860822744ad5be5f53628c6a64dcdecf4cb6537118c6ad629c05c9646cf59ecb

Analysis

max time kernel
115s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
17/08/2024, 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b871277cf1b6e63678c8aeaf92d4170N.exe
Size

264KB
MD5

4b871277cf1b6e63678c8aeaf92d4170
SHA1

7ac4bfc249d2c5d4ba18575eb7d67f0db80ce64e
SHA256

860822744ad5be5f53628c6a64dcdecf4cb6537118c6ad629c05c9646cf59ecb
SHA512

9ba6289ba6a2bc4aa76d2172ca66f071c4bcf62b0c67f741c3f8f5a7191ec30109a8dae8992ca72956ca76abc251eccea2173ad1d4b2578d35d33065cec25928
SSDEEP

3072:T4hauSvOt24ho1mtye3lFDrFDHZtO8jJkiUi8ChpBhx5Zd424ho1mtye3lFDrFDs:fOCsFj5tPNki9HZd1sFj5tw

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajdego32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejiehfi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kjnanhhc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Malpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfljmmjl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nlmffa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlmffa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Plcied32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4b871277cf1b6e63678c8aeaf92d4170N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lomglo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Magfjebk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pofomolo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mmemoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oaqeogll.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okkfmmqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndjhpcoe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oaqeogll.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okkfmmqj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Penjdien.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qckalamk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kjnanhhc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Magfjebk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mmemoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aioodg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajdego32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kqemeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocihgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qckalamk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agdlfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	4b871277cf1b6e63678c8aeaf92d4170N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lcffgnnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Malpee32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocihgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Plcied32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pofomolo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amhopfof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aioodg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kqemeb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lcffgnnc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndjhpcoe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agdlfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bejiehfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amhopfof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lomglo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Penjdien.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfljmmjl.exe

Executes dropped EXE 23 IoCs

pid	Process
2984	Kqemeb32.exe
2948	Kjnanhhc.exe
2976	Lcffgnnc.exe
2724	Lomglo32.exe
2008	Magfjebk.exe
2680	Malpee32.exe
3064	Mmemoe32.exe
1732	Nlmffa32.exe
2020	Ndjhpcoe.exe
1036	Oaqeogll.exe
3008	Okkfmmqj.exe
1680	Ocihgo32.exe
1044	Plcied32.exe
2208	Penjdien.exe
2212	Pofomolo.exe
884	Qckalamk.exe
2372	Qfljmmjl.exe
1816	Amhopfof.exe
1420	Aioodg32.exe
2120	Agdlfd32.exe
1100	Ajdego32.exe
2344	Bejiehfi.exe
1548	Bmenijcd.exe

Loads dropped DLL 50 IoCs

pid	Process
2780	4b871277cf1b6e63678c8aeaf92d4170N.exe
2780	4b871277cf1b6e63678c8aeaf92d4170N.exe
2984	Kqemeb32.exe
2984	Kqemeb32.exe
2948	Kjnanhhc.exe
2948	Kjnanhhc.exe
2976	Lcffgnnc.exe
2976	Lcffgnnc.exe
2724	Lomglo32.exe
2724	Lomglo32.exe
2008	Magfjebk.exe
2008	Magfjebk.exe
2680	Malpee32.exe
2680	Malpee32.exe
3064	Mmemoe32.exe
3064	Mmemoe32.exe
1732	Nlmffa32.exe
1732	Nlmffa32.exe
2020	Ndjhpcoe.exe
2020	Ndjhpcoe.exe
1036	Oaqeogll.exe
1036	Oaqeogll.exe
3008	Okkfmmqj.exe
3008	Okkfmmqj.exe
1680	Ocihgo32.exe
1680	Ocihgo32.exe
1044	Plcied32.exe
1044	Plcied32.exe
2208	Penjdien.exe
2208	Penjdien.exe
2212	Pofomolo.exe
2212	Pofomolo.exe
884	Qckalamk.exe
884	Qckalamk.exe
2372	Qfljmmjl.exe
2372	Qfljmmjl.exe
1816	Amhopfof.exe
1816	Amhopfof.exe
1420	Aioodg32.exe
1420	Aioodg32.exe
2120	Agdlfd32.exe
2120	Agdlfd32.exe
1100	Ajdego32.exe
1100	Ajdego32.exe
2344	Bejiehfi.exe
2344	Bejiehfi.exe
2640	WerFault.exe
2640	WerFault.exe
2640	WerFault.exe
2640	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bjhjon32.dll	Lomglo32.exe
File created	C:\Windows\SysWOW64\Jnlnid32.dll	Kqemeb32.exe
File created	C:\Windows\SysWOW64\Jhenggfi.dll	Magfjebk.exe
File created	C:\Windows\SysWOW64\Nlmffa32.exe	Mmemoe32.exe
File created	C:\Windows\SysWOW64\Okkfmmqj.exe	Oaqeogll.exe
File created	C:\Windows\SysWOW64\Pofomolo.exe	Penjdien.exe
File created	C:\Windows\SysWOW64\Ddgoncih.dll	Pofomolo.exe
File created	C:\Windows\SysWOW64\Ocihgo32.exe	Okkfmmqj.exe
File created	C:\Windows\SysWOW64\Bmenijcd.exe	Bejiehfi.exe
File opened for modification	C:\Windows\SysWOW64\Kjnanhhc.exe	Kqemeb32.exe
File created	C:\Windows\SysWOW64\Magfjebk.exe	Lomglo32.exe
File opened for modification	C:\Windows\SysWOW64\Amhopfof.exe	Qfljmmjl.exe
File created	C:\Windows\SysWOW64\Mikelp32.dll	Qfljmmjl.exe
File created	C:\Windows\SysWOW64\Aioodg32.exe	Amhopfof.exe
File opened for modification	C:\Windows\SysWOW64\Kqemeb32.exe	4b871277cf1b6e63678c8aeaf92d4170N.exe
File opened for modification	C:\Windows\SysWOW64\Lomglo32.exe	Lcffgnnc.exe
File created	C:\Windows\SysWOW64\Malpee32.exe	Magfjebk.exe
File opened for modification	C:\Windows\SysWOW64\Oaqeogll.exe	Ndjhpcoe.exe
File opened for modification	C:\Windows\SysWOW64\Ocihgo32.exe	Okkfmmqj.exe
File created	C:\Windows\SysWOW64\Iifedg32.dll	Okkfmmqj.exe
File created	C:\Windows\SysWOW64\Eecpggap.dll	Plcied32.exe
File created	C:\Windows\SysWOW64\Agdlfd32.exe	Aioodg32.exe
File created	C:\Windows\SysWOW64\Jichkb32.dll	Aioodg32.exe
File opened for modification	C:\Windows\SysWOW64\Bejiehfi.exe	Ajdego32.exe
File created	C:\Windows\SysWOW64\Kqemeb32.exe	4b871277cf1b6e63678c8aeaf92d4170N.exe
File opened for modification	C:\Windows\SysWOW64\Lcffgnnc.exe	Kjnanhhc.exe
File created	C:\Windows\SysWOW64\Mmemoe32.exe	Malpee32.exe
File opened for modification	C:\Windows\SysWOW64\Plcied32.exe	Ocihgo32.exe
File created	C:\Windows\SysWOW64\Egdljhhj.dll	Penjdien.exe
File created	C:\Windows\SysWOW64\Ajdego32.exe	Agdlfd32.exe
File created	C:\Windows\SysWOW64\Lcffgnnc.exe	Kjnanhhc.exe
File opened for modification	C:\Windows\SysWOW64\Okkfmmqj.exe	Oaqeogll.exe
File opened for modification	C:\Windows\SysWOW64\Pofomolo.exe	Penjdien.exe
File opened for modification	C:\Windows\SysWOW64\Qckalamk.exe	Pofomolo.exe
File created	C:\Windows\SysWOW64\Kjnanhhc.exe	Kqemeb32.exe
File opened for modification	C:\Windows\SysWOW64\Nlmffa32.exe	Mmemoe32.exe
File created	C:\Windows\SysWOW64\Plcied32.exe	Ocihgo32.exe
File created	C:\Windows\SysWOW64\Qckalamk.exe	Pofomolo.exe
File created	C:\Windows\SysWOW64\Apfamf32.dll	Amhopfof.exe
File opened for modification	C:\Windows\SysWOW64\Agdlfd32.exe	Aioodg32.exe
File created	C:\Windows\SysWOW64\Ikaainpb.dll	4b871277cf1b6e63678c8aeaf92d4170N.exe
File created	C:\Windows\SysWOW64\Pgmobakj.dll	Agdlfd32.exe
File created	C:\Windows\SysWOW64\Ndjhpcoe.exe	Nlmffa32.exe
File created	C:\Windows\SysWOW64\Gdbcbcgp.dll	Nlmffa32.exe
File created	C:\Windows\SysWOW64\Nggbjggc.dll	Oaqeogll.exe
File created	C:\Windows\SysWOW64\Penjdien.exe	Plcied32.exe
File opened for modification	C:\Windows\SysWOW64\Qfljmmjl.exe	Qckalamk.exe
File created	C:\Windows\SysWOW64\Kcjklqhh.dll	Qckalamk.exe
File created	C:\Windows\SysWOW64\Diflambo.dll	Bejiehfi.exe
File created	C:\Windows\SysWOW64\Bbfijm32.dll	Lcffgnnc.exe
File created	C:\Windows\SysWOW64\Bblkmipo.dll	Malpee32.exe
File created	C:\Windows\SysWOW64\Lomglo32.exe	Lcffgnnc.exe
File opened for modification	C:\Windows\SysWOW64\Aioodg32.exe	Amhopfof.exe
File created	C:\Windows\SysWOW64\Kmggpigb.dll	Kjnanhhc.exe
File opened for modification	C:\Windows\SysWOW64\Magfjebk.exe	Lomglo32.exe
File created	C:\Windows\SysWOW64\Ibjenkae.dll	Ndjhpcoe.exe
File created	C:\Windows\SysWOW64\Qqbhmi32.dll	Ocihgo32.exe
File created	C:\Windows\SysWOW64\Bejiehfi.exe	Ajdego32.exe
File opened for modification	C:\Windows\SysWOW64\Bmenijcd.exe	Bejiehfi.exe
File opened for modification	C:\Windows\SysWOW64\Malpee32.exe	Magfjebk.exe
File created	C:\Windows\SysWOW64\Lbbpgc32.dll	Mmemoe32.exe
File opened for modification	C:\Windows\SysWOW64\Ndjhpcoe.exe	Nlmffa32.exe
File created	C:\Windows\SysWOW64\Oaqeogll.exe	Ndjhpcoe.exe
File opened for modification	C:\Windows\SysWOW64\Penjdien.exe	Plcied32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2640	1548	WerFault.exe	52

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Malpee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndjhpcoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amhopfof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aioodg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agdlfd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kqemeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Magfjebk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oaqeogll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okkfmmqj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Plcied32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajdego32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmenijcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejiehfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4b871277cf1b6e63678c8aeaf92d4170N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kjnanhhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlmffa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pofomolo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qckalamk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfljmmjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lcffgnnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lomglo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mmemoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocihgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Penjdien.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kqemeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhenggfi.dll"	Magfjebk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mmemoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aioodg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qqbhmi32.dll"	Ocihgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eecpggap.dll"	Plcied32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amhopfof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbfijm32.dll"	Lcffgnnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bblkmipo.dll"	Malpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nlmffa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocihgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocihgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddgoncih.dll"	Pofomolo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agdlfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diflambo.dll"	Bejiehfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	4b871277cf1b6e63678c8aeaf92d4170N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kjnanhhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Malpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Okkfmmqj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qckalamk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfljmmjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	4b871277cf1b6e63678c8aeaf92d4170N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nlmffa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Plcied32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pofomolo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qckalamk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	4b871277cf1b6e63678c8aeaf92d4170N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lomglo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Magfjebk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oaqeogll.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kjnanhhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdbcbcgp.dll"	Nlmffa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apfamf32.dll"	Amhopfof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnofaf32.dll"	Ajdego32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kqemeb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	4b871277cf1b6e63678c8aeaf92d4170N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iifedg32.dll"	Okkfmmqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Plcied32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agdlfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Malpee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bejiehfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmggpigb.dll"	Kjnanhhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lcffgnnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amhopfof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bejiehfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjhjon32.dll"	Lomglo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Okkfmmqj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgmobakj.dll"	Agdlfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfljmmjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mikelp32.dll"	Qfljmmjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikaainpb.dll"	4b871277cf1b6e63678c8aeaf92d4170N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lcffgnnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egdljhhj.dll"	Penjdien.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Penjdien.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	4b871277cf1b6e63678c8aeaf92d4170N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lomglo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mmemoe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ndjhpcoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcjklqhh.dll"	Qckalamk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aioodg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajdego32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajdego32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnlnid32.dll"	Kqemeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibjenkae.dll"	Ndjhpcoe.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 2984	2780	4b871277cf1b6e63678c8aeaf92d4170N.exe	30
PID 2780 wrote to memory of 2984	2780	4b871277cf1b6e63678c8aeaf92d4170N.exe	30
PID 2780 wrote to memory of 2984	2780	4b871277cf1b6e63678c8aeaf92d4170N.exe	30
PID 2780 wrote to memory of 2984	2780	4b871277cf1b6e63678c8aeaf92d4170N.exe	30
PID 2984 wrote to memory of 2948	2984	Kqemeb32.exe	31
PID 2984 wrote to memory of 2948	2984	Kqemeb32.exe	31
PID 2984 wrote to memory of 2948	2984	Kqemeb32.exe	31
PID 2984 wrote to memory of 2948	2984	Kqemeb32.exe	31
PID 2948 wrote to memory of 2976	2948	Kjnanhhc.exe	32
PID 2948 wrote to memory of 2976	2948	Kjnanhhc.exe	32
PID 2948 wrote to memory of 2976	2948	Kjnanhhc.exe	32
PID 2948 wrote to memory of 2976	2948	Kjnanhhc.exe	32
PID 2976 wrote to memory of 2724	2976	Lcffgnnc.exe	33
PID 2976 wrote to memory of 2724	2976	Lcffgnnc.exe	33
PID 2976 wrote to memory of 2724	2976	Lcffgnnc.exe	33
PID 2976 wrote to memory of 2724	2976	Lcffgnnc.exe	33
PID 2724 wrote to memory of 2008	2724	Lomglo32.exe	34
PID 2724 wrote to memory of 2008	2724	Lomglo32.exe	34
PID 2724 wrote to memory of 2008	2724	Lomglo32.exe	34
PID 2724 wrote to memory of 2008	2724	Lomglo32.exe	34
PID 2008 wrote to memory of 2680	2008	Magfjebk.exe	35
PID 2008 wrote to memory of 2680	2008	Magfjebk.exe	35
PID 2008 wrote to memory of 2680	2008	Magfjebk.exe	35
PID 2008 wrote to memory of 2680	2008	Magfjebk.exe	35
PID 2680 wrote to memory of 3064	2680	Malpee32.exe	36
PID 2680 wrote to memory of 3064	2680	Malpee32.exe	36
PID 2680 wrote to memory of 3064	2680	Malpee32.exe	36
PID 2680 wrote to memory of 3064	2680	Malpee32.exe	36
PID 3064 wrote to memory of 1732	3064	Mmemoe32.exe	37
PID 3064 wrote to memory of 1732	3064	Mmemoe32.exe	37
PID 3064 wrote to memory of 1732	3064	Mmemoe32.exe	37
PID 3064 wrote to memory of 1732	3064	Mmemoe32.exe	37
PID 1732 wrote to memory of 2020	1732	Nlmffa32.exe	38
PID 1732 wrote to memory of 2020	1732	Nlmffa32.exe	38
PID 1732 wrote to memory of 2020	1732	Nlmffa32.exe	38
PID 1732 wrote to memory of 2020	1732	Nlmffa32.exe	38
PID 2020 wrote to memory of 1036	2020	Ndjhpcoe.exe	39
PID 2020 wrote to memory of 1036	2020	Ndjhpcoe.exe	39
PID 2020 wrote to memory of 1036	2020	Ndjhpcoe.exe	39
PID 2020 wrote to memory of 1036	2020	Ndjhpcoe.exe	39
PID 1036 wrote to memory of 3008	1036	Oaqeogll.exe	40
PID 1036 wrote to memory of 3008	1036	Oaqeogll.exe	40
PID 1036 wrote to memory of 3008	1036	Oaqeogll.exe	40
PID 1036 wrote to memory of 3008	1036	Oaqeogll.exe	40
PID 3008 wrote to memory of 1680	3008	Okkfmmqj.exe	41
PID 3008 wrote to memory of 1680	3008	Okkfmmqj.exe	41
PID 3008 wrote to memory of 1680	3008	Okkfmmqj.exe	41
PID 3008 wrote to memory of 1680	3008	Okkfmmqj.exe	41
PID 1680 wrote to memory of 1044	1680	Ocihgo32.exe	42
PID 1680 wrote to memory of 1044	1680	Ocihgo32.exe	42
PID 1680 wrote to memory of 1044	1680	Ocihgo32.exe	42
PID 1680 wrote to memory of 1044	1680	Ocihgo32.exe	42
PID 1044 wrote to memory of 2208	1044	Plcied32.exe	43
PID 1044 wrote to memory of 2208	1044	Plcied32.exe	43
PID 1044 wrote to memory of 2208	1044	Plcied32.exe	43
PID 1044 wrote to memory of 2208	1044	Plcied32.exe	43
PID 2208 wrote to memory of 2212	2208	Penjdien.exe	44
PID 2208 wrote to memory of 2212	2208	Penjdien.exe	44
PID 2208 wrote to memory of 2212	2208	Penjdien.exe	44
PID 2208 wrote to memory of 2212	2208	Penjdien.exe	44
PID 2212 wrote to memory of 884	2212	Pofomolo.exe	45
PID 2212 wrote to memory of 884	2212	Pofomolo.exe	45
PID 2212 wrote to memory of 884	2212	Pofomolo.exe	45
PID 2212 wrote to memory of 884	2212	Pofomolo.exe	45

C:\Users\Admin\AppData\Local\Temp\4b871277cf1b6e63678c8aeaf92d4170N.exe
"C:\Users\Admin\AppData\Local\Temp\4b871277cf1b6e63678c8aeaf92d4170N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\SysWOW64\Kqemeb32.exe
  C:\Windows\system32\Kqemeb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\SysWOW64\Kjnanhhc.exe
    C:\Windows\system32\Kjnanhhc.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Windows\SysWOW64\Lcffgnnc.exe
      C:\Windows\system32\Lcffgnnc.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2976
    - - C:\Windows\SysWOW64\Lomglo32.exe
        
        C:\Windows\system32\Lomglo32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2724
      - C:\Windows\SysWOW64\Magfjebk.exe
        
        C:\Windows\system32\Magfjebk.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Malpee32.exe
        
        C:\Windows\system32\Malpee32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\SysWOW64\Mmemoe32.exe
        
        C:\Windows\system32\Mmemoe32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\SysWOW64\Nlmffa32.exe
        
        C:\Windows\system32\Nlmffa32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1732
        
        C:\Windows\SysWOW64\Ndjhpcoe.exe
        
        C:\Windows\system32\Ndjhpcoe.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\SysWOW64\Oaqeogll.exe
        
        C:\Windows\system32\Oaqeogll.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\Okkfmmqj.exe
        
        C:\Windows\system32\Okkfmmqj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Ocihgo32.exe
        
        C:\Windows\system32\Ocihgo32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\Plcied32.exe
        
        C:\Windows\system32\Plcied32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\SysWOW64\Penjdien.exe
        
        C:\Windows\system32\Penjdien.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\Pofomolo.exe
        
        C:\Windows\system32\Pofomolo.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\SysWOW64\Qckalamk.exe
        
        C:\Windows\system32\Qckalamk.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:884
        
        C:\Windows\SysWOW64\Qfljmmjl.exe
        
        C:\Windows\system32\Qfljmmjl.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Amhopfof.exe
        
        C:\Windows\system32\Amhopfof.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1816
        
        C:\Windows\SysWOW64\Aioodg32.exe
        
        C:\Windows\system32\Aioodg32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1420
        
        C:\Windows\SysWOW64\Agdlfd32.exe
        
        C:\Windows\system32\Agdlfd32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Ajdego32.exe
        
        C:\Windows\system32\Ajdego32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1100
        
        C:\Windows\SysWOW64\Bejiehfi.exe
        
        C:\Windows\system32\Bejiehfi.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Bmenijcd.exe
        
        C:\Windows\system32\Bmenijcd.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1548
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 140
        25⤵
        Loads dropped DLL
        Program crash
        
        PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Agdlfd32.exe

Filesize
264KB

MD5
d71e8fffd061e35e0bf250ac048f18a5

SHA1
e266fdabd4f63f2b538462ff5c3c992189c7e595

SHA256
487b6deacbd8151c7568d5c4463b1cf0b713f3dcc1f022a89eb63bcae40fee33

SHA512
496a87f64c639144f9489f150faeb560225ff7eff1b78d67631b657ca277ffe072f3871cd7326920d3dd30a4b37f0078a4e777af196a8a2a744878f5b8410065

Download Submit
C:\Windows\SysWOW64\Aioodg32.exe

Filesize
264KB

MD5
62cf070147ed720e5590bc05ebd7ac07

SHA1
52d78a44d1c5e1711591dfdbf21d8b03d0879330

SHA256
32dd78ff79bf943e77d4c41f7e5cd99861c0c87636947990d713cc4257bfaa84

SHA512
88a6a9bffd97eae86a94ab1fa31a09e3fb2b0ba77e00b8b9c80e831530264ae12625d5281aa83fd820a5c1a14c5989c9a7156a64cf553e94b148661d6c6f94f8

Download Submit
C:\Windows\SysWOW64\Ajdego32.exe

Filesize
264KB

MD5
6f4276e4ba7c78f57a58d6a05f1fa989

SHA1
f6fcbc3113c5c5646a353328240691c8395df6bd

SHA256
597c5b7b131ccde945937eb256fc53a14af0cf3c3a62e6f3a75bc7e8158cef7a

SHA512
f02e052d6830a72c840c05ee82f7127748d67dbd154722bdac893e790561976a39cb37da68ffe2d199e35a3d38a990657afe8b6c24bb0c1d13de49eb73cba067

Download Submit
C:\Windows\SysWOW64\Amhopfof.exe

Filesize
264KB

MD5
035d1e8f6222fa81c2e1ac9bfcfaff1f

SHA1
2f324883c81f746614455157d9e02458359a7d31

SHA256
8a2a2c59fa16175461b1715459679ecfe7d8c71448b245431376c44acdb699d2

SHA512
401294d4276f06c387af45e9f0a02e6c290f5cfaa96fd513824331eaffe8f57f9b13d7dbbe86d24c89dc35819f05fb4b2bd9b420715f73c530f0b4b474c646f7

Download Submit
C:\Windows\SysWOW64\Bejiehfi.exe

Filesize
264KB

MD5
0dad1b8410f18c597b36a1b4abe08f87

SHA1
9de84fe83ca6471f822bcbf37efaa0e4342c00f2

SHA256
b1cec48a03ff4ec89c1971bb387e1a9277a4c61331bd3abad9568ab9a1084334

SHA512
f58d30b8f6280e910dedeb7872906efa7ea30389942c639469c8aba3893481b62924cb7bfb3c2fbdf61b4fc6a05dfd0c58796b2c6c636478fb5bf84c4868ee75

Download Submit
C:\Windows\SysWOW64\Bmenijcd.exe

Filesize
264KB

MD5
a9f16bf327651f2229e7f36f791a9aa7

SHA1
b3078d879008a4ecea1cee12c6f6d72b9dd83d2e

SHA256
3ae20990a9740e6cad5aeff2a176c212d2832dd9afe853a829a65cfd41f3e44f

SHA512
e610dd2828acae5e516ac51255f0332ee27e1ca173c1f8ca760e407b8c13189bc35cf76d408c8275c743c079f697e624181fb80c1ef7b4945794bbcec06d4368

Download Submit
C:\Windows\SysWOW64\Oaqeogll.exe

Filesize
264KB

MD5
93e11221e68aa2e21f8d677e3efeec6c

SHA1
4d3492b90434c81796626b025dee3769cf335b22

SHA256
ca1d6342b3c1af3abffc3cc31ce91922dfc5ff08fbb69f128b5b44fa09615dbf

SHA512
6a8cfeada7396a67ddaa3df1969223f1ebdd17dbe5dc4418e84ec7b66b76bc50e3b59d1502fa8d16d613f69f7bd4f39658f24ecff4696d8e38419f3c3897dbfd

Download Submit
C:\Windows\SysWOW64\Qfljmmjl.exe

Filesize
264KB

MD5
1b90dd22e781917307680b6a5926c1f9

SHA1
de1cdc100a27063d47f6326a3e5329b2ca63f164

SHA256
dce4d5ea2ed0298e495f10b66487b24b1fa0dd72f764dbb291c224cbec68aa53

SHA512
7ffc76ddae0d08eb7125b2283c3a17c6364ed653ff2fc1d480099fddc92dcd616222546d7e10252eb36ec8864216bdf8aad69a7c0a8adcaac12dbfc0b9ce1b68

Download Submit
\Windows\SysWOW64\Kjnanhhc.exe

Filesize
264KB

MD5
7cd26b8efd26f89f30d2573a18e02ad4

SHA1
76606ed8dcf7e85c54595dc34b207a7621861aaa

SHA256
fbdf24425502af08a7bd3559b0ab9aebe73e43fe873eba7e462f7a84fc5b87eb

SHA512
b4b93656b2b3f8e922425f5dd9a538b508b2389b86cc3b6d3ef58b0f9ecf34ca6abfef569ce050d85dab7dc715deb0431dc99fcc3752460bc34f7e5cdd420626

Download Submit
\Windows\SysWOW64\Kqemeb32.exe

Filesize
264KB

MD5
a5aee595669e8d620d9a416c75222be1

SHA1
556db717910f451a68d5872e59fe788e5d8e0b32

SHA256
848ae1f23635da99041057f7a6340f83c5dcafe108cb3fd8423a6c8b5bf1c745

SHA512
38cb26767352be4753e772b8fc7fad4aea9ff42d75c19508919585dd0ebbaaa0cf60859aeb4f13f56189badff3eb3f2b85ae8b80818a3a60f5fdfa2a185a3505

Download Submit
\Windows\SysWOW64\Lcffgnnc.exe

Filesize
264KB

MD5
65f1d5826f3a437e0b8dae5692b4db94

SHA1
fc01c4a7eb17b5a58e63be977399f2fcb9a91fce

SHA256
7132b1a0d55189802214da084dda01634f81ebfc355e1dbb1f63941c02a18de8

SHA512
674fa55a54e90891ac78cd96cb9a5dfa79e7bbe6967495df0595c591d1d71314e9e7023467c645f7e3cee2159323d17e94b8dff515c4d3383843587fd827035a

Download Submit
\Windows\SysWOW64\Lomglo32.exe

Filesize
264KB

MD5
e19f765a719bb72be3d22080be01289a

SHA1
d1cf66ab64af2cfc55bdeb9e6305c9dbde2b4160

SHA256
f016e1c527314a3b2d9d43d2cde874e0ec5f5bee252d05df76a504deb947c424

SHA512
a3feb793bd0f6098915ddc565d2e2dae489fe9659b4cce1b54baaebf692f41ad4af730abaad0c5c7b591b325643587e625407e9ef48934a57734354408f9abc6

Download Submit
\Windows\SysWOW64\Magfjebk.exe

Filesize
264KB

MD5
111e60da2c38e0746ee036d5ea1e1e37

SHA1
1aa8510cbfe4382181be2172c18e943f875e8be9

SHA256
d81125fcd24994b64207df2e0b968976db23807381d0ac3c6f49c423dfcda5ec

SHA512
cf73acc55d8a5e6a9b6eec8485e3e6cfb566d21c6d0f1fe8d012c29ef61657f4d28d27d02996b375c85795d27658808496aaca09cf33d48710bf361d3444fdef

Download Submit
\Windows\SysWOW64\Malpee32.exe

Filesize
264KB

MD5
4ddadc5bfe4e958851feee4710ad15b1

SHA1
64331b397bf99751bb7c46e935c478ade1407e6e

SHA256
ddeb2cc89b5ac145ee545511340311f567417166a7f20bde43e789afc56ac38b

SHA512
88394ba83ad6e7fac53a6d22e9a388e7b82b2a9fb256b44522075b220345059a64bf76589a9d4f8fe82806e23da76a569bdb879fb39fa52c8c1d518ea751c539

Download Submit
\Windows\SysWOW64\Mmemoe32.exe

Filesize
264KB

MD5
12d27215f766387bc3551f6cc21ec0db

SHA1
a2a25c130ffebee983e3bf7055558eeaed203266

SHA256
549c7fada37b26f6ae788a1dd9cb9f88c045f1f47cd9ea969a3d5609ed70aef6

SHA512
ee9f862fe9439a1e900b7c543eb0bf54217902cbf45e5114ffc7abd81b23c420f87b022f16293dea9990d2b4a9a3940353d6a52c80cde86ecf6708e92ed0351c

Download Submit
\Windows\SysWOW64\Ndjhpcoe.exe

Filesize
264KB

MD5
088ed21d3676df2280c875be6b4f194f

SHA1
5fc26b405726311d99fc6078d37fa9da84e04de2

SHA256
30c8b2f0b1979e1984589d1257fe0bec2c16f6f0765914dd55f62b48ee03afb7

SHA512
533527f87698799891ac8892af44cc252f3c81ff113952dd1b8143e70462d86be940103c480acd713a9174cd624c2efcd96d0798d8a4836e3413d0fdf6ef8153

Download Submit
\Windows\SysWOW64\Nlmffa32.exe

Filesize
264KB

MD5
e2835b96101728536ae06aa032c4a7d7

SHA1
c5703d3afe130abb0b9c8d21511d8173b8491785

SHA256
30198e7b5321e5194385d34bf52884c215e2b4ac005b1cfe8b320327e14a5bdf

SHA512
49ab9f3702f53f35d5f8d0423fc3ca22d7440c720f4aa6db1b0adaeb7c916361d5c46f60333464abdf43c9f0a0b5223f827245cef71f8eb0c8a2f51ce964ad0b

Download Submit
\Windows\SysWOW64\Ocihgo32.exe

Filesize
264KB

MD5
c52ec8aa559a67d091a68a1b4120e305

SHA1
a4424d3348832bd8f0e1c6afb090fbd542938020

SHA256
79dc9948dd02ea0efc8bb6eae56842666ee75bfea9f5defc15aa98993190823c

SHA512
c953c33718950689dd8d5ebf9a067afaee6d8548729cd88d4a7f0437486375d307efb941a89e99d781f00b5280accf676eb1ea85d56d740e6a53884473f2f44d

Download Submit
\Windows\SysWOW64\Okkfmmqj.exe

Filesize
264KB

MD5
e89e8c157ce1d85d27c5d5ce1eb2086b

SHA1
c5548e4b0d726a7f7cfd1150503bf86255998282

SHA256
8ef80377a27bcd44b9fe2672f85082f847856197014cdbfbdef7d34ce2f20a43

SHA512
a62a617bfb1551c6cd857b58626820104f54da9f1b0f8da0486e5237489e4dd89bcd221eaf4a4fb1336bcb6ec26de3b9997e753369e5d681464fef35fb971f8f

Download Submit
\Windows\SysWOW64\Penjdien.exe

Filesize
264KB

MD5
aee2cffa1dfceb3616e8621ab896b730

SHA1
8cefd20d1524178d09210c74e8722b7aec49a079

SHA256
b49e92988564560a062799b68a8a5b0a270d4abdca40f399e304f0b6e1c72c5b

SHA512
01d9e6162f716b335db19e22dd05790fe8aae1ec060807ff3ab98d18a89300e620b985f9e919bfa360303233716252d8cc9cfe821940d74484f8fae41acab92b

Download Submit
\Windows\SysWOW64\Plcied32.exe

Filesize
264KB

MD5
df08ff02b28ea1c1a1b1c24e2324d528

SHA1
9cf081f5111415076a13291c791dc8e2e1d2deb6

SHA256
2b1b5068bd8e8101e0394409d7d9a52354f853a0594b409ea02165a5d1d0f7ff

SHA512
f000eea99363fce5441e0dc26b81ce57793a6e0db55dd3ba59c42c341bd06b3ccd220fd2f7c52cf103aaef5f6d9e15d7a3b651ca3f86abf14dd683a0c97d56ee

Download Submit
\Windows\SysWOW64\Pofomolo.exe

Filesize
264KB

MD5
6f07cf756512f3b60740505ba6df37c2

SHA1
5fd7c5e437053a71a8530b537e28a6bb2a8aff1f

SHA256
ee989ab3cb146993bc8ef84b0e5f40e72baf4094dc2b314313851f35aaefa61b

SHA512
897fbbf4eeed1a672579e5cd6b81bd534ae41dcb8f25f5f5cb87dc830966bca29b85f97c56306050b26fcc20e3cf2ba258c04f9871ff664f3b40d6a46f82e5e1

Download Submit
\Windows\SysWOW64\Qckalamk.exe

Filesize
264KB

MD5
f4d8ba8e3b74c3a836915a1d9fba5b97

SHA1
87fccdf15a9491421fd2a64315fbae6a997057a4

SHA256
54a9c726a44df097bfa3cef35c1d72ef470fbe1955c3a6e61b2a1531221236c2

SHA512
0a4cea72ac1c65e699c183c9a6fe241865c18a9d3cafb98861a02441b68c5810c7513adc4035d6482c0cdaba8dfea97238bdb0cbf37dafccee6d76948088e4db

Download Submit
memory/884-228-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/884-302-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1036-147-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1036-296-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1044-189-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1044-299-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1100-307-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1100-272-0x00000000001B0000-0x00000000001DF000-memory.dmp

Filesize
188KB

Download
memory/1420-305-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1420-254-0x00000000001B0000-0x00000000001DF000-memory.dmp

Filesize
188KB

Download
memory/1548-285-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1548-309-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1680-177-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1680-298-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1732-124-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1732-294-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1816-245-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/1816-239-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1816-304-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2008-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2008-84-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/2008-291-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2020-126-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2020-134-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2020-295-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2120-263-0x00000000003D0000-0x00000000003FF000-memory.dmp

Filesize
188KB

Download
memory/2120-306-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2208-192-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2208-300-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2212-301-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2212-213-0x00000000001B0000-0x00000000001DF000-memory.dmp

Filesize
188KB

Download
memory/2212-205-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2344-308-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2344-284-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2372-235-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2372-229-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2372-303-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2680-97-0x00000000003B0000-0x00000000003DF000-memory.dmp

Filesize
188KB

Download
memory/2680-85-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2680-292-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2724-349-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2724-290-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2724-341-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2724-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2724-69-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2724-68-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2780-11-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2780-12-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2780-310-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2780-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2780-286-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2948-33-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2948-46-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2948-335-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2976-337-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2976-55-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2976-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2976-336-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/2984-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2984-32-0x00000000001B0000-0x00000000001DF000-memory.dmp

Filesize
188KB

Download
memory/2984-287-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3008-160-0x00000000002B0000-0x00000000002DF000-memory.dmp

Filesize
188KB

Download
memory/3008-297-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3064-99-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3064-107-0x0000000000220000-0x000000000024F000-memory.dmp

Filesize
188KB

Download
memory/3064-293-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads