e09ef84ff2e7f49bcb6baa2c0a65538811956b58b13a8a06cc501f7816194eb5

Analysis

max time kernel
142s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 03:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e09ef84ff2e7f49bcb6baa2c0a65538811956b58b13a8a06cc501f7816194eb5.exe
Size

465KB
MD5

7709ac0b1ab7fe83dd9fd8bd9a084032
SHA1

dd2163e85964683b70a826c3d2a0dbf855a6a447
SHA256

e09ef84ff2e7f49bcb6baa2c0a65538811956b58b13a8a06cc501f7816194eb5
SHA512

9399fd1831e32956e8249d10164002ced783b044a4b224def7765fb06b25f4d5de782832285abbab81e6c5406fa5ec6f71a1637e5faad4e3b35a6ef88585c94d
SSDEEP

6144:YtPqdwxYXqOILKpn/a5/VF5V4lKjIbvBhRJfzSf9x7N/I7b9M:YAwrO8S/WNLKlUmpRe94a

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Hcifgjgc.exeIeqeidnl.exeHobcak32.exeHcplhi32.exeFhkpmjln.exeGloblmmj.exeGaemjbcg.exeHahjpbad.exeHogmmjfo.exeIhoafpmp.exeGaqcoc32.exeGbkgnfbd.exeHckcmjep.exeHlcgeo32.exeHjhhocjj.exeGhhofmql.exeGkihhhnm.exee09ef84ff2e7f49bcb6baa2c0a65538811956b58b13a8a06cc501f7816194eb5.exeGdopkn32.exeHlakpp32.exeIlknfn32.exeFbdqmghm.exeHknach32.exeFmhheqje.exeFaagpp32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcifgjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fhkpmjln.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Globlmmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hahjpbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fhkpmjln.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaemjbcg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hcplhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hogmmjfo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gaqcoc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hahjpbad.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Globlmmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gbkgnfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hckcmjep.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjhhocjj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gbkgnfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ghhofmql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gkihhhnm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hogmmjfo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjhhocjj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e09ef84ff2e7f49bcb6baa2c0a65538811956b58b13a8a06cc501f7816194eb5.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlcgeo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghhofmql.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gkihhhnm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdopkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hcifgjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hlakpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbdqmghm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hknach32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fmhheqje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gdopkn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ihoafpmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Faagpp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fmhheqje.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gaqcoc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e09ef84ff2e7f49bcb6baa2c0a65538811956b58b13a8a06cc501f7816194eb5.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Faagpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fbdqmghm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hknach32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hlakpp32.exe

Executes dropped EXE 25 IoCs

Processes:

Faagpp32.exeFhkpmjln.exeFmhheqje.exeFbdqmghm.exeGloblmmj.exeGbkgnfbd.exeGhhofmql.exeGaqcoc32.exeGdopkn32.exeGkihhhnm.exeGaemjbcg.exeHknach32.exeHahjpbad.exeHcifgjgc.exeHlakpp32.exeHckcmjep.exeHlcgeo32.exeHobcak32.exeHjhhocjj.exeHcplhi32.exeHogmmjfo.exeIeqeidnl.exeIhoafpmp.exeIlknfn32.exeIagfoe32.exe

pid	process
1904	Faagpp32.exe
2560	Fhkpmjln.exe
2704	Fmhheqje.exe
2568	Fbdqmghm.exe
1908	Globlmmj.exe
2572	Gbkgnfbd.exe
292	Ghhofmql.exe
1404	Gaqcoc32.exe
1728	Gdopkn32.exe
1716	Gkihhhnm.exe
1828	Gaemjbcg.exe
536	Hknach32.exe
2428	Hahjpbad.exe
1216	Hcifgjgc.exe
2268	Hlakpp32.exe
2236	Hckcmjep.exe
988	Hlcgeo32.exe
1440	Hobcak32.exe
1708	Hjhhocjj.exe
1780	Hcplhi32.exe
544	Hogmmjfo.exe
3028	Ieqeidnl.exe
2008	Ihoafpmp.exe
3068	Ilknfn32.exe
1412	Iagfoe32.exe

Loads dropped DLL 54 IoCs

Processes:

e09ef84ff2e7f49bcb6baa2c0a65538811956b58b13a8a06cc501f7816194eb5.exeFaagpp32.exeFhkpmjln.exeFmhheqje.exeFbdqmghm.exeGloblmmj.exeGbkgnfbd.exeGhhofmql.exeGaqcoc32.exeGdopkn32.exeGkihhhnm.exeGaemjbcg.exeHknach32.exeHahjpbad.exeHcifgjgc.exeHlakpp32.exeHckcmjep.exeHlcgeo32.exeHobcak32.exeHjhhocjj.exeHcplhi32.exeHogmmjfo.exeIeqeidnl.exeIhoafpmp.exeIlknfn32.exeWerFault.exe

pid	process
2072	e09ef84ff2e7f49bcb6baa2c0a65538811956b58b13a8a06cc501f7816194eb5.exe
2072	e09ef84ff2e7f49bcb6baa2c0a65538811956b58b13a8a06cc501f7816194eb5.exe
1904	Faagpp32.exe
1904	Faagpp32.exe
2560	Fhkpmjln.exe
2560	Fhkpmjln.exe
2704	Fmhheqje.exe
2704	Fmhheqje.exe
2568	Fbdqmghm.exe
2568	Fbdqmghm.exe
1908	Globlmmj.exe
1908	Globlmmj.exe
2572	Gbkgnfbd.exe
2572	Gbkgnfbd.exe
292	Ghhofmql.exe
292	Ghhofmql.exe
1404	Gaqcoc32.exe
1404	Gaqcoc32.exe
1728	Gdopkn32.exe
1728	Gdopkn32.exe
1716	Gkihhhnm.exe
1716	Gkihhhnm.exe
1828	Gaemjbcg.exe
1828	Gaemjbcg.exe
536	Hknach32.exe
536	Hknach32.exe
2428	Hahjpbad.exe
2428	Hahjpbad.exe
1216	Hcifgjgc.exe
1216	Hcifgjgc.exe
2268	Hlakpp32.exe
2268	Hlakpp32.exe
2236	Hckcmjep.exe
2236	Hckcmjep.exe
988	Hlcgeo32.exe
988	Hlcgeo32.exe
1440	Hobcak32.exe
1440	Hobcak32.exe
1708	Hjhhocjj.exe
1708	Hjhhocjj.exe
1780	Hcplhi32.exe
1780	Hcplhi32.exe
544	Hogmmjfo.exe
544	Hogmmjfo.exe
3028	Ieqeidnl.exe
3028	Ieqeidnl.exe
2008	Ihoafpmp.exe
2008	Ihoafpmp.exe
3068	Ilknfn32.exe
3068	Ilknfn32.exe
1996	WerFault.exe
1996	WerFault.exe
1996	WerFault.exe
1996	WerFault.exe

Drops file in System32 directory 64 IoCs

Processes:

Fmhheqje.exeGbkgnfbd.exeHcifgjgc.exeIeqeidnl.exeFhkpmjln.exeHahjpbad.exeHckcmjep.exeHlcgeo32.exee09ef84ff2e7f49bcb6baa2c0a65538811956b58b13a8a06cc501f7816194eb5.exeGhhofmql.exeGaemjbcg.exeHknach32.exeHjhhocjj.exeHcplhi32.exeHogmmjfo.exeFaagpp32.exeGdopkn32.exeHlakpp32.exeFbdqmghm.exeGloblmmj.exeIhoafpmp.exeIlknfn32.exeGaqcoc32.exeGkihhhnm.exeHobcak32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Clphjpmh.dll	Fmhheqje.exe
File opened for modification	C:\Windows\SysWOW64\Ghhofmql.exe	Gbkgnfbd.exe
File created	C:\Windows\SysWOW64\Anllbdkl.dll	Hcifgjgc.exe
File opened for modification	C:\Windows\SysWOW64\Ihoafpmp.exe	Ieqeidnl.exe
File opened for modification	C:\Windows\SysWOW64\Fmhheqje.exe	Fhkpmjln.exe
File created	C:\Windows\SysWOW64\Fealjk32.dll	Hahjpbad.exe
File opened for modification	C:\Windows\SysWOW64\Hlcgeo32.exe	Hckcmjep.exe
File created	C:\Windows\SysWOW64\Nokeef32.dll	Hlcgeo32.exe
File opened for modification	C:\Windows\SysWOW64\Faagpp32.exe	e09ef84ff2e7f49bcb6baa2c0a65538811956b58b13a8a06cc501f7816194eb5.exe
File created	C:\Windows\SysWOW64\Fndldonj.dll	Ghhofmql.exe
File created	C:\Windows\SysWOW64\Hknach32.exe	Gaemjbcg.exe
File opened for modification	C:\Windows\SysWOW64\Hknach32.exe	Gaemjbcg.exe
File opened for modification	C:\Windows\SysWOW64\Hahjpbad.exe	Hknach32.exe
File created	C:\Windows\SysWOW64\Njmekj32.dll	Hknach32.exe
File created	C:\Windows\SysWOW64\Hcifgjgc.exe	Hahjpbad.exe
File created	C:\Windows\SysWOW64\Hobcak32.exe	Hlcgeo32.exe
File opened for modification	C:\Windows\SysWOW64\Hcplhi32.exe	Hjhhocjj.exe
File created	C:\Windows\SysWOW64\Ojhcelga.dll	Hcplhi32.exe
File created	C:\Windows\SysWOW64\Ghhofmql.exe	Gbkgnfbd.exe
File opened for modification	C:\Windows\SysWOW64\Hlakpp32.exe	Hcifgjgc.exe
File created	C:\Windows\SysWOW64\Hogmmjfo.exe	Hcplhi32.exe
File opened for modification	C:\Windows\SysWOW64\Hogmmjfo.exe	Hcplhi32.exe
File opened for modification	C:\Windows\SysWOW64\Ieqeidnl.exe	Hogmmjfo.exe
File opened for modification	C:\Windows\SysWOW64\Fhkpmjln.exe	Faagpp32.exe
File created	C:\Windows\SysWOW64\Jeccgbbh.dll	Fhkpmjln.exe
File created	C:\Windows\SysWOW64\Ahcocb32.dll	Gdopkn32.exe
File created	C:\Windows\SysWOW64\Hlakpp32.exe	Hcifgjgc.exe
File created	C:\Windows\SysWOW64\Cabknqko.dll	Hlakpp32.exe
File created	C:\Windows\SysWOW64\Lponfjoo.dll	Hjhhocjj.exe
File created	C:\Windows\SysWOW64\Ieqeidnl.exe	Hogmmjfo.exe
File created	C:\Windows\SysWOW64\Hpqpdnop.dll	Fbdqmghm.exe
File opened for modification	C:\Windows\SysWOW64\Gbkgnfbd.exe	Globlmmj.exe
File opened for modification	C:\Windows\SysWOW64\Hobcak32.exe	Hlcgeo32.exe
File opened for modification	C:\Windows\SysWOW64\Ilknfn32.exe	Ihoafpmp.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Lgahch32.dll	e09ef84ff2e7f49bcb6baa2c0a65538811956b58b13a8a06cc501f7816194eb5.exe
File created	C:\Windows\SysWOW64\Fmhheqje.exe	Fhkpmjln.exe
File created	C:\Windows\SysWOW64\Globlmmj.exe	Fbdqmghm.exe
File created	C:\Windows\SysWOW64\Ahpjhc32.dll	Gbkgnfbd.exe
File created	C:\Windows\SysWOW64\Blnhfb32.dll	Gaqcoc32.exe
File opened for modification	C:\Windows\SysWOW64\Gaemjbcg.exe	Gkihhhnm.exe
File created	C:\Windows\SysWOW64\Hckcmjep.exe	Hlakpp32.exe
File created	C:\Windows\SysWOW64\Hlcgeo32.exe	Hckcmjep.exe
File created	C:\Windows\SysWOW64\Hjhhocjj.exe	Hobcak32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Fbdqmghm.exe	Fmhheqje.exe
File opened for modification	C:\Windows\SysWOW64\Fbdqmghm.exe	Fmhheqje.exe
File opened for modification	C:\Windows\SysWOW64\Gkihhhnm.exe	Gdopkn32.exe
File created	C:\Windows\SysWOW64\Hcplhi32.exe	Hjhhocjj.exe
File created	C:\Windows\SysWOW64\Amammd32.dll	Ieqeidnl.exe
File opened for modification	C:\Windows\SysWOW64\Globlmmj.exe	Fbdqmghm.exe
File created	C:\Windows\SysWOW64\Nfmjcmjd.dll	Hogmmjfo.exe
File created	C:\Windows\SysWOW64\Gbkgnfbd.exe	Globlmmj.exe
File created	C:\Windows\SysWOW64\Gaqcoc32.exe	Ghhofmql.exe
File opened for modification	C:\Windows\SysWOW64\Hjhhocjj.exe	Hobcak32.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Ikkbnm32.dll	Faagpp32.exe
File opened for modification	C:\Windows\SysWOW64\Hckcmjep.exe	Hlakpp32.exe
File created	C:\Windows\SysWOW64\Faagpp32.exe	e09ef84ff2e7f49bcb6baa2c0a65538811956b58b13a8a06cc501f7816194eb5.exe
File created	C:\Windows\SysWOW64\Fhkpmjln.exe	Faagpp32.exe
File created	C:\Windows\SysWOW64\Gaemjbcg.exe	Gkihhhnm.exe
File created	C:\Windows\SysWOW64\Kjnifgah.dll	Hckcmjep.exe
File created	C:\Windows\SysWOW64\Ihoafpmp.exe	Ieqeidnl.exe
File created	C:\Windows\SysWOW64\Ilknfn32.exe	Ihoafpmp.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process

1996 1412 WerFault.exe

pid	pid_target	process
1996	1412	WerFault.exe

Modifies registry class 64 IoCs

Processes:

Gdopkn32.exeHlakpp32.exeIlknfn32.exeFmhheqje.exeFbdqmghm.exeGloblmmj.exeGaqcoc32.exeGaemjbcg.exeHogmmjfo.exeGbkgnfbd.exeGkihhhnm.exeHckcmjep.exeHlcgeo32.exee09ef84ff2e7f49bcb6baa2c0a65538811956b58b13a8a06cc501f7816194eb5.exeHcifgjgc.exeHobcak32.exeHjhhocjj.exeIeqeidnl.exeHknach32.exeHahjpbad.exeFhkpmjln.exeGhhofmql.exeHcplhi32.exeFaagpp32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gdopkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlakpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fmhheqje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fbdqmghm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Globlmmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blnhfb32.dll"	Gaqcoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gaemjbcg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hogmmjfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gbkgnfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gkihhhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hckcmjep.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokeef32.dll"	Hlcgeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	e09ef84ff2e7f49bcb6baa2c0a65538811956b58b13a8a06cc501f7816194eb5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	e09ef84ff2e7f49bcb6baa2c0a65538811956b58b13a8a06cc501f7816194eb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahch32.dll"	e09ef84ff2e7f49bcb6baa2c0a65538811956b58b13a8a06cc501f7816194eb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahefm32.dll"	Globlmmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anllbdkl.dll"	Hcifgjgc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lponfjoo.dll"	Hjhhocjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amammd32.dll"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpqpdnop.dll"	Fbdqmghm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gbkgnfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gdopkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hknach32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	e09ef84ff2e7f49bcb6baa2c0a65538811956b58b13a8a06cc501f7816194eb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpajnpao.dll"	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hahjpbad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njmekj32.dll"	Hknach32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ieqeidnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fhkpmjln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Globlmmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gaqcoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gkihhhnm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcaciakh.dll"	Gkihhhnm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	e09ef84ff2e7f49bcb6baa2c0a65538811956b58b13a8a06cc501f7816194eb5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahpjhc32.dll"	Gbkgnfbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fndldonj.dll"	Ghhofmql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hcplhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Faagpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlakpp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hckcmjep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmjcmjd.dll"	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeccgbbh.dll"	Fhkpmjln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clphjpmh.dll"	Fmhheqje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cabknqko.dll"	Hlakpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hlcgeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenhecef.dll"	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hogmmjfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikkbnm32.dll"	Faagpp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gaemjbcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fealjk32.dll"	Hahjpbad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hobcak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ieqeidnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fhkpmjln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hknach32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjhhocjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fmhheqje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gaqcoc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hahjpbad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hcplhi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2072 wrote to memory of 1904	2072	e09ef84ff2e7f49bcb6baa2c0a65538811956b58b13a8a06cc501f7816194eb5.exe	Faagpp32.exe
PID 2072 wrote to memory of 1904	2072	e09ef84ff2e7f49bcb6baa2c0a65538811956b58b13a8a06cc501f7816194eb5.exe	Faagpp32.exe
PID 2072 wrote to memory of 1904	2072	e09ef84ff2e7f49bcb6baa2c0a65538811956b58b13a8a06cc501f7816194eb5.exe	Faagpp32.exe
PID 2072 wrote to memory of 1904	2072	e09ef84ff2e7f49bcb6baa2c0a65538811956b58b13a8a06cc501f7816194eb5.exe	Faagpp32.exe
PID 1904 wrote to memory of 2560	1904	Faagpp32.exe	Fhkpmjln.exe
PID 1904 wrote to memory of 2560	1904	Faagpp32.exe	Fhkpmjln.exe
PID 1904 wrote to memory of 2560	1904	Faagpp32.exe	Fhkpmjln.exe
PID 1904 wrote to memory of 2560	1904	Faagpp32.exe	Fhkpmjln.exe
PID 2560 wrote to memory of 2704	2560	Fhkpmjln.exe	Fmhheqje.exe
PID 2560 wrote to memory of 2704	2560	Fhkpmjln.exe	Fmhheqje.exe
PID 2560 wrote to memory of 2704	2560	Fhkpmjln.exe	Fmhheqje.exe
PID 2560 wrote to memory of 2704	2560	Fhkpmjln.exe	Fmhheqje.exe
PID 2704 wrote to memory of 2568	2704	Fmhheqje.exe	Fbdqmghm.exe
PID 2704 wrote to memory of 2568	2704	Fmhheqje.exe	Fbdqmghm.exe
PID 2704 wrote to memory of 2568	2704	Fmhheqje.exe	Fbdqmghm.exe
PID 2704 wrote to memory of 2568	2704	Fmhheqje.exe	Fbdqmghm.exe
PID 2568 wrote to memory of 1908	2568	Fbdqmghm.exe	Globlmmj.exe
PID 2568 wrote to memory of 1908	2568	Fbdqmghm.exe	Globlmmj.exe
PID 2568 wrote to memory of 1908	2568	Fbdqmghm.exe	Globlmmj.exe
PID 2568 wrote to memory of 1908	2568	Fbdqmghm.exe	Globlmmj.exe
PID 1908 wrote to memory of 2572	1908	Globlmmj.exe	Gbkgnfbd.exe
PID 1908 wrote to memory of 2572	1908	Globlmmj.exe	Gbkgnfbd.exe
PID 1908 wrote to memory of 2572	1908	Globlmmj.exe	Gbkgnfbd.exe
PID 1908 wrote to memory of 2572	1908	Globlmmj.exe	Gbkgnfbd.exe
PID 2572 wrote to memory of 292	2572	Gbkgnfbd.exe	Ghhofmql.exe
PID 2572 wrote to memory of 292	2572	Gbkgnfbd.exe	Ghhofmql.exe
PID 2572 wrote to memory of 292	2572	Gbkgnfbd.exe	Ghhofmql.exe
PID 2572 wrote to memory of 292	2572	Gbkgnfbd.exe	Ghhofmql.exe
PID 292 wrote to memory of 1404	292	Ghhofmql.exe	Gaqcoc32.exe
PID 292 wrote to memory of 1404	292	Ghhofmql.exe	Gaqcoc32.exe
PID 292 wrote to memory of 1404	292	Ghhofmql.exe	Gaqcoc32.exe
PID 292 wrote to memory of 1404	292	Ghhofmql.exe	Gaqcoc32.exe
PID 1404 wrote to memory of 1728	1404	Gaqcoc32.exe	Gdopkn32.exe
PID 1404 wrote to memory of 1728	1404	Gaqcoc32.exe	Gdopkn32.exe
PID 1404 wrote to memory of 1728	1404	Gaqcoc32.exe	Gdopkn32.exe
PID 1404 wrote to memory of 1728	1404	Gaqcoc32.exe	Gdopkn32.exe
PID 1728 wrote to memory of 1716	1728	Gdopkn32.exe	Gkihhhnm.exe
PID 1728 wrote to memory of 1716	1728	Gdopkn32.exe	Gkihhhnm.exe
PID 1728 wrote to memory of 1716	1728	Gdopkn32.exe	Gkihhhnm.exe
PID 1728 wrote to memory of 1716	1728	Gdopkn32.exe	Gkihhhnm.exe
PID 1716 wrote to memory of 1828	1716	Gkihhhnm.exe	Gaemjbcg.exe
PID 1716 wrote to memory of 1828	1716	Gkihhhnm.exe	Gaemjbcg.exe
PID 1716 wrote to memory of 1828	1716	Gkihhhnm.exe	Gaemjbcg.exe
PID 1716 wrote to memory of 1828	1716	Gkihhhnm.exe	Gaemjbcg.exe
PID 1828 wrote to memory of 536	1828	Gaemjbcg.exe	Hknach32.exe
PID 1828 wrote to memory of 536	1828	Gaemjbcg.exe	Hknach32.exe
PID 1828 wrote to memory of 536	1828	Gaemjbcg.exe	Hknach32.exe
PID 1828 wrote to memory of 536	1828	Gaemjbcg.exe	Hknach32.exe
PID 536 wrote to memory of 2428	536	Hknach32.exe	Hahjpbad.exe
PID 536 wrote to memory of 2428	536	Hknach32.exe	Hahjpbad.exe
PID 536 wrote to memory of 2428	536	Hknach32.exe	Hahjpbad.exe
PID 536 wrote to memory of 2428	536	Hknach32.exe	Hahjpbad.exe
PID 2428 wrote to memory of 1216	2428	Hahjpbad.exe	Hcifgjgc.exe
PID 2428 wrote to memory of 1216	2428	Hahjpbad.exe	Hcifgjgc.exe
PID 2428 wrote to memory of 1216	2428	Hahjpbad.exe	Hcifgjgc.exe
PID 2428 wrote to memory of 1216	2428	Hahjpbad.exe	Hcifgjgc.exe
PID 1216 wrote to memory of 2268	1216	Hcifgjgc.exe	Hlakpp32.exe
PID 1216 wrote to memory of 2268	1216	Hcifgjgc.exe	Hlakpp32.exe
PID 1216 wrote to memory of 2268	1216	Hcifgjgc.exe	Hlakpp32.exe
PID 1216 wrote to memory of 2268	1216	Hcifgjgc.exe	Hlakpp32.exe
PID 2268 wrote to memory of 2236	2268	Hlakpp32.exe	Hckcmjep.exe
PID 2268 wrote to memory of 2236	2268	Hlakpp32.exe	Hckcmjep.exe
PID 2268 wrote to memory of 2236	2268	Hlakpp32.exe	Hckcmjep.exe
PID 2268 wrote to memory of 2236	2268	Hlakpp32.exe	Hckcmjep.exe

C:\Users\Admin\AppData\Local\Temp\e09ef84ff2e7f49bcb6baa2c0a65538811956b58b13a8a06cc501f7816194eb5.exe
"C:\Users\Admin\AppData\Local\Temp\e09ef84ff2e7f49bcb6baa2c0a65538811956b58b13a8a06cc501f7816194eb5.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\SysWOW64\Faagpp32.exe
C:\Windows\system32\Faagpp32.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\SysWOW64\Fhkpmjln.exe
C:\Windows\system32\Fhkpmjln.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2560

C:\Windows\SysWOW64\Fmhheqje.exe
C:\Windows\system32\Fmhheqje.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2704

C:\Windows\SysWOW64\Fbdqmghm.exe
C:\Windows\system32\Fbdqmghm.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2568

C:\Windows\SysWOW64\Globlmmj.exe
C:\Windows\system32\Globlmmj.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\SysWOW64\Gbkgnfbd.exe
C:\Windows\system32\Gbkgnfbd.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2572

C:\Windows\SysWOW64\Ghhofmql.exe
C:\Windows\system32\Ghhofmql.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:292

C:\Windows\SysWOW64\Gaqcoc32.exe
C:\Windows\system32\Gaqcoc32.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\SysWOW64\Gdopkn32.exe
C:\Windows\system32\Gdopkn32.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\Gkihhhnm.exe
C:\Windows\system32\Gkihhhnm.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\SysWOW64\Gaemjbcg.exe
C:\Windows\system32\Gaemjbcg.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\SysWOW64\Hknach32.exe
C:\Windows\system32\Hknach32.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:536

C:\Windows\SysWOW64\Hahjpbad.exe
C:\Windows\system32\Hahjpbad.exe
14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\SysWOW64\Hcifgjgc.exe
C:\Windows\system32\Hcifgjgc.exe
15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\SysWOW64\Hlakpp32.exe
C:\Windows\system32\Hlakpp32.exe
16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2268

C:\Windows\SysWOW64\Hckcmjep.exe
C:\Windows\system32\Hckcmjep.exe
17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2236

C:\Windows\SysWOW64\Hlcgeo32.exe
C:\Windows\system32\Hlcgeo32.exe
18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:988

C:\Windows\SysWOW64\Hobcak32.exe
C:\Windows\system32\Hobcak32.exe
19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1440

C:\Windows\SysWOW64\Hjhhocjj.exe
C:\Windows\system32\Hjhhocjj.exe
20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1708

C:\Windows\SysWOW64\Hcplhi32.exe
C:\Windows\system32\Hcplhi32.exe
21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1780

C:\Windows\SysWOW64\Hogmmjfo.exe
C:\Windows\system32\Hogmmjfo.exe
22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:544

C:\Windows\SysWOW64\Ieqeidnl.exe
C:\Windows\system32\Ieqeidnl.exe
23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:3028

C:\Windows\SysWOW64\Ihoafpmp.exe
C:\Windows\system32\Ihoafpmp.exe
24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2008

C:\Windows\SysWOW64\Ilknfn32.exe
C:\Windows\system32\Ilknfn32.exe
25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:3068

C:\Windows\SysWOW64\Iagfoe32.exe
C:\Windows\system32\Iagfoe32.exe
26⤵
- Executes dropped EXE
PID:1412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 140
27⤵
- Loads dropped DLL
- Program crash
PID:1996

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Faagpp32.exe
Filesize
465KB

MD5
c5b7b520560b85b89eb7a340574803a0

SHA1
23e42f3140b5e6c1c27643029dea31fb14fb098a

SHA256
0da736f305b5a5c28fc84206fd1bc76d5febfb0ac27eb8a6d7ffcc5138085e04

SHA512
cf5d3688ff1f08cfdd0199bb2fb6fd36d11045651c93c5c76f3a632ec27bd7164f036bf17142e57d2339f9bc8232a6681dd2164270907b146c9d903d75f3fee2

Download Submit
C:\Windows\SysWOW64\Fhkpmjln.exe
Filesize
465KB

MD5
e166f6abcb6c98ae68639f6ec2336357

SHA1
27e563f800008c0968e115df9cc435fd24392d8f

SHA256
94f8040778030952ac782c8d6c274bb57e99cb4651750d69e6de4dd0ff559bc0

SHA512
e8adbdc1c5d05886ecb1c54603345a722d135b5fba2de1d85c0b8dd058df77bcbb43258726f222847fb7387f5a7dd954976208715b529f8deaf0bcd6a0168ebb

Download Submit
C:\Windows\SysWOW64\Fmhheqje.exe
Filesize
465KB

MD5
bce0d1a1d987b9b655735d0ff5cec787

SHA1
f2146d75e3575bd7f5dfb083f6d9d79a4e682e98

SHA256
d789b9615eee82ddac7f5f03a82ad46a1d5db64053fff1516cb8908fc0aa59b7

SHA512
b7f968a9b80573451851f5cc7b8c55cece0e0c276cf938b3e9dca02d4f920784e3dbecc3e91d45943656587aa97d2230bdac757ff76eb53ed51fe7c38b331301

Download Submit
C:\Windows\SysWOW64\Gaemjbcg.exe
Filesize
465KB

MD5
b0e550bd8ababfa402f003cde234542f

SHA1
614a8a85ab2ae33994e8b34ac5f554b3fb3c393c

SHA256
f294f668dcc54a79d5596de90e962bcd2f7b5edcfdbecaa612ab3afda04ed036

SHA512
241b0fd173881d0091ea17b1bacd48f4e77609e97a76870719cecba40ce85d3705ab9e2ef145006f5a87b626d6f90be986e456508e52905bc4ad1eebb2023cfa

Download Submit
C:\Windows\SysWOW64\Gaqcoc32.exe
Filesize
465KB

MD5
670e7040f0dc3b795aaa660a3db992fd

SHA1
ec76753dac395c3edc486e29e175df27d9cbd9fa

SHA256
391681f7a2a906bc5ee732443c97e9cfcaba90924f0b9cfd068174865b9e1823

SHA512
5712db9908f9a1debe5849f1105f21ed41bdda544124d2ebdf3b0f9fc17a818b612a6a9fb7045c66b73287c01e8fec03f782d42fca9f61160e7021db7dbd7709

Download Submit
C:\Windows\SysWOW64\Gbkgnfbd.exe
Filesize
465KB

MD5
5200a1691be477a8bf137ce3ccb46d7f

SHA1
69fa146937c8acc04268ca8a3b4f664b24beebeb

SHA256
8b7b62ea5d5e5b2eac81a1c999c851bd7f01d919758c5d240278ebd2ba3f0548

SHA512
97f96d2d7aed4424ed877d5b5e4902807db64d2ee6d1e22f441698f8c0839fe23a3ff09254a90735de016e134f8d5b555b5cbda8b81118aa6316a0ef0077f068

Download Submit
C:\Windows\SysWOW64\Gdopkn32.exe
Filesize
465KB

MD5
323947abdfdc8b7db807a95c7d99e559

SHA1
bb49560776d58d2cf42fd5f31a6c371a40f95838

SHA256
28173acb2a17cce53677d9c913d82833f11809f0c8e00e2c805818dd75c8691a

SHA512
3622a1ce84088cf08518b8308ac84d0e3116be924be7b4fe0a6f1abd765ef1397b7ad4a77aa017a916ea860ff249d44b5e37ea93b53e8335a2d066d7825dfae5

Download Submit
C:\Windows\SysWOW64\Gkihhhnm.exe
Filesize
465KB

MD5
d997b45bf417228f16552f5bd288cc86

SHA1
e20bd842ad17b46b35a0033ce4a9f1d0627f4f7a

SHA256
639869a04f98b0e347546fa4fe8db13c6f2918218b52ff8dd76f83c45afade1d

SHA512
bc354ae931862f1903448c6fb5c7646c2d5999cebb2cca8a8fcc3ddb9dffb14af746e0832c6997a846ea843f04ef0069b1afe835545b5e1240c3b4b780348857

Download Submit
C:\Windows\SysWOW64\Globlmmj.exe
Filesize
465KB

MD5
b9bb52ac7c589edd284609671ca9f7be

SHA1
0904b5dcb1844c7ac4c607271d3cecb89fcd6898

SHA256
aaca954c1c201171e61fa6d9ee4f48ec79ebc7eb187acb62e304fd051ad57985

SHA512
b3c20df9dc83c8be162171874dff9bb9ecc10df88bd32572fedcf144d445bd5942ef35dae211f8c88a6d5c1291122eacbfbded9c912ddf52df782bd7d31afb4e

Download Submit
C:\Windows\SysWOW64\Hahjpbad.exe
Filesize
465KB

MD5
c605fd58752db7e448350e287951c364

SHA1
ed718f0cde8a0bc9970f1405500252acaceff20a

SHA256
e30c0c553c8b0eb47669ccbfe94815483f2ab46fc2a81282f32a424dfdea6590

SHA512
a47a7faaa5235c942768e4cd6396e24be3e08b02b645c56882260eb19b972c4d5c21ecf616166f2db2fa569715c8f9b689f043e0ba23c8f305b22085aa008e14

Download Submit
C:\Windows\SysWOW64\Hcifgjgc.exe
Filesize
465KB

MD5
8bc9aeb1669e04ef72bf94a76ab3b685

SHA1
904a216cf90c61abaf9b489b427ffafdb4d8fb47

SHA256
3dcd38fca230e90d039b4cc06ed1d34ff5449e19a5ba978eca199e7bd4cc4d72

SHA512
ede266fa9ea1efd291febb026df77aac94448f87b6478a1568ca8f6f65a105fa625c564a42023fd65eb1c6a3fa861ea982e8b570762389a7337e63dd87c934c0

Download Submit
C:\Windows\SysWOW64\Hcplhi32.exe
Filesize
465KB

MD5
847e0c901ff78d522ada69b57ed4c397

SHA1
e68958ffb70f45f734cfad5508248a6d98883bd1

SHA256
abbff089fabc9cafc5520d7c0f3e4a414775dcc38907c31271669cac324173ac

SHA512
2ade659d2680b89e7e4bc8d83afd4d7d45c1aff3ab534921d04d7703b6b9e4c231906b48588fc52e91ce1adf0f49210715bac9e874361e344859168df23179b4

Download Submit
C:\Windows\SysWOW64\Hjhhocjj.exe
Filesize
465KB

MD5
acfbfc05e6087279af21442c423047a8

SHA1
a817b65917bf3f583278bdce7d14d4c1737dcd66

SHA256
c01c4331878077bf1a2a1a40d7c9cbde35087a4f783a63d452bf4a3386e98f4b

SHA512
1200513f8893a023eb424134878350d65d2a993ed7ad8b27307c1f064db73a57f4a2d752655ed53231b6c446ceaf0b921b6b0ee6234c4781c49f5d1221f0be96

Download Submit
C:\Windows\SysWOW64\Hknach32.exe
Filesize
465KB

MD5
6e467ee08b120fe237112fba54d11e2c

SHA1
c064efc2150dc7404e607ed7075ab156e761e6c6

SHA256
d5ac5583d932aab7f5de1d07ca9bec028bf89cce45560dd9dcf64526de39ebff

SHA512
1e9f543308d533cf79305e0d978dd42b1f55ee096edd76c4bcc04bd2e0cbcf8782bfcc7c4011546b227178fcd1726ffb24ef867f72227f6f8c0b6e1816468342

Download Submit
C:\Windows\SysWOW64\Hlakpp32.exe
Filesize
465KB

MD5
46f14a2ae3e6cca1f1ecda92c251248e

SHA1
46f5aabb1a7dfa858b8386be59605b7099ed52d9

SHA256
8f3701a343763b7ec77e85f1a64def7905a74c42f0d7b4ca550430c52e1a7ed0

SHA512
a9257e41bf03fb09ebd5a8f9839676afae0819af9de3e63a08f8b539af73e20c10e92962724914076dd356c4e66cedef889ea59780308bf019a8a4bbd1b329e0

Download Submit
C:\Windows\SysWOW64\Hlcgeo32.exe
Filesize
465KB

MD5
3ca5510caa6820facb55fc5245503ca6

SHA1
4ab92b480a48a1a733386b2ecdf0b40f57ab246a

SHA256
7f7c7676f18c384b39cf6de5d604b79255a6abad7099f71e27f014bbac6525dc

SHA512
28e27cc3b513cdfd44303f2c0f8277cb43a6b7d9a6f2e4fedbb60fbf594313a676083ceef09148d29b2bf094f991e90b64d6c49e8c24dadaf77fad5072d69b40

Download Submit
C:\Windows\SysWOW64\Hobcak32.exe
Filesize
465KB

MD5
156aac5287a5aff9a522d9db95ff7660

SHA1
ca46da348584b4e6fa13556b0279716dfcfcee48

SHA256
48b5610566360071a603a1a7e57c20bb40fe313a7a5b8da04a1fa6d3793a0863

SHA512
f2cbea8193fb7049a539482b3a89c650d8d48ca6cbb21afcd77371e5e0ba9d2dc95fd2b845d589f9f85050eb5ca30ac26393e0d28c8e94dfcc00ebd81d19eeed

Download Submit
C:\Windows\SysWOW64\Hogmmjfo.exe
Filesize
465KB

MD5
2ef8a4e29382dec4dff2a386935c847e

SHA1
558e43798a1fcdce25de49afc825622b3865eba2

SHA256
5b089b00147d1cebab93f593d4453cf0b5214feb0e895c8a74784870b709cc13

SHA512
04725ea8f21d72ed4d6b73e722c69f170b09017c923589d858774913452a83fb554a9cd19da36bd73e8a493155d47587af2ea617d9930cf83225194a7457fbaa

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe
Filesize
465KB

MD5
bd4349ab0aed5485bdf67d5be3e3201d

SHA1
f63bef201d65f38508ba7614355c9c789e50602d

SHA256
9353ab13339d8670e7bd15173c7dca43a091d97a4b9785132d933118e77d5756

SHA512
a658f69f023ebdf15ec16f06ef6b0a81a9fe5f62ee354c7ef581f290e025e9d041f2a0d6bbb6076ae9e5438f394c066ae1a4d523637b367ad7d038ce4d8a9b65

Download Submit
C:\Windows\SysWOW64\Ieqeidnl.exe
Filesize
465KB

MD5
f7e575c1ccd2977dca23ca67edac525a

SHA1
e461c1173f27f139874669d3c2b5a46d2bb7013d

SHA256
3f313ae82aa46c948c1cd502740e2054543ff6fdcd866539f339d7ccb891192b

SHA512
dadaf43eafa6e2534622baa3317263b389027dd3a77f7596a178685a5649bfdd3f62a070f8d0a098989ded976f1e65222779226bac03a1d4a3f3b8f9197cf674

Download Submit
C:\Windows\SysWOW64\Ihoafpmp.exe
Filesize
465KB

MD5
1731988b6e943f8e27a1022ebdbfcd91

SHA1
35244c0c9234fcb936cfae5ff8c0542411b3690b

SHA256
59061f5aa01abb266ccb591f61a54cd6f521d8747382d0927495845ca27ea392

SHA512
6d5c07077dca71a85406e38ec461b14b91212a03ea5c2263c72a248e183611daa58928966bb5c95f679797afb219780a279067b739674e9928cc3bfbd46dbaf7

Download Submit
C:\Windows\SysWOW64\Ilknfn32.exe
Filesize
465KB

MD5
f35e9d60b6a0800aec3681df6be1eab0

SHA1
cd0a08fe424b52a7a90f683e8198b975985c1b7d

SHA256
8562b229ca137b29d79df2369ee1be818656065c02063acf0700542adb934678

SHA512
5f118a52297330f53f8d1b3ec6454a2b54a2d01ae243df4dfe68b8a556d27fa8b4348467a6bd68ebea4d7e8a9d2cbf8549fd506793a812994efda2fd6570104f

Download Submit
\Windows\SysWOW64\Fbdqmghm.exe
Filesize
465KB

MD5
cd2455f3cee81f39f1c85f4b7f6a63d3

SHA1
8defcb14d74de7cad012bc7e4f5f742191597261

SHA256
b36eb7b44f9c1c820821850edd28616a2878a0d2448d174a99bbb94e5bcc7290

SHA512
6f20b08a36a2d5f0e026a78ea6929916fbe7553bd8de0821dbafe8454cedce097627ef2b0d42321eaf53a4637531e946603e79407553dbd400d6db7556c5875a

Download Submit
\Windows\SysWOW64\Ghhofmql.exe
Filesize
465KB

MD5
cace08d62a668d7e9366eeebe06ccdf3

SHA1
2d0fe0858f2595822106184970b08579ee15e894

SHA256
107b8338a65a8a195d82665920270b116bcea812ca58cbde02038e1b81d7f6d3

SHA512
cd015a082f844f012e3c1d6bdf16903a17a9cb6022fbba6112fd3666cb81eceaf6f8fca4847a3b152acf011d68ba5e8dbc558cb4203f79d203669499b85a52dd

Download Submit
\Windows\SysWOW64\Hckcmjep.exe
Filesize
465KB

MD5
5c64dd430f7bccaf94873557da9d1d7e

SHA1
36b3a01a18491d59ea03a664d8e07b5610b7bdde

SHA256
859a40af4aa795403d2141ec50049bf6bf2eb9c0ff4e3c4ff6cec156915f5ec1

SHA512
cf3da328358254962f504eb20cca915a4e384200adcf4c88107427ea6d970867b74a8852368504743a11681b2a4d45782a90005ce6a165a925d7cb9300a19e2c

Download Submit
memory/292-116-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/292-328-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/292-99-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/536-182-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/536-333-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/536-169-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/544-288-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/544-287-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/544-278-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/544-342-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/988-245-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/988-236-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/988-338-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1216-210-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1216-335-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1216-197-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1404-118-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1404-126-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1412-320-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1440-255-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1440-339-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1440-254-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1440-257-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1708-340-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1708-263-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/1708-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1708-267-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/1716-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1716-154-0x00000000002F0000-0x000000000031F000-memory.dmp

Filesize
188KB

Download
memory/1716-331-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1728-140-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1728-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1728-330-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1780-277-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1780-341-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1780-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1828-332-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1828-155-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1828-167-0x0000000000280000-0x00000000002AF000-memory.dmp

Filesize
188KB

Download
memory/1904-322-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1904-27-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/1904-26-0x00000000002E0000-0x000000000030F000-memory.dmp

Filesize
188KB

Download
memory/1908-76-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1908-84-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1908-326-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2008-311-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2008-303-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2072-13-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2072-6-0x0000000000260000-0x000000000028F000-memory.dmp

Filesize
188KB

Download
memory/2072-321-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2072-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2236-230-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2236-235-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2268-219-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2268-336-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2268-211-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2428-195-0x00000000002D0000-0x00000000002FF000-memory.dmp

Filesize
188KB

Download
memory/2428-334-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2428-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2560-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2560-323-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2560-41-0x0000000000270000-0x000000000029F000-memory.dmp

Filesize
188KB

Download
memory/2568-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2568-64-0x00000000002F0000-0x000000000031F000-memory.dmp

Filesize
188KB

Download
memory/2568-74-0x00000000002F0000-0x000000000031F000-memory.dmp

Filesize
188KB

Download
memory/2568-325-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2572-327-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2572-85-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2572-98-0x0000000000430000-0x000000000045F000-memory.dmp

Filesize
188KB

Download
memory/2704-55-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/2704-324-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2704-42-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3028-302-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/3028-293-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3068-312-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3068-318-0x0000000001F20000-0x0000000001F4F000-memory.dmp

Filesize
188KB

Download
memory/3068-345-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3068-319-0x0000000001F20000-0x0000000001F4F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads