a03f10bc5a7a1c4260a1be8e886b4a9e15dc255afd9a0d0f41ff9c252ad155a4

Analysis

max time kernel
32s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
24/08/2024, 07:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea45c1384420b2ff9f7edffb17402640N.exe
Size

366KB
MD5

ea45c1384420b2ff9f7edffb17402640
SHA1

56e2f14f54052a7f3943378f9ab23ad7c0593145
SHA256

a03f10bc5a7a1c4260a1be8e886b4a9e15dc255afd9a0d0f41ff9c252ad155a4
SHA512

f94b3cdbd61ce00798e27d6747f5f4a927156b85e8a6cc391dca6b9fd1fd58dd2fb502f1f685e82570d53629d4673fd5a4a7f2953e08384c4971e5e22b687d4a
SSDEEP

3072:IeSEoKimmmL46K24u+5GURlSjgjxxt8vgHq/Wp+YmKfxg:HSEo72O24u+5LRlUivKvUmKy

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pihgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Blaopqpo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmclhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aniimjbo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amcpie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Biafnecn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ea45c1384420b2ff9f7edffb17402640N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amcpie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnkbam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Baadng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Annbhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkbam32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afkdakjb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmclhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Annbhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aganeoip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjbcfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjbjhgde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qeohnd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjbcfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baadng32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjpnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjpnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pihgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qqeicede.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afkdakjb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qeohnd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pjbjhgde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bbdallnd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhajdblk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqeicede.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aganeoip.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	ea45c1384420b2ff9f7edffb17402640N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aniimjbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhajdblk.exe

Executes dropped EXE 26 IoCs

pid	Process
2912	Pjpnbg32.exe
2896	Pjbjhgde.exe
2708	Pihgic32.exe
2648	Qeohnd32.exe
2984	Qqeicede.exe
868	Aniimjbo.exe
2860	Aganeoip.exe
2156	Achojp32.exe
1560	Annbhi32.exe
1952	Amcpie32.exe
1120	Afkdakjb.exe
1848	Bmhideol.exe
2432	Bbdallnd.exe
2216	Bhajdblk.exe
1488	Bnkbam32.exe
2464	Biafnecn.exe
2224	Bjbcfn32.exe
1780	Behgcf32.exe
2484	Blaopqpo.exe
700	Bmclhi32.exe
2512	Bdmddc32.exe
2368	Bkglameg.exe
2080	Baadng32.exe
1960	Cfnmfn32.exe
1588	Cmgechbh.exe
2824	Cacacg32.exe

Loads dropped DLL 56 IoCs

pid	Process
2720	ea45c1384420b2ff9f7edffb17402640N.exe
2720	ea45c1384420b2ff9f7edffb17402640N.exe
2912	Pjpnbg32.exe
2912	Pjpnbg32.exe
2896	Pjbjhgde.exe
2896	Pjbjhgde.exe
2708	Pihgic32.exe
2708	Pihgic32.exe
2648	Qeohnd32.exe
2648	Qeohnd32.exe
2984	Qqeicede.exe
2984	Qqeicede.exe
868	Aniimjbo.exe
868	Aniimjbo.exe
2860	Aganeoip.exe
2860	Aganeoip.exe
2156	Achojp32.exe
2156	Achojp32.exe
1560	Annbhi32.exe
1560	Annbhi32.exe
1952	Amcpie32.exe
1952	Amcpie32.exe
1120	Afkdakjb.exe
1120	Afkdakjb.exe
1848	Bmhideol.exe
1848	Bmhideol.exe
2432	Bbdallnd.exe
2432	Bbdallnd.exe
2216	Bhajdblk.exe
2216	Bhajdblk.exe
1488	Bnkbam32.exe
1488	Bnkbam32.exe
2464	Biafnecn.exe
2464	Biafnecn.exe
2224	Bjbcfn32.exe
2224	Bjbcfn32.exe
1780	Behgcf32.exe
1780	Behgcf32.exe
2484	Blaopqpo.exe
2484	Blaopqpo.exe
700	Bmclhi32.exe
700	Bmclhi32.exe
2512	Bdmddc32.exe
2512	Bdmddc32.exe
2368	Bkglameg.exe
2368	Bkglameg.exe
2080	Baadng32.exe
2080	Baadng32.exe
1960	Cfnmfn32.exe
1960	Cfnmfn32.exe
1588	Cmgechbh.exe
1588	Cmgechbh.exe
2852	WerFault.exe
2852	WerFault.exe
2852	WerFault.exe
2852	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Pjpnbg32.exe	ea45c1384420b2ff9f7edffb17402640N.exe
File created	C:\Windows\SysWOW64\Gdplpd32.dll	Pjpnbg32.exe
File created	C:\Windows\SysWOW64\Achojp32.exe	Aganeoip.exe
File created	C:\Windows\SysWOW64\Biafnecn.exe	Bnkbam32.exe
File opened for modification	C:\Windows\SysWOW64\Behgcf32.exe	Bjbcfn32.exe
File created	C:\Windows\SysWOW64\Cfgheegc.dll	Behgcf32.exe
File opened for modification	C:\Windows\SysWOW64\Baadng32.exe	Bkglameg.exe
File opened for modification	C:\Windows\SysWOW64\Achojp32.exe	Aganeoip.exe
File created	C:\Windows\SysWOW64\Bnkbam32.exe	Bhajdblk.exe
File created	C:\Windows\SysWOW64\Opacnnhp.dll	Blaopqpo.exe
File created	C:\Windows\SysWOW64\Bdmddc32.exe	Bmclhi32.exe
File created	C:\Windows\SysWOW64\Hepiihgc.dll	Pjbjhgde.exe
File created	C:\Windows\SysWOW64\Qqeicede.exe	Qeohnd32.exe
File created	C:\Windows\SysWOW64\Aniimjbo.exe	Qqeicede.exe
File opened for modification	C:\Windows\SysWOW64\Aniimjbo.exe	Qqeicede.exe
File opened for modification	C:\Windows\SysWOW64\Aganeoip.exe	Aniimjbo.exe
File created	C:\Windows\SysWOW64\Hqlhpf32.dll	Biafnecn.exe
File created	C:\Windows\SysWOW64\Bmclhi32.exe	Blaopqpo.exe
File created	C:\Windows\SysWOW64\Jmogdj32.dll	Qqeicede.exe
File opened for modification	C:\Windows\SysWOW64\Amcpie32.exe	Annbhi32.exe
File created	C:\Windows\SysWOW64\Bhajdblk.exe	Bbdallnd.exe
File created	C:\Windows\SysWOW64\Deokbacp.dll	Bnkbam32.exe
File opened for modification	C:\Windows\SysWOW64\Bmclhi32.exe	Blaopqpo.exe
File opened for modification	C:\Windows\SysWOW64\Pjbjhgde.exe	Pjpnbg32.exe
File opened for modification	C:\Windows\SysWOW64\Qeohnd32.exe	Pihgic32.exe
File opened for modification	C:\Windows\SysWOW64\Bhajdblk.exe	Bbdallnd.exe
File created	C:\Windows\SysWOW64\Baadng32.exe	Bkglameg.exe
File created	C:\Windows\SysWOW64\Aganeoip.exe	Aniimjbo.exe
File created	C:\Windows\SysWOW64\Lmpanl32.dll	Afkdakjb.exe
File created	C:\Windows\SysWOW64\Cifmcd32.dll	Bbdallnd.exe
File created	C:\Windows\SysWOW64\Bjbcfn32.exe	Biafnecn.exe
File created	C:\Windows\SysWOW64\Dhnook32.dll	Bjbcfn32.exe
File created	C:\Windows\SysWOW64\Jbdipkfe.dll	Achojp32.exe
File created	C:\Windows\SysWOW64\Oilpcd32.dll	Annbhi32.exe
File created	C:\Windows\SysWOW64\Bbdallnd.exe	Bmhideol.exe
File opened for modification	C:\Windows\SysWOW64\Bdmddc32.exe	Bmclhi32.exe
File created	C:\Windows\SysWOW64\Pjbjhgde.exe	Pjpnbg32.exe
File created	C:\Windows\SysWOW64\Hbcicn32.dll	Aniimjbo.exe
File created	C:\Windows\SysWOW64\Blaopqpo.exe	Behgcf32.exe
File opened for modification	C:\Windows\SysWOW64\Qqeicede.exe	Qeohnd32.exe
File created	C:\Windows\SysWOW64\Imjcfnhk.dll	Qeohnd32.exe
File created	C:\Windows\SysWOW64\Pihgic32.exe	Pjbjhgde.exe
File created	C:\Windows\SysWOW64\Qeohnd32.exe	Pihgic32.exe
File created	C:\Windows\SysWOW64\Cacacg32.exe	Cmgechbh.exe
File opened for modification	C:\Windows\SysWOW64\Pihgic32.exe	Pjbjhgde.exe
File created	C:\Windows\SysWOW64\Annbhi32.exe	Achojp32.exe
File opened for modification	C:\Windows\SysWOW64\Annbhi32.exe	Achojp32.exe
File created	C:\Windows\SysWOW64\Bmhideol.exe	Afkdakjb.exe
File created	C:\Windows\SysWOW64\Momeefin.dll	Bmhideol.exe
File opened for modification	C:\Windows\SysWOW64\Bjbcfn32.exe	Biafnecn.exe
File opened for modification	C:\Windows\SysWOW64\Bkglameg.exe	Bdmddc32.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Cmgechbh.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Cmgechbh.exe
File created	C:\Windows\SysWOW64\Nodmbemj.dll	Bhajdblk.exe
File created	C:\Windows\SysWOW64\Behgcf32.exe	Bjbcfn32.exe
File created	C:\Windows\SysWOW64\Mdqfkmom.dll	Bdmddc32.exe
File created	C:\Windows\SysWOW64\Ljacemio.dll	Bkglameg.exe
File created	C:\Windows\SysWOW64\Cmgechbh.exe	Cfnmfn32.exe
File created	C:\Windows\SysWOW64\Aalpaf32.dll	ea45c1384420b2ff9f7edffb17402640N.exe
File opened for modification	C:\Windows\SysWOW64\Bmhideol.exe	Afkdakjb.exe
File created	C:\Windows\SysWOW64\Cjnolikh.dll	Bmclhi32.exe
File created	C:\Windows\SysWOW64\Bkglameg.exe	Bdmddc32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgechbh.exe	Cfnmfn32.exe
File opened for modification	C:\Windows\SysWOW64\Afkdakjb.exe	Amcpie32.exe

Program crash 1 IoCs

pid	pid_target	Process
2852	2824	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmhideol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhajdblk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Behgcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pihgic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aniimjbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afkdakjb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Achojp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amcpie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqeicede.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjbcfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgechbh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmclhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfnmfn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkglameg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qeohnd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkbam32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biafnecn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blaopqpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea45c1384420b2ff9f7edffb17402640N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjpnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aganeoip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjbjhgde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Annbhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbdallnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdmddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baadng32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pjbjhgde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pihgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imjcfnhk.dll"	Qeohnd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Achojp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfnmfn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnkbam32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmclhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	ea45c1384420b2ff9f7edffb17402640N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmhideol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmhideol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bbdallnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qeohnd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aganeoip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Achojp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amcpie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Momeefin.dll"	Bmhideol.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pjpnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hepiihgc.dll"	Pjbjhgde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opacnnhp.dll"	Blaopqpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qeohnd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afkdakjb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbdipkfe.dll"	Achojp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oilpcd32.dll"	Annbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cifmcd32.dll"	Bbdallnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Blaopqpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdqfkmom.dll"	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bkglameg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	ea45c1384420b2ff9f7edffb17402640N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pihgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aganeoip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmlmd32.dll"	Amcpie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhajdblk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljacemio.dll"	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnnffg32.dll"	Cfnmfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mabanhgg.dll"	Baadng32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	ea45c1384420b2ff9f7edffb17402640N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	ea45c1384420b2ff9f7edffb17402640N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnkbam32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Behgcf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afkdakjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nodmbemj.dll"	Bhajdblk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmclhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmgechbh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aalpaf32.dll"	ea45c1384420b2ff9f7edffb17402640N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdplpd32.dll"	Pjpnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eioojl32.dll"	Pihgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmogdj32.dll"	Qqeicede.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	ea45c1384420b2ff9f7edffb17402640N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qqeicede.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qqeicede.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Annbhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjbcfn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Blaopqpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aniimjbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aniimjbo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2720 wrote to memory of 2912	2720	ea45c1384420b2ff9f7edffb17402640N.exe	30
PID 2720 wrote to memory of 2912	2720	ea45c1384420b2ff9f7edffb17402640N.exe	30
PID 2720 wrote to memory of 2912	2720	ea45c1384420b2ff9f7edffb17402640N.exe	30
PID 2720 wrote to memory of 2912	2720	ea45c1384420b2ff9f7edffb17402640N.exe	30
PID 2912 wrote to memory of 2896	2912	Pjpnbg32.exe	31
PID 2912 wrote to memory of 2896	2912	Pjpnbg32.exe	31
PID 2912 wrote to memory of 2896	2912	Pjpnbg32.exe	31
PID 2912 wrote to memory of 2896	2912	Pjpnbg32.exe	31
PID 2896 wrote to memory of 2708	2896	Pjbjhgde.exe	32
PID 2896 wrote to memory of 2708	2896	Pjbjhgde.exe	32
PID 2896 wrote to memory of 2708	2896	Pjbjhgde.exe	32
PID 2896 wrote to memory of 2708	2896	Pjbjhgde.exe	32
PID 2708 wrote to memory of 2648	2708	Pihgic32.exe	33
PID 2708 wrote to memory of 2648	2708	Pihgic32.exe	33
PID 2708 wrote to memory of 2648	2708	Pihgic32.exe	33
PID 2708 wrote to memory of 2648	2708	Pihgic32.exe	33
PID 2648 wrote to memory of 2984	2648	Qeohnd32.exe	34
PID 2648 wrote to memory of 2984	2648	Qeohnd32.exe	34
PID 2648 wrote to memory of 2984	2648	Qeohnd32.exe	34
PID 2648 wrote to memory of 2984	2648	Qeohnd32.exe	34
PID 2984 wrote to memory of 868	2984	Qqeicede.exe	35
PID 2984 wrote to memory of 868	2984	Qqeicede.exe	35
PID 2984 wrote to memory of 868	2984	Qqeicede.exe	35
PID 2984 wrote to memory of 868	2984	Qqeicede.exe	35
PID 868 wrote to memory of 2860	868	Aniimjbo.exe	36
PID 868 wrote to memory of 2860	868	Aniimjbo.exe	36
PID 868 wrote to memory of 2860	868	Aniimjbo.exe	36
PID 868 wrote to memory of 2860	868	Aniimjbo.exe	36
PID 2860 wrote to memory of 2156	2860	Aganeoip.exe	37
PID 2860 wrote to memory of 2156	2860	Aganeoip.exe	37
PID 2860 wrote to memory of 2156	2860	Aganeoip.exe	37
PID 2860 wrote to memory of 2156	2860	Aganeoip.exe	37
PID 2156 wrote to memory of 1560	2156	Achojp32.exe	38
PID 2156 wrote to memory of 1560	2156	Achojp32.exe	38
PID 2156 wrote to memory of 1560	2156	Achojp32.exe	38
PID 2156 wrote to memory of 1560	2156	Achojp32.exe	38
PID 1560 wrote to memory of 1952	1560	Annbhi32.exe	39
PID 1560 wrote to memory of 1952	1560	Annbhi32.exe	39
PID 1560 wrote to memory of 1952	1560	Annbhi32.exe	39
PID 1560 wrote to memory of 1952	1560	Annbhi32.exe	39
PID 1952 wrote to memory of 1120	1952	Amcpie32.exe	40
PID 1952 wrote to memory of 1120	1952	Amcpie32.exe	40
PID 1952 wrote to memory of 1120	1952	Amcpie32.exe	40
PID 1952 wrote to memory of 1120	1952	Amcpie32.exe	40
PID 1120 wrote to memory of 1848	1120	Afkdakjb.exe	41
PID 1120 wrote to memory of 1848	1120	Afkdakjb.exe	41
PID 1120 wrote to memory of 1848	1120	Afkdakjb.exe	41
PID 1120 wrote to memory of 1848	1120	Afkdakjb.exe	41
PID 1848 wrote to memory of 2432	1848	Bmhideol.exe	42
PID 1848 wrote to memory of 2432	1848	Bmhideol.exe	42
PID 1848 wrote to memory of 2432	1848	Bmhideol.exe	42
PID 1848 wrote to memory of 2432	1848	Bmhideol.exe	42
PID 2432 wrote to memory of 2216	2432	Bbdallnd.exe	43
PID 2432 wrote to memory of 2216	2432	Bbdallnd.exe	43
PID 2432 wrote to memory of 2216	2432	Bbdallnd.exe	43
PID 2432 wrote to memory of 2216	2432	Bbdallnd.exe	43
PID 2216 wrote to memory of 1488	2216	Bhajdblk.exe	44
PID 2216 wrote to memory of 1488	2216	Bhajdblk.exe	44
PID 2216 wrote to memory of 1488	2216	Bhajdblk.exe	44
PID 2216 wrote to memory of 1488	2216	Bhajdblk.exe	44
PID 1488 wrote to memory of 2464	1488	Bnkbam32.exe	45
PID 1488 wrote to memory of 2464	1488	Bnkbam32.exe	45
PID 1488 wrote to memory of 2464	1488	Bnkbam32.exe	45
PID 1488 wrote to memory of 2464	1488	Bnkbam32.exe	45

C:\Users\Admin\AppData\Local\Temp\ea45c1384420b2ff9f7edffb17402640N.exe
"C:\Users\Admin\AppData\Local\Temp\ea45c1384420b2ff9f7edffb17402640N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\SysWOW64\Pjpnbg32.exe
  C:\Windows\system32\Pjpnbg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\SysWOW64\Pjbjhgde.exe
    C:\Windows\system32\Pjbjhgde.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\SysWOW64\Pihgic32.exe
      C:\Windows\system32\Pihgic32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\SysWOW64\Qeohnd32.exe
        
        C:\Windows\system32\Qeohnd32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2648
      - C:\Windows\SysWOW64\Qqeicede.exe
        
        C:\Windows\system32\Qqeicede.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\Aniimjbo.exe
        
        C:\Windows\system32\Aniimjbo.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\SysWOW64\Aganeoip.exe
        
        C:\Windows\system32\Aganeoip.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Achojp32.exe
        
        C:\Windows\system32\Achojp32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\SysWOW64\Annbhi32.exe
        
        C:\Windows\system32\Annbhi32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\SysWOW64\Amcpie32.exe
        
        C:\Windows\system32\Amcpie32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Afkdakjb.exe
        
        C:\Windows\system32\Afkdakjb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\SysWOW64\Bmhideol.exe
        
        C:\Windows\system32\Bmhideol.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\SysWOW64\Bbdallnd.exe
        
        C:\Windows\system32\Bbdallnd.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\Bhajdblk.exe
        
        C:\Windows\system32\Bhajdblk.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Bnkbam32.exe
        
        C:\Windows\system32\Bnkbam32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\SysWOW64\Biafnecn.exe
        
        C:\Windows\system32\Biafnecn.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Bjbcfn32.exe
        
        C:\Windows\system32\Bjbcfn32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Behgcf32.exe
        
        C:\Windows\system32\Behgcf32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Blaopqpo.exe
        
        C:\Windows\system32\Blaopqpo.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Bmclhi32.exe
        
        C:\Windows\system32\Bmclhi32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:700
        
        C:\Windows\SysWOW64\Bdmddc32.exe
        
        C:\Windows\system32\Bdmddc32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2512
        
        C:\Windows\SysWOW64\Bkglameg.exe
        
        C:\Windows\system32\Bkglameg.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Baadng32.exe
        
        C:\Windows\system32\Baadng32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2080
        
        C:\Windows\SysWOW64\Cfnmfn32.exe
        
        C:\Windows\system32\Cfnmfn32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Cmgechbh.exe
        
        C:\Windows\system32\Cmgechbh.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 140
        28⤵
        Loads dropped DLL
        Program crash
        
        PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Afkdakjb.exe

Filesize
366KB

MD5
46defd715b59b166e16650e5d9e588f7

SHA1
e2add788e652a99df15d0539e89a8dba8d32870e

SHA256
0f339b04488e7949933019bbf11eaa65f5efbbc398e4f2dbb28217f967324e40

SHA512
86d001371c5530b44d9a26098442a235d3a110fa01c68d048688b06d7bdfb3372cedd4c538442a578796789eecd4187b30f070fdfccb560ba5123d39915bdf9e

Download Submit
C:\Windows\SysWOW64\Aganeoip.exe

Filesize
366KB

MD5
e1ed57a04d044ffcb6c1a65362ff776b

SHA1
16bdfe321994650637d84a7a675c5fd4e879434e

SHA256
aa8cab0a206e54bd139f3cec134618ba0ad07e12a15108db5bff7b87e3cf85a1

SHA512
2033d885380051b9c278d55c789cd45491e1b6e6dd2f52492164335496106d225dec8f6cc05f07db493e6e39d2570ca8e09212c22f46932092f1fedb39e7718e

Download Submit
C:\Windows\SysWOW64\Baadng32.exe

Filesize
366KB

MD5
db74d42abcec3a4e4552a7bc69557113

SHA1
cbca63c38a7d36feb221a3f46ba5cc15c96ecc2e

SHA256
3b2694b489c7727a4f344540b434c27f8c7738ed37da2dc8689d24e83ba34e86

SHA512
d3e7b2fa6023e528c2b82b3acbcbb17c01e2ab493e90fd8ec7123260c0e2d11292c52a6502a795606dee837dfd0cf0914eda4233f21add8fbdf0c0dc6c79a0d5

Download Submit
C:\Windows\SysWOW64\Bbdallnd.exe

Filesize
366KB

MD5
fe9533d27a1c6442c4236fbef8751d08

SHA1
8a2ec71a5e34bd1be80d12fb21137ff5e9bf5451

SHA256
bdce6cb9868c53d0fac7cd39b37742751b11f31b2efb70d4fddc4ef69263d0b0

SHA512
7a542602187f27498463a98d238d498d9fc979fe6e880e155c25486905e09f9dd68797eb0431be94bbcdb931666541aeab65b1b19724dd3588b024302332f8be

Download Submit
C:\Windows\SysWOW64\Bdmddc32.exe

Filesize
366KB

MD5
f8d0a97a0f14f05a61284592067c22f4

SHA1
62101ac733e0be905f15ba4d89f2da30cea0fb73

SHA256
c1fc0089db12b4770d63f204c6a6b01589f38d2343babbfb7a545e9e021760ca

SHA512
076912d0f85614bd3a20485006cad09355bcfc847da1126d6b4116a8a3cf0b1fcd956dc2d3f792123f625b3953bb8b84fc99c8eca2248654d289621a841160a6

Download Submit
C:\Windows\SysWOW64\Behgcf32.exe

Filesize
366KB

MD5
be8bcbcf2ead79da635597b4c5db046d

SHA1
af5c971584da22b3cd9c0895a5bacf56bcae2c72

SHA256
f72309100046da4f7a2d83d1e99dfedefebc967f36fb572e4a5ddd749b3bd7af

SHA512
3942219fa391519fa3bb39b77d7974a310b0c21a7028bb060235320f9b4a79ae67aa82bed39dab272d0d1d4529a626b6fe3cd2f3b3813ec587cd5aa2b05002df

Download Submit
C:\Windows\SysWOW64\Bhajdblk.exe

Filesize
366KB

MD5
456ab93c572f35fe2a3b725168e248aa

SHA1
95591ef2b39170515e47bc95c9e803ddb3f2958c

SHA256
92e9494e7c68accb5a8c004b60044c33a5fe59bee605aa4e0e65f0ed5ed59cf0

SHA512
5d4ccdb14858cc99449487e449f6d838645aa5eed605293c733f51a34bd1664e7cb6018212797f90eca2183f6a7d131d3f8a78ab27e4ce99f2f637fe7fd050c4

Download Submit
C:\Windows\SysWOW64\Biafnecn.exe

Filesize
366KB

MD5
18488bf5754777f897e471ff61545249

SHA1
dfacd9e2d548bad487ea460d8dc06300c9b84253

SHA256
0b0790a770e450ceed8f50b8691c2c788728e40b142fd8e405774a2b06465d49

SHA512
84eea41b908d0da01ef60e87e4ba39ae89e5bd385e48b94323ac07cad6a9befd875074f0b35e7bf3ba1845d4ce660721e707843270b27fdd25214f18817d0368

Download Submit
C:\Windows\SysWOW64\Bjbcfn32.exe

Filesize
366KB

MD5
1ae0ab9257cf2fc777c1b1f2fa498dfb

SHA1
e97d46849a694d4bfa9ea8bfc3bce3e90d5265cd

SHA256
c2bc8cea4ad7f66721a7e9e9b472790e05ee90255dd00bcc370922a2c3fecf10

SHA512
f1a63c0f7a0e40977b9a55399b7a8fd926408051875949a546daeb2fa81b7934ece19d5472078e4fc40527bcb45461722f4defec66aba0206ff77bccc1a8ff7e

Download Submit
C:\Windows\SysWOW64\Bkglameg.exe

Filesize
366KB

MD5
67d584e58f9c544161f891f39e5e0d40

SHA1
482c15fa7de49c34d7d759ad9e0a74bdb8a40f62

SHA256
e2867b13fe77fd647f9f4d3c232444f3845de180a979428048f3957ef637eba3

SHA512
8b7237e491dad9fa62f30c2ce7cc0014cba3e1bb768708a8787b95411755a19d9c0b1da53d15eff6a1baa2ff8d7a82711d4efee0d0c82a46469849b710f9187c

Download Submit
C:\Windows\SysWOW64\Blaopqpo.exe

Filesize
366KB

MD5
845b0921cb6895b3a00afac0632326b3

SHA1
666cf0c22a97413c5c8cc6741d01ec24f4005029

SHA256
93b95959779f3f796e12ab66dd6d7dc7a2b8decd429716b085307ff4a0b15a85

SHA512
f9f1ce0255843a939a77538ea152f28a91009b81c5cbd82c54b89f752cbfe9755197563ba96d54549aa54787f867da5aa4cf260c9f4ee8a79e21b103a3f7126f

Download Submit
C:\Windows\SysWOW64\Bmclhi32.exe

Filesize
366KB

MD5
e6fa519254958c719bf1b56afbc01205

SHA1
a9216e082ea8e2a6aaac366e530ed408f17ce733

SHA256
9477f533e15ec037c9bdf5fbf01628b15307f54adac87b9bfe6ef35ef2baf4e1

SHA512
d8d7d1537b0cffd470ca6b4589bfb668a03d78403fd865e2b8d1fd4ed22f49b95c495f7e09d000549e87a94c440c29f73175176a51962d3ed8ba938e4fbc9a4a

Download Submit
C:\Windows\SysWOW64\Bnkbam32.exe

Filesize
366KB

MD5
ecd839da4489b5da50391fef7bf4545c

SHA1
5e59ab5d087a0b2b212a0ce2464d2b25acf36866

SHA256
ff4453d1bcaa395640b1cc688f330e1ca9d4ee68cb252c915b20acaee210371a

SHA512
6bc5c77a5adfd4dcc3e8ed521f787846ed640b32379a1dd622def49a931ac68826144ca06b814338ff8bf76c2a01356076399e495135ed9255c718dd3546aba3

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
366KB

MD5
c140b4a914beab40ba8d985fef184e27

SHA1
521c196b6c074aa4bd2310c29382537bccbf1996

SHA256
28dfdcd49038ede977ecc0506240733cbd95223993f5d0386ddc73ad14aa4f23

SHA512
7ff50912c8e103c85583b6cd91a203764dda538c6daea9aa530ffc9a6b7a7d71053e27584253433bbfad6ecfdc66a661ef5cc5d925f9d1a8af1c992a4921d96f

Download Submit
C:\Windows\SysWOW64\Cfnmfn32.exe

Filesize
366KB

MD5
d40e5927bc9324cfb2694fd427a34af3

SHA1
d54143c4798f518bbd4fa3e124a6a0bc3a37de4b

SHA256
f44c1618d562c14009d02a778dd2ff7d7c2ca19cc6cee2751d779d52c5063b73

SHA512
d8730043eb2187fdb6fc5be8db1ba43b30fd339a58b8defb7b7d08e6f618976a493b73b4d1e2311e70ed15f11a808f8c36df4a6c7b526e93eb5bc33d37aae374

Download Submit
C:\Windows\SysWOW64\Cmgechbh.exe

Filesize
366KB

MD5
78012313ea76c38badc3ad2aea689047

SHA1
567f9865a5225ba78dafda337e89d61b5dea0ba4

SHA256
69491398413389a68be3f9a0ca907445afb4bf167eaef69462e1b9a67a411aac

SHA512
321d0bfb21cdd0c51511f710ecb31bf27c4119f941d4d95ebb9032503954534ae91b816487c8156678ef680e644e432cf672d53e85a8b999dbc41e06fc033735

Download Submit
C:\Windows\SysWOW64\Imjcfnhk.dll

Filesize
7KB

MD5
c1e4fc517106120c12ff1cf61da206d8

SHA1
0752500a10a45191cc95dbdf96b875a70ccc7042

SHA256
b68917df7473b0b85e3ce8a266551d8ca4046943e867ea56aeb4c052ab9f7cbf

SHA512
cabaad4f13083be98c9e0ff364cd941be2535e2eff2ad182131d7625608e87639c2fbeb68dad9cea32c37948de2de19c2e5ae83b3b449c9aec2b52f0ffd39229

Download Submit
C:\Windows\SysWOW64\Pihgic32.exe

Filesize
366KB

MD5
463e76aa0cb03e2f8b0430805d046aa7

SHA1
fa295cd96070429e2dc62638df1a6ad4c34e8049

SHA256
576b5f1263acca847051d82f61964d58ce2299d30ed79e6f9369d94c651ae616

SHA512
01a4cce8f743939f57dc88c43c4e170332963dc28608e1504ade4af288edf23a69a7f5a94c8eabaddece82c9e2350799f5ca725613b4712007f5cbafe7aef08f

Download Submit
\Windows\SysWOW64\Achojp32.exe

Filesize
366KB

MD5
fef270e01848b249e07a0064181023eb

SHA1
0861146d3b6a53ccccce2c0726b3b274caa8abba

SHA256
d405ef09e92a321925bd8011701b0317b3d0c678691ed77dbd2b43809686af7c

SHA512
c8be04e580272f09e230ef6b0dd5a19e772b2275e470b80c538913662aa4d6337afc914ff3163641449af986e8f115754536ca7028830afe402c54305bf117f8

Download Submit
\Windows\SysWOW64\Amcpie32.exe

Filesize
366KB

MD5
6fc8d13d9b91b88e02b70a6e2d3f382b

SHA1
2fe75a68a15b1883fb4b19e9632aa6ede99996f9

SHA256
2a580123e8dfce93b92c511d2894023168eeb8283c5956218f5a79eaa4aea688

SHA512
b8980ed965ac8eb15a12a5fe11d72436e726070354a5287e9000b4b1fe1a6fc063ad05fc670b53a20de7c78a963905d591c427e4ca6c3fc888273a1e9a532f7a

Download Submit
\Windows\SysWOW64\Aniimjbo.exe

Filesize
366KB

MD5
5b00b64844cb128b7f0003fa87398ffc

SHA1
9949f6025124d5f5b068f43cf2e422c08aa8a661

SHA256
7bd64f9b6122dd65d34d23066cb2f62c117db9e44006fdeacd4e38c9c236f517

SHA512
b80d0665d0a10bbd1a31c47d10c9dba84d4889f4817592a06588c02d09cdb4b05d220cf1f7581bdf3832fe02ffe6102a68e8946029773c01b8a6862da0beb286

Download Submit
\Windows\SysWOW64\Annbhi32.exe

Filesize
366KB

MD5
0b52a06c2a1d87e3b36e29f62be01864

SHA1
56b49dcb3fa5a11dcf2b9b1fa5bf97ae35b37c4d

SHA256
13cb501fcdab04aebd4d5a4fd4172460c39a41cbc44c9e68eeee7f95cbd1c986

SHA512
89af233ff51f1fb07a28992997d2916b3cf62a57e73f9cc033587906c48309666acc12e775968b849c6cfcddd74dabbf2e6af504eed2cdf94b326d0f06fa16f8

Download Submit
\Windows\SysWOW64\Bmhideol.exe

Filesize
366KB

MD5
4be6b532d92a36838a3c05a7578cbe6e

SHA1
ecaff99d3cd1673259914ee0ae6847a2bfe6e7b1

SHA256
feb730db9f4d232dd261ba9a5bc834e99ce323acb52311e3e50f8e65e887d8ee

SHA512
0eaee199a729b792f2973afc3a20d45714a598bc3ee3b8514bafe19f2aafeb7eb5c2667bdbe42d0a5b3f271c07438662a57b51e7442ebeb2de0bccf45d8c8775

Download Submit
\Windows\SysWOW64\Pjbjhgde.exe

Filesize
366KB

MD5
f42a7389f8d16a7445d39789bf1c83ff

SHA1
6fc1775831f31a88ee3db533cf7b94773d02b3ea

SHA256
0d64543ab1ac49653853fe140d0ea8bb7581e956366bc842ce4f77c0e719e8e0

SHA512
5cb1133f463d03c623193af5b2218743a1b2be9a063623a9ccfaa35a176686b5b82fad4f506d298449776d94e4d11e2b5a82417de2b3893b2222f7a767ee100b

Download Submit
\Windows\SysWOW64\Pjpnbg32.exe

Filesize
366KB

MD5
c07a7516760121c1708e77e2a3a2cf48

SHA1
f02f2886c392085de2529de780f851cbd0fb7e9f

SHA256
234248223acbab522287ae981ec342d7c686ed32a2f117ae9a36d6c04d4a5e55

SHA512
93771a2781fcc22ca0801979acb41be9bac3a07b209ce74937cdbdc7aac332fba5a82c24b026eb31c0b9a6e3c669dc5f9f291f4787a4c9ae17a9daaa57144f3c

Download Submit
\Windows\SysWOW64\Qeohnd32.exe

Filesize
366KB

MD5
7b26fb3601deaa0a374a3290969f8c01

SHA1
709db7566ae75ae370ba519fead6f8119eac9ce1

SHA256
37ba7a6ba041a9cc60c7fbe3f04b88fe126666943f9254d604220e15904bc862

SHA512
ce723ee9f8cbcb73ae29694616abe651406fab720857fd48ae1d5c15b7ec82ca3d86f17f2403e808136e86fcb6b739fb3a458f656acfe30892c659d6978efdcd

Download Submit
\Windows\SysWOW64\Qqeicede.exe

Filesize
366KB

MD5
72b5ac634d88ef9aafff92abafc37ba9

SHA1
1a40705f051e0315ef51a47f6b481854c696671b

SHA256
ffa301b0988d723c27504dcb0c20f83e960a667817b183fa327bf933540fbbcb

SHA512
aa6539b4726af86923f4a92f858ba5d3f1112da49f5d3513bc7ec2bf61d629a8ad98b9271290787aaef5bc8b21d20eb9ad0781e878811958f07768fac8252424

Download Submit
memory/700-355-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/700-269-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/700-275-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/868-95-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/868-342-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1120-158-0x00000000002E0000-0x000000000031E000-memory.dmp

Filesize
248KB

Download
memory/1120-151-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1120-347-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1488-209-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1488-222-0x0000000000370000-0x00000000003AE000-memory.dmp

Filesize
248KB

Download
memory/1488-350-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1560-130-0x0000000000270000-0x00000000002AE000-memory.dmp

Filesize
248KB

Download
memory/1560-123-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1560-345-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1588-320-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1588-360-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1588-330-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/1588-329-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/1780-253-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/1780-247-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1780-254-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/1780-353-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1848-348-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1848-180-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/1848-179-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/1848-166-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1952-150-0x0000000000280000-0x00000000002BE000-memory.dmp

Filesize
248KB

Download
memory/1952-137-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1952-346-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1960-318-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/1960-319-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/1960-359-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1960-312-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2080-298-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2080-358-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2080-310-0x00000000004A0000-0x00000000004DE000-memory.dmp

Filesize
248KB

Download
memory/2080-311-0x00000000004A0000-0x00000000004DE000-memory.dmp

Filesize
248KB

Download
memory/2156-117-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/2156-344-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2216-199-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2216-202-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/2224-352-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2224-234-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2224-243-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2368-357-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2368-297-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2368-290-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2368-296-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2432-349-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2432-197-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2432-181-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2464-233-0x00000000002A0000-0x00000000002DE000-memory.dmp

Filesize
248KB

Download
memory/2464-226-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2464-232-0x00000000002A0000-0x00000000002DE000-memory.dmp

Filesize
248KB

Download
memory/2464-351-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2484-354-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2484-255-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2484-264-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/2484-265-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/2512-286-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2512-285-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2512-356-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2512-276-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2648-340-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2708-43-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2708-50-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2708-339-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2720-13-0x0000000000290000-0x00000000002CE000-memory.dmp

Filesize
248KB

Download
memory/2720-12-0x0000000000290000-0x00000000002CE000-memory.dmp

Filesize
248KB

Download
memory/2720-332-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2720-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2824-331-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2860-104-0x0000000000310000-0x000000000034E000-memory.dmp

Filesize
248KB

Download
memory/2860-343-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2860-96-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2896-336-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2896-29-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2896-338-0x0000000000290000-0x00000000002CE000-memory.dmp

Filesize
248KB

Download
memory/2896-41-0x0000000000290000-0x00000000002CE000-memory.dmp

Filesize
248KB

Download
memory/2896-337-0x0000000000290000-0x00000000002CE000-memory.dmp

Filesize
248KB

Download
memory/2912-26-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2912-27-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2912-335-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2912-334-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2912-333-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2912-14-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2984-341-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2984-69-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2984-77-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads