e5970cbfc05f325680562c74bb0dbf6843d9d4a0aafc7fdd1d13a3c2840782db

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5970cbfc05f325680562c74bb0dbf6843d9d4a0aafc7fdd1d13a3c2840782db.exe
Size

226KB
MD5

21805013b2da698ee76294c96a90cb91
SHA1

b4d96d41cde11866e64dbe7fa2d2f2204327adfc
SHA256

e5970cbfc05f325680562c74bb0dbf6843d9d4a0aafc7fdd1d13a3c2840782db
SHA512

5058f2dd68ea726c1b60d9d57ca160e5b2493791cfe5d5bd3edf49c917e37a4b46b2cc9f36bf5dff4c4c943387132d64dbc522639a4bf580fc0590d79a40def1
SSDEEP

6144:tnOKGszzUEXYmpXfxqySSKpRmSKeTk7eT5ABrnL8MdYg:5OJQz335IKrEAlnLAg

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Eiaiqn32.exeHhmepp32.exeGegfdb32.exeHpmgqnfl.exeFilldb32.exeGdopkn32.exeGacpdbej.exee5970cbfc05f325680562c74bb0dbf6843d9d4a0aafc7fdd1d13a3c2840782db.exeFlabbihl.exeFbdqmghm.exeHpocfncj.exeGhoegl32.exeIlknfn32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Eiaiqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gegfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpmgqnfl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Filldb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Filldb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gdopkn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gacpdbej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	e5970cbfc05f325680562c74bb0dbf6843d9d4a0aafc7fdd1d13a3c2840782db.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Flabbihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Fbdqmghm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Hpocfncj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e5970cbfc05f325680562c74bb0dbf6843d9d4a0aafc7fdd1d13a3c2840782db.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Flabbihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ghoegl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eiaiqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ghoegl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gegfdb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gdopkn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fbdqmghm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hhmepp32.exe

Executes dropped EXE 13 IoCs

Processes:

Eiaiqn32.exeFlabbihl.exeFilldb32.exeFbdqmghm.exeGegfdb32.exeGdopkn32.exeGacpdbej.exeGhoegl32.exeHpmgqnfl.exeHpocfncj.exeHhmepp32.exeIlknfn32.exeIagfoe32.exe

pid	process
1412	Eiaiqn32.exe
2448	Flabbihl.exe
2700	Filldb32.exe
2672	Fbdqmghm.exe
2512	Gegfdb32.exe
2972	Gdopkn32.exe
1844	Gacpdbej.exe
2864	Ghoegl32.exe
1520	Hpmgqnfl.exe
2012	Hpocfncj.exe
2148	Hhmepp32.exe
948	Ilknfn32.exe
2032	Iagfoe32.exe

Loads dropped DLL 30 IoCs

Processes:

e5970cbfc05f325680562c74bb0dbf6843d9d4a0aafc7fdd1d13a3c2840782db.exeEiaiqn32.exeFlabbihl.exeFilldb32.exeFbdqmghm.exeGegfdb32.exeGdopkn32.exeGacpdbej.exeGhoegl32.exeHpmgqnfl.exeHpocfncj.exeHhmepp32.exeIlknfn32.exeWerFault.exe

pid	process
2936	e5970cbfc05f325680562c74bb0dbf6843d9d4a0aafc7fdd1d13a3c2840782db.exe
2936	e5970cbfc05f325680562c74bb0dbf6843d9d4a0aafc7fdd1d13a3c2840782db.exe
1412	Eiaiqn32.exe
1412	Eiaiqn32.exe
2448	Flabbihl.exe
2448	Flabbihl.exe
2700	Filldb32.exe
2700	Filldb32.exe
2672	Fbdqmghm.exe
2672	Fbdqmghm.exe
2512	Gegfdb32.exe
2512	Gegfdb32.exe
2972	Gdopkn32.exe
2972	Gdopkn32.exe
1844	Gacpdbej.exe
1844	Gacpdbej.exe
2864	Ghoegl32.exe
2864	Ghoegl32.exe
1520	Hpmgqnfl.exe
1520	Hpmgqnfl.exe
2012	Hpocfncj.exe
2012	Hpocfncj.exe
2148	Hhmepp32.exe
2148	Hhmepp32.exe
948	Ilknfn32.exe
948	Ilknfn32.exe
316	WerFault.exe
316	WerFault.exe
316	WerFault.exe
316	WerFault.exe

Drops file in System32 directory 39 IoCs

Processes:

Flabbihl.exeGegfdb32.exeGdopkn32.exeGacpdbej.exeGhoegl32.exeHhmepp32.exee5970cbfc05f325680562c74bb0dbf6843d9d4a0aafc7fdd1d13a3c2840782db.exeEiaiqn32.exeFilldb32.exeFbdqmghm.exeHpocfncj.exeIlknfn32.exeHpmgqnfl.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Filldb32.exe	Flabbihl.exe
File created	C:\Windows\SysWOW64\Blnhfb32.dll	Gegfdb32.exe
File created	C:\Windows\SysWOW64\Elpbcapg.dll	Gdopkn32.exe
File opened for modification	C:\Windows\SysWOW64\Ghoegl32.exe	Gacpdbej.exe
File created	C:\Windows\SysWOW64\Hgpdcgoc.dll	Ghoegl32.exe
File created	C:\Windows\SysWOW64\Ilknfn32.exe	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Pdpfph32.dll	Hhmepp32.exe
File created	C:\Windows\SysWOW64\Eiaiqn32.exe	e5970cbfc05f325680562c74bb0dbf6843d9d4a0aafc7fdd1d13a3c2840782db.exe
File opened for modification	C:\Windows\SysWOW64\Eiaiqn32.exe	e5970cbfc05f325680562c74bb0dbf6843d9d4a0aafc7fdd1d13a3c2840782db.exe
File opened for modification	C:\Windows\SysWOW64\Flabbihl.exe	Eiaiqn32.exe
File created	C:\Windows\SysWOW64\Fbdqmghm.exe	Filldb32.exe
File opened for modification	C:\Windows\SysWOW64\Gegfdb32.exe	Fbdqmghm.exe
File created	C:\Windows\SysWOW64\Gacpdbej.exe	Gdopkn32.exe
File created	C:\Windows\SysWOW64\Flabbihl.exe	Eiaiqn32.exe
File created	C:\Windows\SysWOW64\Clphjpmh.dll	Filldb32.exe
File created	C:\Windows\SysWOW64\Hhmepp32.exe	Hpocfncj.exe
File opened for modification	C:\Windows\SysWOW64\Hhmepp32.exe	Hpocfncj.exe
File created	C:\Windows\SysWOW64\Iagfoe32.exe	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Ajlppdeb.dll	Eiaiqn32.exe
File opened for modification	C:\Windows\SysWOW64\Fbdqmghm.exe	Filldb32.exe
File created	C:\Windows\SysWOW64\Gegfdb32.exe	Fbdqmghm.exe
File created	C:\Windows\SysWOW64\Dhggeddb.dll	Flabbihl.exe
File created	C:\Windows\SysWOW64\Gpekfank.dll	Gacpdbej.exe
File created	C:\Windows\SysWOW64\Bdhaablp.dll	Hpocfncj.exe
File opened for modification	C:\Windows\SysWOW64\Ilknfn32.exe	Hhmepp32.exe
File opened for modification	C:\Windows\SysWOW64\Gdopkn32.exe	Gegfdb32.exe
File created	C:\Windows\SysWOW64\Hpmgqnfl.exe	Ghoegl32.exe
File opened for modification	C:\Windows\SysWOW64\Iagfoe32.exe	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Filldb32.exe	Flabbihl.exe
File opened for modification	C:\Windows\SysWOW64\Gacpdbej.exe	Gdopkn32.exe
File opened for modification	C:\Windows\SysWOW64\Hpocfncj.exe	Hpmgqnfl.exe
File created	C:\Windows\SysWOW64\Gjenmobn.dll	Ilknfn32.exe
File created	C:\Windows\SysWOW64\Bibckiab.dll	e5970cbfc05f325680562c74bb0dbf6843d9d4a0aafc7fdd1d13a3c2840782db.exe
File created	C:\Windows\SysWOW64\Ocjcidbb.dll	Fbdqmghm.exe
File created	C:\Windows\SysWOW64\Gdopkn32.exe	Gegfdb32.exe
File created	C:\Windows\SysWOW64\Ghoegl32.exe	Gacpdbej.exe
File opened for modification	C:\Windows\SysWOW64\Hpmgqnfl.exe	Ghoegl32.exe
File created	C:\Windows\SysWOW64\Hpocfncj.exe	Hpmgqnfl.exe
File created	C:\Windows\SysWOW64\Hciofb32.dll	Hpmgqnfl.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process

316 2032 WerFault.exe

pid	pid_target	process
316	2032	WerFault.exe

Modifies registry class 42 IoCs

Processes:

Filldb32.exeFbdqmghm.exeGdopkn32.exee5970cbfc05f325680562c74bb0dbf6843d9d4a0aafc7fdd1d13a3c2840782db.exeFlabbihl.exeGhoegl32.exeHpocfncj.exeHhmepp32.exeEiaiqn32.exeGacpdbej.exeHpmgqnfl.exeGegfdb32.exeIlknfn32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Filldb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Fbdqmghm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gdopkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	e5970cbfc05f325680562c74bb0dbf6843d9d4a0aafc7fdd1d13a3c2840782db.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Flabbihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhggeddb.dll"	Flabbihl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Fbdqmghm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ghoegl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	e5970cbfc05f325680562c74bb0dbf6843d9d4a0aafc7fdd1d13a3c2840782db.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	e5970cbfc05f325680562c74bb0dbf6843d9d4a0aafc7fdd1d13a3c2840782db.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpocfncj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hhmepp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Eiaiqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpekfank.dll"	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ghoegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hciofb32.dll"	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhaablp.dll"	Hpocfncj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clphjpmh.dll"	Filldb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gdopkn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gegfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Gegfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Gacpdbej.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	e5970cbfc05f325680562c74bb0dbf6843d9d4a0aafc7fdd1d13a3c2840782db.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Eiaiqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Flabbihl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blnhfb32.dll"	Gegfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elpbcapg.dll"	Gdopkn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Hpmgqnfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibckiab.dll"	e5970cbfc05f325680562c74bb0dbf6843d9d4a0aafc7fdd1d13a3c2840782db.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajlppdeb.dll"	Eiaiqn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocjcidbb.dll"	Fbdqmghm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpdcgoc.dll"	Ghoegl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdpfph32.dll"	Hhmepp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ilknfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjenmobn.dll"	Ilknfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	e5970cbfc05f325680562c74bb0dbf6843d9d4a0aafc7fdd1d13a3c2840782db.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Filldb32.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

description	pid	process	target process
PID 2936 wrote to memory of 1412	2936	e5970cbfc05f325680562c74bb0dbf6843d9d4a0aafc7fdd1d13a3c2840782db.exe	Eiaiqn32.exe
PID 2936 wrote to memory of 1412	2936	e5970cbfc05f325680562c74bb0dbf6843d9d4a0aafc7fdd1d13a3c2840782db.exe	Eiaiqn32.exe
PID 2936 wrote to memory of 1412	2936	e5970cbfc05f325680562c74bb0dbf6843d9d4a0aafc7fdd1d13a3c2840782db.exe	Eiaiqn32.exe
PID 2936 wrote to memory of 1412	2936	e5970cbfc05f325680562c74bb0dbf6843d9d4a0aafc7fdd1d13a3c2840782db.exe	Eiaiqn32.exe
PID 1412 wrote to memory of 2448	1412	Eiaiqn32.exe	Flabbihl.exe
PID 1412 wrote to memory of 2448	1412	Eiaiqn32.exe	Flabbihl.exe
PID 1412 wrote to memory of 2448	1412	Eiaiqn32.exe	Flabbihl.exe
PID 1412 wrote to memory of 2448	1412	Eiaiqn32.exe	Flabbihl.exe
PID 2448 wrote to memory of 2700	2448	Flabbihl.exe	Filldb32.exe
PID 2448 wrote to memory of 2700	2448	Flabbihl.exe	Filldb32.exe
PID 2448 wrote to memory of 2700	2448	Flabbihl.exe	Filldb32.exe
PID 2448 wrote to memory of 2700	2448	Flabbihl.exe	Filldb32.exe
PID 2700 wrote to memory of 2672	2700	Filldb32.exe	Fbdqmghm.exe
PID 2700 wrote to memory of 2672	2700	Filldb32.exe	Fbdqmghm.exe
PID 2700 wrote to memory of 2672	2700	Filldb32.exe	Fbdqmghm.exe
PID 2700 wrote to memory of 2672	2700	Filldb32.exe	Fbdqmghm.exe
PID 2672 wrote to memory of 2512	2672	Fbdqmghm.exe	Gegfdb32.exe
PID 2672 wrote to memory of 2512	2672	Fbdqmghm.exe	Gegfdb32.exe
PID 2672 wrote to memory of 2512	2672	Fbdqmghm.exe	Gegfdb32.exe
PID 2672 wrote to memory of 2512	2672	Fbdqmghm.exe	Gegfdb32.exe
PID 2512 wrote to memory of 2972	2512	Gegfdb32.exe	Gdopkn32.exe
PID 2512 wrote to memory of 2972	2512	Gegfdb32.exe	Gdopkn32.exe
PID 2512 wrote to memory of 2972	2512	Gegfdb32.exe	Gdopkn32.exe
PID 2512 wrote to memory of 2972	2512	Gegfdb32.exe	Gdopkn32.exe
PID 2972 wrote to memory of 1844	2972	Gdopkn32.exe	Gacpdbej.exe
PID 2972 wrote to memory of 1844	2972	Gdopkn32.exe	Gacpdbej.exe
PID 2972 wrote to memory of 1844	2972	Gdopkn32.exe	Gacpdbej.exe
PID 2972 wrote to memory of 1844	2972	Gdopkn32.exe	Gacpdbej.exe
PID 1844 wrote to memory of 2864	1844	Gacpdbej.exe	Ghoegl32.exe
PID 1844 wrote to memory of 2864	1844	Gacpdbej.exe	Ghoegl32.exe
PID 1844 wrote to memory of 2864	1844	Gacpdbej.exe	Ghoegl32.exe
PID 1844 wrote to memory of 2864	1844	Gacpdbej.exe	Ghoegl32.exe
PID 2864 wrote to memory of 1520	2864	Ghoegl32.exe	Hpmgqnfl.exe
PID 2864 wrote to memory of 1520	2864	Ghoegl32.exe	Hpmgqnfl.exe
PID 2864 wrote to memory of 1520	2864	Ghoegl32.exe	Hpmgqnfl.exe
PID 2864 wrote to memory of 1520	2864	Ghoegl32.exe	Hpmgqnfl.exe
PID 1520 wrote to memory of 2012	1520	Hpmgqnfl.exe	Hpocfncj.exe
PID 1520 wrote to memory of 2012	1520	Hpmgqnfl.exe	Hpocfncj.exe
PID 1520 wrote to memory of 2012	1520	Hpmgqnfl.exe	Hpocfncj.exe
PID 1520 wrote to memory of 2012	1520	Hpmgqnfl.exe	Hpocfncj.exe
PID 2012 wrote to memory of 2148	2012	Hpocfncj.exe	Hhmepp32.exe
PID 2012 wrote to memory of 2148	2012	Hpocfncj.exe	Hhmepp32.exe
PID 2012 wrote to memory of 2148	2012	Hpocfncj.exe	Hhmepp32.exe
PID 2012 wrote to memory of 2148	2012	Hpocfncj.exe	Hhmepp32.exe
PID 2148 wrote to memory of 948	2148	Hhmepp32.exe	Ilknfn32.exe
PID 2148 wrote to memory of 948	2148	Hhmepp32.exe	Ilknfn32.exe
PID 2148 wrote to memory of 948	2148	Hhmepp32.exe	Ilknfn32.exe
PID 2148 wrote to memory of 948	2148	Hhmepp32.exe	Ilknfn32.exe
PID 948 wrote to memory of 2032	948	Ilknfn32.exe	Iagfoe32.exe
PID 948 wrote to memory of 2032	948	Ilknfn32.exe	Iagfoe32.exe
PID 948 wrote to memory of 2032	948	Ilknfn32.exe	Iagfoe32.exe
PID 948 wrote to memory of 2032	948	Ilknfn32.exe	Iagfoe32.exe
PID 2032 wrote to memory of 316	2032	Iagfoe32.exe	WerFault.exe
PID 2032 wrote to memory of 316	2032	Iagfoe32.exe	WerFault.exe
PID 2032 wrote to memory of 316	2032	Iagfoe32.exe	WerFault.exe
PID 2032 wrote to memory of 316	2032	Iagfoe32.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\e5970cbfc05f325680562c74bb0dbf6843d9d4a0aafc7fdd1d13a3c2840782db.exe
"C:\Users\Admin\AppData\Local\Temp\e5970cbfc05f325680562c74bb0dbf6843d9d4a0aafc7fdd1d13a3c2840782db.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2936

C:\Windows\SysWOW64\Eiaiqn32.exe
C:\Windows\system32\Eiaiqn32.exe
2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1412

C:\Windows\SysWOW64\Flabbihl.exe
C:\Windows\system32\Flabbihl.exe
3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2448

C:\Windows\SysWOW64\Filldb32.exe
C:\Windows\system32\Filldb32.exe
4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\SysWOW64\Fbdqmghm.exe
C:\Windows\system32\Fbdqmghm.exe
5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2672

C:\Windows\SysWOW64\Gegfdb32.exe
C:\Windows\system32\Gegfdb32.exe
6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2512

C:\Windows\SysWOW64\Gdopkn32.exe
C:\Windows\system32\Gdopkn32.exe
7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2972

C:\Windows\SysWOW64\Gacpdbej.exe
C:\Windows\system32\Gacpdbej.exe
8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\SysWOW64\Ghoegl32.exe
C:\Windows\system32\Ghoegl32.exe
9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2864

C:\Windows\SysWOW64\Hpmgqnfl.exe
C:\Windows\system32\Hpmgqnfl.exe
10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\SysWOW64\Hpocfncj.exe
C:\Windows\system32\Hpocfncj.exe
11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\Hhmepp32.exe
C:\Windows\system32\Hhmepp32.exe
12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2148

C:\Windows\SysWOW64\Ilknfn32.exe
C:\Windows\system32\Ilknfn32.exe
13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\SysWOW64\Iagfoe32.exe
C:\Windows\system32\Iagfoe32.exe
14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 140
15⤵
- Loads dropped DLL
- Program crash
PID:316

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Fbdqmghm.exe
Filesize
226KB

MD5
20f22846c7ad8b38e8887dfa84185056

SHA1
f77faee71024981fed322c9693eb3b14ed04a483

SHA256
68da3fc56728db90789e7599acfda1d454d7f95aac02ac68b66830b98b6e3e86

SHA512
446cfbcc6eea12b8814af2bdfe016bf359e3ee19a29c57a8f230d5af6d40c13cd54a68a80dc735f3fb648d1f0aa01c40bf87b086e663eb517dc1d0b34e932a76

Download Submit
C:\Windows\SysWOW64\Gdopkn32.exe
Filesize
226KB

MD5
4bc3bcb2c8967507619a0bf592a5fc7e

SHA1
46d816a47bdf10c05724331a49fda88b91c42cc0

SHA256
0325994da53e46b3cad7f20d7d7c14aeeb957d35d408e49e1cb167d3f45ab0e1

SHA512
45c2776beb38ea4d03d0034af6bf178fc809b2c568b602c42456173215853b7f41c1e30ebdaf4a5d37976baf9bd3368e4acd4040b0d54ef93e26fb8fa6ff6b45

Download Submit
C:\Windows\SysWOW64\Hpmgqnfl.exe
Filesize
226KB

MD5
867b5059e96634480a7d707fdd28ab70

SHA1
c7913b4c1baaf63882267cf7674eee7a52b1341e

SHA256
90227ef5b62a0ecf52d271be62ede9fbb7fefac9272fa6f2dfc32f767f580ad8

SHA512
fbc40c2d922e439e267025d823fce3226d25c037be897e45b23530d4d978d20aa88040f29f2d376383bcfbe5c644bef07b0b4579eef2ed2fcd8921df3dc69b01

Download Submit
C:\Windows\SysWOW64\Iagfoe32.exe
Filesize
226KB

MD5
b9272dd49ea6accf6955b7fa719f00c7

SHA1
23488791a1afbc3bdc736fe87d35a87629efae39

SHA256
f514e609a8b456303e76e0b9a7fea438fb373bbaeb504ccc647d05b30eb01680

SHA512
af3bb608d388518f901774e050eca21f8fb7c254188cd49bf7d04313ff75e5bd137e434b53175582d07e635af993cdc0009630001ee9efe2d9068d7e1fd40d44

Download Submit
C:\Windows\SysWOW64\Ilknfn32.exe
Filesize
226KB

MD5
546fa8198d12236e65a58c0a4782e2ed

SHA1
393565587adae402055cd207b60f9a92c5ed3712

SHA256
99be84e16aacba047b34ba0f66a79a1a32c669e9ce21aef7d98bf46f9f34bfc9

SHA512
d51dc4c6aee7138d67af404ee1956f6b01d946b35474ca45d8919d99be52081b6248fc7ccb2d7a26aa9a6f2a8cc6e1200cc361b769f15017ccf00a811290aba1

Download Submit
C:\Windows\SysWOW64\Ocjcidbb.dll
Filesize
7KB

MD5
72b1a043124a479d8d06ee54c049ad73

SHA1
c81cdb1762f9c225843769ab947d4629aa4cc59c

SHA256
a95e915ffa6b319d476c50fbdfd2c4d7baeb7023679aafa3ce4f01fd49c6e24d

SHA512
9ec0341ca43e63de96629fe45fc387273a0d8253614cb3d2fb641bad5558b317e011a172a9edfe1c0e1ff92d55c6ddef93cfc162b65fbf57e2a85e03871aa6f5

Download Submit
\Windows\SysWOW64\Eiaiqn32.exe
Filesize
226KB

MD5
62828e19e718000c3a963d6ffc466f73

SHA1
eb0299c9a059838bc131d21dd4e2dc405f8d0dc0

SHA256
32ba70d8a8d21909058dc9af5186a5180e3229d66e459dbf40012f0967303824

SHA512
ec1ddee8f78feef27581c640db3f6f18f357254b148499b52683fd72087a5e86dc30e6a5838c403f0d3d7c2a0c2bd04ca2a35ee257cb3fc9b9d55290c4b8b478

Download Submit
\Windows\SysWOW64\Filldb32.exe
Filesize
226KB

MD5
cf519fa0b2908905628990014bcc3b42

SHA1
a0b35562d6e54c5e66974383052324703c396174

SHA256
c83304bf6c724ebd4b5d0e2e30e7a71e10d76916b9837ed813bbcd43dce104f5

SHA512
1a0e6d0593d9d5b9be48c93ac5a2676393bfb74845232d386c228b6e2cf02cf25c1000a463c0d54581fbbc11e16bfedc268377c3e46b540b4daf79c9c5673edf

Download Submit
\Windows\SysWOW64\Flabbihl.exe
Filesize
226KB

MD5
01109907aca01bf5ba81a24e4466c264

SHA1
ac089d4c696d6796f4ee5229df8f44e510ccdc14

SHA256
1ce5f369692cf3c097cdbc4196dc4596ef651f67ca376d58b65dafb30775eb98

SHA512
959f57fa4c7975f2dfbff3b23306cb322ed20652603776564fa43d68c6fbed2fe3ae8dfc9a88288992b00b311a06d14e88a65108a53ddfb8915fe774486f6233

Download Submit
\Windows\SysWOW64\Gacpdbej.exe
Filesize
226KB

MD5
3c38917894b4bc17f169ea40af15e5f7

SHA1
d255c650ce60840aedd11bcdc115b6cbb979fc68

SHA256
7994dfb65222fbb0bc1d4a8483c7258d60c6440ea5aa2251a5a478a378233099

SHA512
2063e888c18ce6de42c58a8f3951cc1577a5f6914e9e1a894695518a3b8427ba983ceca275902c65bfe5e825bb3d8b98d654d46af1e4dcef40172ded4c7b5c8c

Download Submit
\Windows\SysWOW64\Gegfdb32.exe
Filesize
226KB

MD5
da345721e80864af6c00878d9e9b5e00

SHA1
6ee146f19c5a56daa3a85f68d1de68b4901f9c7c

SHA256
ed60d692b16a24d952015daa9c9b5502b465db66134a968a19f733f9cc459220

SHA512
df084424e14a833e0e9cb7c011ccd98df5d5a49da06b195ee069ca17195f1b9166eb1440cd653641b2d522891679d42936ee1e5998cc668335d92b97a50355dd

Download Submit
\Windows\SysWOW64\Ghoegl32.exe
Filesize
226KB

MD5
f16bd6d832ab99e165aa18c00d355452

SHA1
c3ab637f598a1cba4302ac2c9abe7815baaed6e5

SHA256
243c4cd1f920a22e76cad3995beaafebc3d5a5ee722fa4277c34d14d2afd1d0c

SHA512
76afaed3105402d093cedf57d1996ea9249b133d83bf8b2f3903e1331eb25fcb881298ed09d64a95770988ae8c48332b05387f56a773330aa83394db978a8a95

Download Submit
\Windows\SysWOW64\Hhmepp32.exe
Filesize
226KB

MD5
bedc10d65c799ac154fca6d00172b800

SHA1
d82ff4bf8bcb15b7f8de2dd4f34cd57ef23c37c3

SHA256
93de9af357e3dafcdf33b64bb88dc21eb8ccbed5e48bf681f21b833a4ad2e8d2

SHA512
ef01584802b9f2ad27a36114c9645254a7bf1cd8cf3f94044e881c8e18251ccd8a092587bbedbd1fdd7758b78773c486eca3cf994894859349c8c656f2844691

Download Submit
\Windows\SysWOW64\Hpocfncj.exe
Filesize
226KB

MD5
6f5caedcfb0815f0030d2002fd21e0bf

SHA1
1348abade72d89f7c2e365ff82dc26d3bc9ee1e2

SHA256
5b2366daa3234a833b26fbb7e843b91725d4958b8e96a06e7211b6f03ae74fad

SHA512
808a71eea23418fcaa47d43b810c1307c932bd019c5cc9f28e2804bf18962d1d705f529d6ff34fc000408aeb7ec3a386fec59d66a7594a7f1e0c8a7b068d44f7

Download Submit
memory/948-190-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/948-162-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1412-26-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1412-13-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1412-25-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1412-181-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1520-187-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1520-134-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/1520-122-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1844-103-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2012-136-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2012-188-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2032-175-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2148-189-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2148-149-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2448-28-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2448-182-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2512-185-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2512-69-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2672-68-0x0000000000450000-0x0000000000491000-memory.dmp

Filesize
260KB

Download
memory/2672-55-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2672-184-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2700-45-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2700-183-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2700-53-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2864-116-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2936-180-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2936-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2936-6-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2972-186-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2972-82-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2972-100-0x0000000000310000-0x0000000000351000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads