkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gljdlq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gljdlq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gllabp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gechnn32.dll"	Gegbpe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkidclbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	1a0d135e8df76c74658a17ad72a80bf0e563175fc868c136a585350304988c89.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkidclbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agednnhp.dll"	Hcdihn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ifgooikk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emoghm32.dll"	Hkidclbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fgibijkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gdmcbojl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gegbpe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fkpeojha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eelfedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bealkk32.dll"	Fijolbfh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fljhmmci.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maonll32.dll"	Ifgooikk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	1a0d135e8df76c74658a17ad72a80bf0e563175fc868c136a585350304988c89.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fkpeojha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfenml32.dll"	Fgibijkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gdmcbojl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgeahmik.dll"	Gdmcbojl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	1a0d135e8df76c74658a17ad72a80bf0e563175fc868c136a585350304988c89.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	1a0d135e8df76c74658a17ad72a80bf0e563175fc868c136a585350304988c89.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oofeeflg.dll"	1a0d135e8df76c74658a17ad72a80bf0e563175fc868c136a585350304988c89.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpbmcd32.dll"	Fkpeojha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfplmh32.dll"	Hhhkbqea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ifgooikk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	1a0d135e8df76c74658a17ad72a80bf0e563175fc868c136a585350304988c89.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gllabp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alnfeemk.dll"	Gllabp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hhhkbqea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcdihn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcdihn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fljhmmci.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 2192	2552	1a0d135e8df76c74658a17ad72a80bf0e563175fc868c136a585350304988c89.exe	29
PID 2552 wrote to memory of 2192	2552	1a0d135e8df76c74658a17ad72a80bf0e563175fc868c136a585350304988c89.exe	29
PID 2552 wrote to memory of 2192	2552	1a0d135e8df76c74658a17ad72a80bf0e563175fc868c136a585350304988c89.exe	29
PID 2552 wrote to memory of 2192	2552	1a0d135e8df76c74658a17ad72a80bf0e563175fc868c136a585350304988c89.exe	29
PID 2192 wrote to memory of 1724	2192	Eelfedpa.exe	30
PID 2192 wrote to memory of 1724	2192	Eelfedpa.exe	30
PID 2192 wrote to memory of 1724	2192	Eelfedpa.exe	30
PID 2192 wrote to memory of 1724	2192	Eelfedpa.exe	30
PID 1724 wrote to memory of 2324	1724	Fijolbfh.exe	31
PID 1724 wrote to memory of 2324	1724	Fijolbfh.exe	31
PID 1724 wrote to memory of 2324	1724	Fijolbfh.exe	31
PID 1724 wrote to memory of 2324	1724	Fijolbfh.exe	31
PID 2324 wrote to memory of 2636	2324	Fljhmmci.exe	32
PID 2324 wrote to memory of 2636	2324	Fljhmmci.exe	32
PID 2324 wrote to memory of 2636	2324	Fljhmmci.exe	32
PID 2324 wrote to memory of 2636	2324	Fljhmmci.exe	32
PID 2636 wrote to memory of 2828	2636	Fkpeojha.exe	33
PID 2636 wrote to memory of 2828	2636	Fkpeojha.exe	33
PID 2636 wrote to memory of 2828	2636	Fkpeojha.exe	33
PID 2636 wrote to memory of 2828	2636	Fkpeojha.exe	33
PID 2828 wrote to memory of 2740	2828	Fgibijkb.exe	34
PID 2828 wrote to memory of 2740	2828	Fgibijkb.exe	34
PID 2828 wrote to memory of 2740	2828	Fgibijkb.exe	34
PID 2828 wrote to memory of 2740	2828	Fgibijkb.exe	34
PID 2740 wrote to memory of 2124	2740	Gdmcbojl.exe	35
PID 2740 wrote to memory of 2124	2740	Gdmcbojl.exe	35
PID 2740 wrote to memory of 2124	2740	Gdmcbojl.exe	35
PID 2740 wrote to memory of 2124	2740	Gdmcbojl.exe	35
PID 2124 wrote to memory of 1664	2124	Gljdlq32.exe	36
PID 2124 wrote to memory of 1664	2124	Gljdlq32.exe	36
PID 2124 wrote to memory of 1664	2124	Gljdlq32.exe	36
PID 2124 wrote to memory of 1664	2124	Gljdlq32.exe	36
PID 1664 wrote to memory of 1732	1664	Gllabp32.exe	37
PID 1664 wrote to memory of 1732	1664	Gllabp32.exe	37
PID 1664 wrote to memory of 1732	1664	Gllabp32.exe	37
PID 1664 wrote to memory of 1732	1664	Gllabp32.exe	37
PID 1732 wrote to memory of 2044	1732	Gegbpe32.exe	38
PID 1732 wrote to memory of 2044	1732	Gegbpe32.exe	38
PID 1732 wrote to memory of 2044	1732	Gegbpe32.exe	38
PID 1732 wrote to memory of 2044	1732	Gegbpe32.exe	38
PID 2044 wrote to memory of 2236	2044	Hhhkbqea.exe	39
PID 2044 wrote to memory of 2236	2044	Hhhkbqea.exe	39
PID 2044 wrote to memory of 2236	2044	Hhhkbqea.exe	39
PID 2044 wrote to memory of 2236	2044	Hhhkbqea.exe	39
PID 2236 wrote to memory of 1568	2236	Hkidclbb.exe	40
PID 2236 wrote to memory of 1568	2236	Hkidclbb.exe	40
PID 2236 wrote to memory of 1568	2236	Hkidclbb.exe	40
PID 2236 wrote to memory of 1568	2236	Hkidclbb.exe	40
PID 1568 wrote to memory of 2068	1568	Hcdihn32.exe	41
PID 1568 wrote to memory of 2068	1568	Hcdihn32.exe	41
PID 1568 wrote to memory of 2068	1568	Hcdihn32.exe	41
PID 1568 wrote to memory of 2068	1568	Hcdihn32.exe	41
PID 2068 wrote to memory of 3028	2068	Ifgooikk.exe	42
PID 2068 wrote to memory of 3028	2068	Ifgooikk.exe	42
PID 2068 wrote to memory of 3028	2068	Ifgooikk.exe	42
PID 2068 wrote to memory of 3028	2068	Ifgooikk.exe	42
PID 3028 wrote to memory of 3032	3028	Iqmcmaja.exe	43
PID 3028 wrote to memory of 3032	3028	Iqmcmaja.exe	43
PID 3028 wrote to memory of 3032	3028	Iqmcmaja.exe	43
PID 3028 wrote to memory of 3032	3028	Iqmcmaja.exe	43

C:\Users\Admin\AppData\Local\Temp\1a0d135e8df76c74658a17ad72a80bf0e563175fc868c136a585350304988c89.exe
"C:\Users\Admin\AppData\Local\Temp\1a0d135e8df76c74658a17ad72a80bf0e563175fc868c136a585350304988c89.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\SysWOW64\Eelfedpa.exe
  C:\Windows\system32\Eelfedpa.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\SysWOW64\Fijolbfh.exe
    C:\Windows\system32\Fijolbfh.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1724
  - - C:\Windows\SysWOW64\Fljhmmci.exe
      C:\Windows\system32\Fljhmmci.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2324
    - - C:\Windows\SysWOW64\Fkpeojha.exe
        
        C:\Windows\system32\Fkpeojha.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2636
      - C:\Windows\SysWOW64\Fgibijkb.exe
        
        C:\Windows\system32\Fgibijkb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\Gdmcbojl.exe
        
        C:\Windows\system32\Gdmcbojl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\SysWOW64\Gljdlq32.exe
        
        C:\Windows\system32\Gljdlq32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Gllabp32.exe
        
        C:\Windows\system32\Gllabp32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\SysWOW64\Gegbpe32.exe
        
        C:\Windows\system32\Gegbpe32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\SysWOW64\Hhhkbqea.exe
        
        C:\Windows\system32\Hhhkbqea.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\Hkidclbb.exe
        
        C:\Windows\system32\Hkidclbb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\Hcdihn32.exe
        
        C:\Windows\system32\Hcdihn32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Ifgooikk.exe
        
        C:\Windows\system32\Ifgooikk.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\Iqmcmaja.exe
        
        C:\Windows\system32\Iqmcmaja.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3028 -s 140
        16⤵
        Loads dropped DLL
        Program crash
        
        PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Gegbpe32.exe

Filesize
76KB

MD5
3766e89d868b38a23727119ad190d634

SHA1
28a7b94388291409e691a9835578b841bea4c014

SHA256
04e79463cfcf1868ad822047418cd5a66905f3cd8d96fa4accff8d68630b807f

SHA512
324a73df5be91e7785a0ee5029bb92c8e0b5e445ca5a9c052eb63ab85a114a0991bea74b7a0d352b4f42c45a553edd75703ddc193dcfd2448f3d99f87ed47637

Download Submit
C:\Windows\SysWOW64\Hkidclbb.exe

Filesize
76KB

MD5
4eba12e4115abeba1b6e2820d3ba1b31

SHA1
66efb40c7fe0262f63d5886b8355c7477b1e8f40

SHA256
b1e8c644d3cf07a77b5600bc774e49d6b4b62eee68c8a92d43867bd8735912a8

SHA512
3782adec7f3c9ebda423917fb9d9bc4ec1a3b2b3db7dc013511c207b125ce8504eb70024cc82d42a92b7d90b238923807ab3771c2169296b8b16049a519b51a1

Download Submit
C:\Windows\SysWOW64\Iqmcmaja.exe

Filesize
76KB

MD5
ec68dee4767be4a85087fc9e43c086d5

SHA1
56de8e301337cc617c0d826676ecf8d24e04a94b

SHA256
61efc3c76655903f7c359d44c2430250c62beaeb1bf016de14263fe0dcf43f54

SHA512
95b1e5a64c8f80017f47a34941df62257e04fae5cdc91e6ad5668886003dcfdd692e5ffd05334a1e2fd7b169701e39389909924909118fa2da10fc85dc1b0d20

Download Submit
\Windows\SysWOW64\Eelfedpa.exe

Filesize
76KB

MD5
cafd5e44e0e369d578bcc868bad0a29a

SHA1
df324470051f9847bf903c70921d47030724996f

SHA256
36dcb447412101b28c1cbb5778a58c9e85b2cead6d1fa062cec6f0165b8d63b5

SHA512
62dd41d1467d999f317efb226313ceda6274eda1e5ac00553b1cc34765b68f75952805cdc6bfc352dc87c5a5b631031fe0a5dede32a925591075c27824f2e1e2

Download Submit
\Windows\SysWOW64\Fgibijkb.exe

Filesize
76KB

MD5
60f9075827c4fd530619d06714181248

SHA1
68362971042eb239a1ca94b7c5b13b4f06bbd8e2

SHA256
079a6949d3205acd5f028ade9a25cb87c1d62c3a671ae7ec7beef2a50f9001f7

SHA512
cdcbd53810b291c87bd8d3246f699f62d11ba0f722fe60b087ad3f3e1c596d720c77c1aeba80b2e5a89ce42134184e4ad79931bf731fe555096b176e49cf6c8c

Download Submit
\Windows\SysWOW64\Fijolbfh.exe

Filesize
76KB

MD5
40bac59cc5666e0b64b0c0ba9c283e8a

SHA1
33b0fe9a5fdb755a2935463f9f0b0c2bae963ffa

SHA256
728ac86ef90fd3fd7a4c2b146dd31eb7bd1c08b6c6339ce7de554c8424e94e02

SHA512
c00a1aebd8d974b181b97dbbbfc951fae0277576414d476fc3038c1e4d341c6adb42fa4bd326f30c95b9653e151f6a3aa759d3de83ea51a2d82af9d0dca7f5d2

Download Submit
\Windows\SysWOW64\Fkpeojha.exe

Filesize
76KB

MD5
c206bd3a1627be490e4d061ce108aee2

SHA1
b4674c2506c4d27dd03b0ae76ecb61d2aef91ce7

SHA256
0d8e52e49d0a52960325a37468f921b0548a9fdf44dfdf427f8808dbe1160842

SHA512
72460b8a2df186a198f84cd8cfbaf68122c36ca630e1ab2e82c801c7bbd8f08b71b688a75163d0c4f4f82c1ed77740f93e66fecb31a934cf119d64b64fbc5033

Download Submit
\Windows\SysWOW64\Fljhmmci.exe

Filesize
76KB

MD5
71a45a78d32cb966f956724f25c38065

SHA1
cd8bfd1968c82d14144c03fae23eafc06ee6e659

SHA256
cb253a664312eb861727e850280b1c7ca8aaa78b1eaf2dbaa280fd3f3396733e

SHA512
49c3ce1581b7682f3ee4273db02a18d49b21accac821560b509d44de7fe56c7f3d8e8280f5765d42ab0a9abb81acb3ea438906c9add8296a66ba52f0af6a9209

Download Submit
\Windows\SysWOW64\Gdmcbojl.exe

Filesize
76KB

MD5
17b2bdf1b03dfb74dd55a9899560dc9c

SHA1
59e26576b793a58692ab01f6fa038df335420649

SHA256
91176bf45c0d8a7be9cd3eddc7d3a8e757dbb68a8adc42fac8eaf28a0ea0046b

SHA512
997c35c10b4f47c865b4be27740fa44707b73af96d0072c074778a89a133a58af3cd6d2b832d159e6350240404f12ae53fadd06ce1b3b2ea00ea786bc7701718

Download Submit
\Windows\SysWOW64\Gljdlq32.exe

Filesize
76KB

MD5
5ccdcc925fa0436f38c93129b75f3a53

SHA1
42154885a834fd460a9ad53dc177a54e2952e287

SHA256
b6a54772b11fcaac653758f49dd907b1e8c8bbda05df7ccb730f12cc59997b6c

SHA512
72f9ed65dc29972c04163ff8b8ba43491e262aea9c946666c23a89811b848a41c53de62c86e63dfbfc8a497be7c051e15e602e4bca53cbb1441ea8b7f312aa81

Download Submit
\Windows\SysWOW64\Gllabp32.exe

Filesize
76KB

MD5
031643e5d567849e54b2f860b9713b43

SHA1
d1396f9678da19a848b0e0e1a218d7f51312d833

SHA256
6ef2d927f6829fe4823f81d81c28efeef9dd8b05c2e8169026ef0c0fdfacee4a

SHA512
04273409745a9805d52a21663b54e575427060e94c790faadf2b9147e9808e99025779d7532b3cf0b94b3e85c4e6a9fa96962b877f83ad5171f09f084a395228

Download Submit
\Windows\SysWOW64\Hcdihn32.exe

Filesize
76KB

MD5
e8091e4a4ca52b62a53282016b8194e4

SHA1
7c9022398e9550bb16e5f0a6cf4bef838d1647bc

SHA256
2d5f5487d9d85011803f07b0cdc025af16fe3c5bc4a4441deedc07d51fc957fe

SHA512
6028712a0dc232aed813428cb77df6122defabcfea58f7f439975ebbea9e07927ddc98834f80ad90bb99175e8c474028847bc46d1dc51b814d65812d35cd3d84

Download Submit
\Windows\SysWOW64\Hhhkbqea.exe

Filesize
76KB

MD5
4de31c2c4243a84a3b321adaf4607b51

SHA1
6e0db15e1fa50a317cd653122f92a159cf3fecac

SHA256
bd882514546015dc7e49328de251cbe54a500b7018c89e271a8325b6f4b03414

SHA512
666aebacb314a10de9e624b712ea7ba2f25006d4a5a49e7a803c5ba0ccff8ebe4de9c784ef301867a7fadc996b04d1065cbe887317705097d7d6d092f94152a3

Download Submit
\Windows\SysWOW64\Ifgooikk.exe

Filesize
76KB

MD5
e5ab23594c8135b4a5c3567834670962

SHA1
201baf874822db091f8fbb61052df4e9a395de3f

SHA256
a49746b3d4b35b31885a6c8cac574d62732d08ccd7021d9fac1a30e31dfdd244

SHA512
1f8de63f9cf051421b9af91308477717b6a4e7344fa4c9761c6ec60925a7adab014e8da00bbc07ca43514b6e2c4cfb5b784f7099ae09b40cd3f024b171218f56

Download Submit
memory/1568-178-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1568-191-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1568-217-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1568-192-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1568-218-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1664-170-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1664-177-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1664-128-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1664-115-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1724-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1724-27-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1724-35-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1732-130-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1732-143-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/1732-189-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2044-160-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2044-158-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2044-213-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2044-194-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2044-145-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2068-199-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2068-220-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2068-219-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2124-153-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2124-159-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2124-112-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2124-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2192-14-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2192-62-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2236-214-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2236-162-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2236-215-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2236-216-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2236-175-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2324-92-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2552-12-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2552-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2552-52-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2552-11-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2636-111-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2636-54-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2636-65-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2636-114-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2636-68-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2740-138-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2740-93-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2740-84-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2828-82-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2828-127-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3028-208-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3028-221-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads