efeea60e9d477b4393f03c648786ed595c2f44aaa6bc4c57a836134d7ae2c95c

Analysis

max time kernel
121s
max time network
127s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
12/08/2024, 04:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

efeea60e9d477b4393f03c648786ed595c2f44aaa6bc4c57a836134d7ae2c95c.exe
Size

85KB
MD5

833bcacde5bcd0fedcfdc1b52ed66fa1
SHA1

40967b4ffd25e1d150c09868d73c48aef0439552
SHA256

efeea60e9d477b4393f03c648786ed595c2f44aaa6bc4c57a836134d7ae2c95c
SHA512

aa9f6c0f155acf2e53b8205415e708ca6455139021571051b54834f718e75422cd8aa4146cfc1555865eeb6e6f97e6104fdc5c0fcbc15d070f0eb6f114575b26
SSDEEP

1536:RxcJZZZ/QDLFk4IH2OG8/QO5w1kAYG4dPIqH2LHxMQ262AjCsQ2PCZZrqOlNfVSc:Rsw1k5d+HxMQH2qC7ZQOlzSLUK+

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	efeea60e9d477b4393f03c648786ed595c2f44aaa6bc4c57a836134d7ae2c95c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmbmeifk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mbcoio32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ngealejo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Omklkkpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qlgkki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qlgkki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cileqlmg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhknaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lbcbjlmb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mqklqhpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pepcelel.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmkhjncg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlnpgd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odgamdef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pepcelel.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqeqqk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmbmeifk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmkhjncg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaimopli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhknaf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mbcoio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omklkkpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Odgamdef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adnpkjde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lbcbjlmb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Phlclgfc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Achjibcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Achjibcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqeqqk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	efeea60e9d477b4393f03c648786ed595c2f44aaa6bc4c57a836134d7ae2c95c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mqklqhpg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlnpgd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ngealejo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Phlclgfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaimopli.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adnpkjde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnpciaef.exe

Executes dropped EXE 23 IoCs

pid	Process
3052	Lhknaf32.exe
2944	Lbcbjlmb.exe
2676	Mqklqhpg.exe
2692	Mmbmeifk.exe
2668	Mbcoio32.exe
2548	Nlnpgd32.exe
380	Ngealejo.exe
1200	Omklkkpl.exe
2068	Odgamdef.exe
1972	Phlclgfc.exe
1740	Pepcelel.exe
2588	Pmkhjncg.exe
2152	Qlgkki32.exe
2148	Aaimopli.exe
1148	Achjibcl.exe
1296	Adnpkjde.exe
616	Bqeqqk32.exe
1580	Bnknoogp.exe
1288	Bqlfaj32.exe
2296	Cileqlmg.exe
2492	Ckmnbg32.exe
1260	Dnpciaef.exe
1436	Dpapaj32.exe

Loads dropped DLL 49 IoCs

pid	Process
2464	efeea60e9d477b4393f03c648786ed595c2f44aaa6bc4c57a836134d7ae2c95c.exe
2464	efeea60e9d477b4393f03c648786ed595c2f44aaa6bc4c57a836134d7ae2c95c.exe
3052	Lhknaf32.exe
3052	Lhknaf32.exe
2944	Lbcbjlmb.exe
2944	Lbcbjlmb.exe
2676	Mqklqhpg.exe
2676	Mqklqhpg.exe
2692	Mmbmeifk.exe
2692	Mmbmeifk.exe
2668	Mbcoio32.exe
2668	Mbcoio32.exe
2548	Nlnpgd32.exe
2548	Nlnpgd32.exe
380	Ngealejo.exe
380	Ngealejo.exe
1200	Omklkkpl.exe
1200	Omklkkpl.exe
2068	Odgamdef.exe
2068	Odgamdef.exe
1972	Phlclgfc.exe
1972	Phlclgfc.exe
1740	Pepcelel.exe
1740	Pepcelel.exe
2588	Pmkhjncg.exe
2588	Pmkhjncg.exe
2152	Qlgkki32.exe
2152	Qlgkki32.exe
2148	Aaimopli.exe
2148	Aaimopli.exe
1148	Achjibcl.exe
1148	Achjibcl.exe
1296	Adnpkjde.exe
1296	Adnpkjde.exe
616	Bqeqqk32.exe
616	Bqeqqk32.exe
1580	Bnknoogp.exe
1580	Bnknoogp.exe
1288	Bqlfaj32.exe
1288	Bqlfaj32.exe
2296	Cileqlmg.exe
2296	Cileqlmg.exe
2492	Ckmnbg32.exe
2492	Ckmnbg32.exe
1260	Dnpciaef.exe
1260	Dnpciaef.exe
2444	WerFault.exe
2444	WerFault.exe
2444	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Aaimopli.exe	Qlgkki32.exe
File opened for modification	C:\Windows\SysWOW64\Adnpkjde.exe	Achjibcl.exe
File created	C:\Windows\SysWOW64\Aglfmjon.dll	Achjibcl.exe
File created	C:\Windows\SysWOW64\Ngealejo.exe	Nlnpgd32.exe
File opened for modification	C:\Windows\SysWOW64\Ngealejo.exe	Nlnpgd32.exe
File created	C:\Windows\SysWOW64\Pepcelel.exe	Phlclgfc.exe
File created	C:\Windows\SysWOW64\Aaimopli.exe	Qlgkki32.exe
File opened for modification	C:\Windows\SysWOW64\Ckmnbg32.exe	Cileqlmg.exe
File opened for modification	C:\Windows\SysWOW64\Dnpciaef.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Mqklqhpg.exe	Lbcbjlmb.exe
File created	C:\Windows\SysWOW64\Omklkkpl.exe	Ngealejo.exe
File created	C:\Windows\SysWOW64\Bibjaofg.dll	Pepcelel.exe
File opened for modification	C:\Windows\SysWOW64\Phlclgfc.exe	Odgamdef.exe
File created	C:\Windows\SysWOW64\Adnpkjde.exe	Achjibcl.exe
File opened for modification	C:\Windows\SysWOW64\Bnknoogp.exe	Bqeqqk32.exe
File opened for modification	C:\Windows\SysWOW64\Bqlfaj32.exe	Bnknoogp.exe
File created	C:\Windows\SysWOW64\Cileqlmg.exe	Bqlfaj32.exe
File created	C:\Windows\SysWOW64\Nlnpgd32.exe	Mbcoio32.exe
File created	C:\Windows\SysWOW64\Nfcakjoj.dll	Nlnpgd32.exe
File created	C:\Windows\SysWOW64\Odgamdef.exe	Omklkkpl.exe
File created	C:\Windows\SysWOW64\Lhknaf32.exe	efeea60e9d477b4393f03c648786ed595c2f44aaa6bc4c57a836134d7ae2c95c.exe
File created	C:\Windows\SysWOW64\Mjpbcokk.dll	Omklkkpl.exe
File opened for modification	C:\Windows\SysWOW64\Bqeqqk32.exe	Adnpkjde.exe
File created	C:\Windows\SysWOW64\Pmkhjncg.exe	Pepcelel.exe
File created	C:\Windows\SysWOW64\Opobfpee.dll	Adnpkjde.exe
File created	C:\Windows\SysWOW64\Ckndebll.dll	Bqeqqk32.exe
File created	C:\Windows\SysWOW64\Pmiljc32.dll	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Lbcbjlmb.exe	Lhknaf32.exe
File opened for modification	C:\Windows\SysWOW64\Nlnpgd32.exe	Mbcoio32.exe
File created	C:\Windows\SysWOW64\Mpioba32.dll	Phlclgfc.exe
File created	C:\Windows\SysWOW64\Phlclgfc.exe	Odgamdef.exe
File created	C:\Windows\SysWOW64\Qlgkki32.exe	Pmkhjncg.exe
File created	C:\Windows\SysWOW64\Ckmnbg32.exe	Cileqlmg.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe
File opened for modification	C:\Windows\SysWOW64\Lbcbjlmb.exe	Lhknaf32.exe
File opened for modification	C:\Windows\SysWOW64\Mbcoio32.exe	Mmbmeifk.exe
File created	C:\Windows\SysWOW64\Giddhc32.dll	Ngealejo.exe
File created	C:\Windows\SysWOW64\Mbcoio32.exe	Mmbmeifk.exe
File created	C:\Windows\SysWOW64\Fbbnekdd.dll	Pmkhjncg.exe
File created	C:\Windows\SysWOW64\Dkppib32.dll	Qlgkki32.exe
File opened for modification	C:\Windows\SysWOW64\Cileqlmg.exe	Bqlfaj32.exe
File opened for modification	C:\Windows\SysWOW64\Pepcelel.exe	Phlclgfc.exe
File created	C:\Windows\SysWOW64\Mfhmmndi.dll	Aaimopli.exe
File created	C:\Windows\SysWOW64\Bqeqqk32.exe	Adnpkjde.exe
File created	C:\Windows\SysWOW64\Mmbmeifk.exe	Mqklqhpg.exe
File created	C:\Windows\SysWOW64\Ladpkl32.dll	Mmbmeifk.exe
File created	C:\Windows\SysWOW64\Dnpciaef.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Qeeheknp.dll	Mbcoio32.exe
File created	C:\Windows\SysWOW64\Achjibcl.exe	Aaimopli.exe
File created	C:\Windows\SysWOW64\Bnknoogp.exe	Bqeqqk32.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dnpciaef.exe
File opened for modification	C:\Windows\SysWOW64\Omklkkpl.exe	Ngealejo.exe
File opened for modification	C:\Windows\SysWOW64\Odgamdef.exe	Omklkkpl.exe
File created	C:\Windows\SysWOW64\Gbnbjo32.dll	Bnknoogp.exe
File created	C:\Windows\SysWOW64\Bqlfaj32.exe	Bnknoogp.exe
File opened for modification	C:\Windows\SysWOW64\Mqklqhpg.exe	Lbcbjlmb.exe
File created	C:\Windows\SysWOW64\Nlcgpm32.dll	Lbcbjlmb.exe
File opened for modification	C:\Windows\SysWOW64\Pmkhjncg.exe	Pepcelel.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dnpciaef.exe
File created	C:\Windows\SysWOW64\Cgknkqan.dll	efeea60e9d477b4393f03c648786ed595c2f44aaa6bc4c57a836134d7ae2c95c.exe
File created	C:\Windows\SysWOW64\Obecdjcn.dll	Odgamdef.exe
File created	C:\Windows\SysWOW64\Cmbfdl32.dll	Bqlfaj32.exe
File opened for modification	C:\Windows\SysWOW64\Qlgkki32.exe	Pmkhjncg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2444	1436	WerFault.exe	53

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	efeea60e9d477b4393f03c648786ed595c2f44aaa6bc4c57a836134d7ae2c95c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmbmeifk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmkhjncg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqeqqk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lbcbjlmb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adnpkjde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnknoogp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Phlclgfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaimopli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqlfaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cileqlmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lhknaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mqklqhpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlnpgd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngealejo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnpciaef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qlgkki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achjibcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mbcoio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Omklkkpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odgamdef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pepcelel.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mbcoio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeeheknp.dll"	Mbcoio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbnekdd.dll"	Pmkhjncg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opobfpee.dll"	Adnpkjde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckndebll.dll"	Bqeqqk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cileqlmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbnbjo32.dll"	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	efeea60e9d477b4393f03c648786ed595c2f44aaa6bc4c57a836134d7ae2c95c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlcgpm32.dll"	Lbcbjlmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lbcbjlmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ngealejo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmkhjncg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qqfkbadh.dll"	Lhknaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pepcelel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pepcelel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfhmmndi.dll"	Aaimopli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	efeea60e9d477b4393f03c648786ed595c2f44aaa6bc4c57a836134d7ae2c95c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	efeea60e9d477b4393f03c648786ed595c2f44aaa6bc4c57a836134d7ae2c95c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mqklqhpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giddhc32.dll"	Ngealejo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbfdl32.dll"	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lbcbjlmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaimopli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgknkqan.dll"	efeea60e9d477b4393f03c648786ed595c2f44aaa6bc4c57a836134d7ae2c95c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mbcoio32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlnpgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmkhjncg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qlgkki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnpciaef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ladpkl32.dll"	Mmbmeifk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Omklkkpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adnpkjde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnknoogp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhknaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngealejo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Phlclgfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aglfmjon.dll"	Achjibcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmbmeifk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odgamdef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obecdjcn.dll"	Odgamdef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Phlclgfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibjaofg.dll"	Pepcelel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dnpciaef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	efeea60e9d477b4393f03c648786ed595c2f44aaa6bc4c57a836134d7ae2c95c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhknaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omklkkpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odgamdef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqeqqk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	efeea60e9d477b4393f03c648786ed595c2f44aaa6bc4c57a836134d7ae2c95c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mqklqhpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpioba32.dll"	Phlclgfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qlgkki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdjfphd.dll"	Mqklqhpg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfcakjoj.dll"	Nlnpgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpbcokk.dll"	Omklkkpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Achjibcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Achjibcl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 3052	2464	efeea60e9d477b4393f03c648786ed595c2f44aaa6bc4c57a836134d7ae2c95c.exe	31
PID 2464 wrote to memory of 3052	2464	efeea60e9d477b4393f03c648786ed595c2f44aaa6bc4c57a836134d7ae2c95c.exe	31
PID 2464 wrote to memory of 3052	2464	efeea60e9d477b4393f03c648786ed595c2f44aaa6bc4c57a836134d7ae2c95c.exe	31
PID 2464 wrote to memory of 3052	2464	efeea60e9d477b4393f03c648786ed595c2f44aaa6bc4c57a836134d7ae2c95c.exe	31
PID 3052 wrote to memory of 2944	3052	Lhknaf32.exe	32
PID 3052 wrote to memory of 2944	3052	Lhknaf32.exe	32
PID 3052 wrote to memory of 2944	3052	Lhknaf32.exe	32
PID 3052 wrote to memory of 2944	3052	Lhknaf32.exe	32
PID 2944 wrote to memory of 2676	2944	Lbcbjlmb.exe	33
PID 2944 wrote to memory of 2676	2944	Lbcbjlmb.exe	33
PID 2944 wrote to memory of 2676	2944	Lbcbjlmb.exe	33
PID 2944 wrote to memory of 2676	2944	Lbcbjlmb.exe	33
PID 2676 wrote to memory of 2692	2676	Mqklqhpg.exe	34
PID 2676 wrote to memory of 2692	2676	Mqklqhpg.exe	34
PID 2676 wrote to memory of 2692	2676	Mqklqhpg.exe	34
PID 2676 wrote to memory of 2692	2676	Mqklqhpg.exe	34
PID 2692 wrote to memory of 2668	2692	Mmbmeifk.exe	35
PID 2692 wrote to memory of 2668	2692	Mmbmeifk.exe	35
PID 2692 wrote to memory of 2668	2692	Mmbmeifk.exe	35
PID 2692 wrote to memory of 2668	2692	Mmbmeifk.exe	35
PID 2668 wrote to memory of 2548	2668	Mbcoio32.exe	36
PID 2668 wrote to memory of 2548	2668	Mbcoio32.exe	36
PID 2668 wrote to memory of 2548	2668	Mbcoio32.exe	36
PID 2668 wrote to memory of 2548	2668	Mbcoio32.exe	36
PID 2548 wrote to memory of 380	2548	Nlnpgd32.exe	37
PID 2548 wrote to memory of 380	2548	Nlnpgd32.exe	37
PID 2548 wrote to memory of 380	2548	Nlnpgd32.exe	37
PID 2548 wrote to memory of 380	2548	Nlnpgd32.exe	37
PID 380 wrote to memory of 1200	380	Ngealejo.exe	38
PID 380 wrote to memory of 1200	380	Ngealejo.exe	38
PID 380 wrote to memory of 1200	380	Ngealejo.exe	38
PID 380 wrote to memory of 1200	380	Ngealejo.exe	38
PID 1200 wrote to memory of 2068	1200	Omklkkpl.exe	39
PID 1200 wrote to memory of 2068	1200	Omklkkpl.exe	39
PID 1200 wrote to memory of 2068	1200	Omklkkpl.exe	39
PID 1200 wrote to memory of 2068	1200	Omklkkpl.exe	39
PID 2068 wrote to memory of 1972	2068	Odgamdef.exe	40
PID 2068 wrote to memory of 1972	2068	Odgamdef.exe	40
PID 2068 wrote to memory of 1972	2068	Odgamdef.exe	40
PID 2068 wrote to memory of 1972	2068	Odgamdef.exe	40
PID 1972 wrote to memory of 1740	1972	Phlclgfc.exe	41
PID 1972 wrote to memory of 1740	1972	Phlclgfc.exe	41
PID 1972 wrote to memory of 1740	1972	Phlclgfc.exe	41
PID 1972 wrote to memory of 1740	1972	Phlclgfc.exe	41
PID 1740 wrote to memory of 2588	1740	Pepcelel.exe	42
PID 1740 wrote to memory of 2588	1740	Pepcelel.exe	42
PID 1740 wrote to memory of 2588	1740	Pepcelel.exe	42
PID 1740 wrote to memory of 2588	1740	Pepcelel.exe	42
PID 2588 wrote to memory of 2152	2588	Pmkhjncg.exe	43
PID 2588 wrote to memory of 2152	2588	Pmkhjncg.exe	43
PID 2588 wrote to memory of 2152	2588	Pmkhjncg.exe	43
PID 2588 wrote to memory of 2152	2588	Pmkhjncg.exe	43
PID 2152 wrote to memory of 2148	2152	Qlgkki32.exe	44
PID 2152 wrote to memory of 2148	2152	Qlgkki32.exe	44
PID 2152 wrote to memory of 2148	2152	Qlgkki32.exe	44
PID 2152 wrote to memory of 2148	2152	Qlgkki32.exe	44
PID 2148 wrote to memory of 1148	2148	Aaimopli.exe	45
PID 2148 wrote to memory of 1148	2148	Aaimopli.exe	45
PID 2148 wrote to memory of 1148	2148	Aaimopli.exe	45
PID 2148 wrote to memory of 1148	2148	Aaimopli.exe	45
PID 1148 wrote to memory of 1296	1148	Achjibcl.exe	46
PID 1148 wrote to memory of 1296	1148	Achjibcl.exe	46
PID 1148 wrote to memory of 1296	1148	Achjibcl.exe	46
PID 1148 wrote to memory of 1296	1148	Achjibcl.exe	46

C:\Users\Admin\AppData\Local\Temp\efeea60e9d477b4393f03c648786ed595c2f44aaa6bc4c57a836134d7ae2c95c.exe
"C:\Users\Admin\AppData\Local\Temp\efeea60e9d477b4393f03c648786ed595c2f44aaa6bc4c57a836134d7ae2c95c.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\SysWOW64\Lhknaf32.exe
  C:\Windows\system32\Lhknaf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\SysWOW64\Lbcbjlmb.exe
    C:\Windows\system32\Lbcbjlmb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\SysWOW64\Mqklqhpg.exe
      C:\Windows\system32\Mqklqhpg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Windows\SysWOW64\Mmbmeifk.exe
        
        C:\Windows\system32\Mmbmeifk.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2692
      - C:\Windows\SysWOW64\Mbcoio32.exe
        
        C:\Windows\system32\Mbcoio32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\Nlnpgd32.exe
        
        C:\Windows\system32\Nlnpgd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\Ngealejo.exe
        
        C:\Windows\system32\Ngealejo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:380
        
        C:\Windows\SysWOW64\Omklkkpl.exe
        
        C:\Windows\system32\Omklkkpl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Windows\SysWOW64\Odgamdef.exe
        
        C:\Windows\system32\Odgamdef.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\Phlclgfc.exe
        
        C:\Windows\system32\Phlclgfc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\SysWOW64\Pepcelel.exe
        
        C:\Windows\system32\Pepcelel.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\SysWOW64\Pmkhjncg.exe
        
        C:\Windows\system32\Pmkhjncg.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Qlgkki32.exe
        
        C:\Windows\system32\Qlgkki32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\Aaimopli.exe
        
        C:\Windows\system32\Aaimopli.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Achjibcl.exe
        
        C:\Windows\system32\Achjibcl.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Windows\SysWOW64\Adnpkjde.exe
        
        C:\Windows\system32\Adnpkjde.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1296
        
        C:\Windows\SysWOW64\Bqeqqk32.exe
        
        C:\Windows\system32\Bqeqqk32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:616
        
        C:\Windows\SysWOW64\Bnknoogp.exe
        
        C:\Windows\system32\Bnknoogp.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Bqlfaj32.exe
        
        C:\Windows\system32\Bqlfaj32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\Cileqlmg.exe
        
        C:\Windows\system32\Cileqlmg.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Dnpciaef.exe
        
        C:\Windows\system32\Dnpciaef.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1260
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 144
        25⤵
        Loads dropped DLL
        Program crash
        
        PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aaimopli.exe

Filesize
85KB

MD5
65f217b7cd594676c79a60d0aea6e4bf

SHA1
6d35b33cf832df7b7b41ef22d1c97cbb1fa77f7d

SHA256
f55341978906ad590a54a4ebec39d1374aaa45b7e709faba702cab3956d77318

SHA512
59c953b2f0d6ffa73da537ba2a0be0f2dbf41a5dad1043782ba54ae903d0e0645c4c4ee79053d654e7db8b2d3942421d7e64b7e733139a0ae5b2d017425a029e

Download Submit
C:\Windows\SysWOW64\Bnknoogp.exe

Filesize
85KB

MD5
ac64fcc05c406c50f865f30e691f7eb1

SHA1
990767ae607a5e6f0c35f7451b95fc669bcc60b5

SHA256
d028f75511d96103b4bbc50a9ec224de3292e39852672c6e250826370d438150

SHA512
d64ff98662202b73257c49e594e21dafd36d5a6255ca82645c2d84ad45b4ca6c828819f57c1c140b820fb69c90f228befeaf8c2e976cea2721e73db8933c5d84

Download Submit
C:\Windows\SysWOW64\Bqeqqk32.exe

Filesize
85KB

MD5
60b60614dba2f210bd92406666bf0136

SHA1
d197032a4494f7ab545c879ed28bfc1886cef93c

SHA256
c40fdc42edfd8ede7a3fd95d04b1ab6e0a604555980cca82b890c9ddff541aba

SHA512
a32075c967c5a71d1cdd06673e2e2ee88d079eb36a7cf75b339a456e436c4d25d0daebc1ea3b133795d64d6916fab27ab37769802c7f263d5523f779c72140b9

Download Submit
C:\Windows\SysWOW64\Bqlfaj32.exe

Filesize
85KB

MD5
4e3f4e4dec539e42a8cb2f0f44da8cf6

SHA1
d5bed43839744b7b83fd5f7c33c2367159a831ab

SHA256
1b9c58149c2ec6557ebbd8350b502ed9361284b7ac777c6b9cc717a0427ffcac

SHA512
1a6108eecdba1b3e38328adb650ae2c8b1224aad7e47ad67c4ec315759d2dba694db6a5bbbf36e94197473a67dfdc8b160846b60bcb7d1352b86eaea8930f014

Download Submit
C:\Windows\SysWOW64\Cileqlmg.exe

Filesize
85KB

MD5
540639755d665b63063337a08e19458f

SHA1
e747401dda302d0f9bf9a572dcabc56a2211f7ee

SHA256
b55727871fc447dc11e20b38d7fccd5dc0d13163097cd42e37ea87c98bd9be2c

SHA512
7428f530645cb94749891f1c9af99a92d297fca5fb2bc9775469195ece11c23fe2309ed62159efd7c3d5fc34447d768bd1c90c4b4831e2640cd391f59f51e61d

Download Submit
C:\Windows\SysWOW64\Ckmnbg32.exe

Filesize
85KB

MD5
4c1a4994b13ed0a3975126b268032759

SHA1
84e996969eddf4d9f4c23fc42aade7a902fb443d

SHA256
fb66b24b661cb932d706cd963b52cd5272aab381fe1383f3b1fe10ca580e5b29

SHA512
8922ede00e1d392a05f8eb7c283e6a77c65a65271e9483d9bba45aaa42e8770fc1673c76a3f9a3626c8b65b73739f0ae6f61b8362e84d24d9699670833701815

Download Submit
C:\Windows\SysWOW64\Dnpciaef.exe

Filesize
85KB

MD5
7e6e0e38f338270459f9ff2f97e42dc9

SHA1
704dc410bb0faf2288ccc65a95e9966a5fb84341

SHA256
6706860ccfa19f894c4028cb40b6ad0c4675393a7f2c0d766053dd662887a3ed

SHA512
39fb9119d981431ed78a8c4730b969828d29969df7eee1a59b1fa519a38ad38fed33deac2e4f98175655c469b32b1ac3582d14655b15a3335ff6c491eeb644d1

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
85KB

MD5
8714f08fe124ea671fff6dcc6178695a

SHA1
3193de187e2467aa46d2d38dddb441ed1428ae1f

SHA256
d7e7b03e6b071ece0ad0c16690d6ed7d2be7360355aa6da196efdb5ef4acd926

SHA512
bc930a79664447c7594de136cd4580a2b3a455a3e2e83f78f349d043cd58a807854052087e339bee67705f46f60bcb19fcee2a33de9c72b8c4c9439711759a68

Download Submit
C:\Windows\SysWOW64\Lbcbjlmb.exe

Filesize
85KB

MD5
9d406b754ffee5cf18cb48dfe6526d0c

SHA1
dc0e38b406d1a288589f49cb8a68da2d9d32cf92

SHA256
0ea65c6919d154cf7c5c72c128001fba1aad9572dd4e2b1ed8b9638ff9f7d2b6

SHA512
752e926eb3bef0d8372555d907806b1bd9776686effd3a1984a3eb9d6a0f90652d607558054aeca391ee304bf042a3474dbcbd8e4c742c2ae41141bb06850d2a

Download Submit
C:\Windows\SysWOW64\Mbcoio32.exe

Filesize
85KB

MD5
88241bac713c8ec6db49dea98ef30c12

SHA1
138d5413d532fd743892fe3d07792ed1727552a2

SHA256
0056715667467f86f1561956ba7c4a43d39f79e23c251b3516ab8e4ae8e2b216

SHA512
3bcf47962d6c37c8858e44d874988905820fcea65d7d96cbbc866317574a8583ed608a6234c8350871a4e5f9294d685acb845eaa84bcdea30abc28904923f7c8

Download Submit
C:\Windows\SysWOW64\Odgamdef.exe

Filesize
85KB

MD5
10edd372e22de07fcd331dad077555fa

SHA1
00e395406cd04a4f4783243d2ac728961d86f7eb

SHA256
b866bd646367e33f579bf2a96a59cb2581ab593868b9391c4cbec5c1aaec09fb

SHA512
f8bf61f7864eca8b0147ee0f1e5e284488334cebe8ccdf42c6b97c3e666ae353bf7dc531903a328423d89c969affe2a1dd657b8f36c3967a4db5baa0ec9789ea

Download Submit
C:\Windows\SysWOW64\Omklkkpl.exe

Filesize
85KB

MD5
0367f485b7e887a18d4dd17682ce93dd

SHA1
ef0c90238c5e3030373477eabdb08597f2e020f2

SHA256
db41d4e3fe3ff7d7ab79e85eb1ca07ee68ac26614fcd5790f80452542ca0efdd

SHA512
9ec67580ff97af900a007afa592de17482560982f86f1fc6067d1daf1ab0954b7d8e25bd3cb66e429a6a75f55a20640c1d1cfb8789402019ff786d9807d4adb5

Download Submit
C:\Windows\SysWOW64\Pepcelel.exe

Filesize
85KB

MD5
0f7b695537f6110eb52d47508ce4d411

SHA1
497d7e3adee4894eb5a2232995ba8ed0eaa71370

SHA256
6092927af5eddf2dbe55d400569efafa4875ae4d605b050cd20ec35029147925

SHA512
0e58d198d547d0fa4d982e9fc7c6a39b42ec41203a27ff8707a288d812771c6b4a5487f553e20676b52e97b1cf89918ed0026470e4d5650ee4c6e2f26044796c

Download Submit
\Windows\SysWOW64\Achjibcl.exe

Filesize
85KB

MD5
f1f6631e0cf7515b810c9bd91baa9ec0

SHA1
630fe1c607969f3af36ba1d4b0e4a64b34f40f51

SHA256
2cf27ef9d7ce026f55e9383036c03597e41355901a3e981893d11d17838f9131

SHA512
911cbf1a4879455961d6903cca182ff23f3704da1df1fd0bc241e4c188276e969ac55e55d2fb42c26b751a00fe0bc943555891f7430f5b3f1c241566c8a01ece

Download Submit
\Windows\SysWOW64\Adnpkjde.exe

Filesize
85KB

MD5
8a9f8f0d72e7f458fcb22d6491245aec

SHA1
9abc43b0e66d3a9b23fdba42c1f3e9a92b4e4a06

SHA256
ad14bcb3512420c81cc17352f0b65bf5b8ca53305429b90a9a0a98ce5e42e970

SHA512
60f9ec28c322ce441a2ff5622d3d417000665bc48b934ec3d99526df86740f5a1c55cd4c01aa291a2f8ac172e94f633391f64c0113d3e1f780e6521ea1dde66f

Download Submit
\Windows\SysWOW64\Lhknaf32.exe

Filesize
85KB

MD5
8ff4d9553620288180b07ee77372f8c9

SHA1
3e8d26bf1f860f193cc7ea229a6128e876098b5d

SHA256
ef109a3b2c5754974b1d4b6a64ea69beb7e886a4b61eaa28a272843e484d9dd8

SHA512
392a56179eb96dfa8af6292018c9f9ba7a164551a89c9d7b7d59cc0de248f313408f7ed12af1ab5023c07921a163be1628488497797e884cc9af433adaf50113

Download Submit
\Windows\SysWOW64\Mmbmeifk.exe

Filesize
85KB

MD5
9b9df4d97a6bf07d9730f6d2dc11ffa0

SHA1
1fdf57e9d5a06bd7d87e551039cfbf9b1984b558

SHA256
1f3107d12259d8aceb8c714488458e2315407ca10e05b57de9768f83fec5b0a1

SHA512
3bd83549b3e35193caa3d143036ec4985ac6cf3e36a78e0d19ec0de02d57950a8cecdff1fa05fde8a537fd9d0108cb8fa77b5a5034de5d6239c67544b7eaed2f

Download Submit
\Windows\SysWOW64\Mqklqhpg.exe

Filesize
85KB

MD5
6a31cda047cc268cff5af1300a07faf9

SHA1
cda7252826251769c84b51860168a704319d0517

SHA256
c27dab1c638c54ea3e580517e964f1adc0bc3c960c561dca0db916818e835691

SHA512
a7f4d48028cf89138f8eed00471db0e492eef23de42284553deef5da62e66b438da7bea164ca7975199001a378a4cc2b63e040c91e58e6ea5001178697a4598d

Download Submit
\Windows\SysWOW64\Ngealejo.exe

Filesize
85KB

MD5
ef93388ebb968b05c74c0236b6e64f93

SHA1
3c1fe45d9bb783bb6f1aacc27641823c74c0f4fc

SHA256
bebadf88c19ad041f06ded6086f203d26a747de57005231ca4681bb8026e0ac6

SHA512
3d09826acdd81e7566961d8dda1d625eb144bd3abb49f2ed81e25cef8dac4126e4316eb634dcd5849ce2869134bb673db181e1d77609e8ab2c533454079cf98e

Download Submit
\Windows\SysWOW64\Nlnpgd32.exe

Filesize
85KB

MD5
6af84598a6bee65b5b8e1c0c6a4df8a0

SHA1
daf1b46641c8f43ef03f9a98c4ce4d9b0abc09a5

SHA256
9b9b552d2b30f182139487d9ea80c6223df30863c26e112dd73ed80ec332a49e

SHA512
59271feded911c73ac48062e830be2b1cab124c9b8b44bc1faef0ea9674f8cbe9904d4fa3c2149422db42a65e6a7e5e414e0eafb60bab1292a99e52505092f6e

Download Submit
\Windows\SysWOW64\Phlclgfc.exe

Filesize
85KB

MD5
3ae11ac1854656fbe1b75a1541e3f0af

SHA1
99090d4a54ba683603bf500c8e5ef709be447452

SHA256
9ca247a1c02bf75032de25cb9fdf4bd08b5c434333c8b5711cb101b153ba626e

SHA512
0b7a68cefb25cebdd581006fcedfcb4d97559e5323b2c2dafbe0258444a5ebc4cd0c1c50cfa9f811f8e55e5a51501f13e373db6b818373e3e9a8f680e57b2925

Download Submit
\Windows\SysWOW64\Pmkhjncg.exe

Filesize
85KB

MD5
c061e08c3c7b0807370fc1f0b83bbf1f

SHA1
1315b92c0a06a3ce1381e2578bc58c67773780a0

SHA256
0e9bf9bdfb002ee07c92fe17161f6050d35f73aaee5feae1224e15c789dc742d

SHA512
619e237c68b58b15ed8d0ffdaf5bb54778cbaa58cf05e45d2f8e150881e656723edb4b291e03050d15450ee8c386e778fd9baaf3eb017b01e691bfe9f7d3255d

Download Submit
\Windows\SysWOW64\Qlgkki32.exe

Filesize
85KB

MD5
0a0b10410892a602b213e903808252e9

SHA1
34520fbe0dbf2bb2a80ed704af36da86ac0694e6

SHA256
53256699bdd398fd9cc0fff503bcc67d747e201e96d1471180cb3f602a125f83

SHA512
b2d44371dd4061ba39850c2eaa86e88d8fd3621c8cef2364f527565eaec639e0ed85deb04cddd00f394c3a559da9a284eecd03191e523112a90e8792e2693fa1

Download Submit
memory/380-171-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/380-101-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/380-170-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/616-306-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/616-246-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1148-221-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1148-281-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1200-121-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1200-205-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1200-191-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1200-131-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1200-128-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1260-307-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1260-323-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1288-318-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1288-271-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1288-277-0x0000000001F70000-0x0000000001FB1000-memory.dmp

Filesize
260KB

Download
memory/1296-236-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1296-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1436-313-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1436-324-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1580-269-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1580-312-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1580-256-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1580-316-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1580-317-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1580-268-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1740-172-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1740-162-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1740-234-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1972-154-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1972-233-0x0000000000280000-0x00000000002C1000-memory.dmp

Filesize
260KB

Download
memory/1972-161-0x0000000000280000-0x00000000002C1000-memory.dmp

Filesize
260KB

Download
memory/2068-153-0x0000000001F90000-0x0000000001FD1000-memory.dmp

Filesize
260KB

Download
memory/2068-219-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2068-132-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2148-270-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2148-217-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2148-218-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2152-266-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2152-267-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2152-192-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2296-320-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2296-319-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2296-290-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2296-291-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2464-91-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/2464-17-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/2464-12-0x00000000002E0000-0x0000000000321000-memory.dmp

Filesize
260KB

Download
memory/2464-85-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2464-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2492-293-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2492-322-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2492-321-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2548-90-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2548-96-0x0000000000280000-0x00000000002C1000-memory.dmp

Filesize
260KB

Download
memory/2548-155-0x0000000000280000-0x00000000002C1000-memory.dmp

Filesize
260KB

Download
memory/2588-178-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2588-265-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2588-255-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2668-133-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2668-69-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2676-55-0x0000000000270000-0x00000000002B1000-memory.dmp

Filesize
260KB

Download
memory/2676-48-0x0000000000270000-0x00000000002B1000-memory.dmp

Filesize
260KB

Download
memory/2676-41-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2676-127-0x0000000000270000-0x00000000002B1000-memory.dmp

Filesize
260KB

Download
memory/2676-113-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2692-61-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2692-130-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2944-39-0x00000000002F0000-0x0000000000331000-memory.dmp

Filesize
260KB

Download
memory/2944-27-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2944-100-0x00000000002F0000-0x0000000000331000-memory.dmp

Filesize
260KB

Download
memory/2944-98-0x00000000002F0000-0x0000000000331000-memory.dmp

Filesize
260KB

Download
memory/2944-97-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3052-19-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads