b132695a0001b5317dbc8d4d70058131ac1c9786512442145d6f10ac4ed86d5a

Analysis

max time kernel
31s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
02-09-2024 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b132695a0001b5317dbc8d4d70058131ac1c9786512442145d6f10ac4ed86d5a.exe
Size

93KB
MD5

a25f05b683c577ad5ef29495fc6e32ef
SHA1

1246ea002cce04342e18dd827e095726dda53e6b
SHA256

b132695a0001b5317dbc8d4d70058131ac1c9786512442145d6f10ac4ed86d5a
SHA512

f675ffd05905ea656c81774aded0830282ca9492b797d4cee0182a2546fec74f3bf6192d70b5742197fba08755de3a46beaf72aaf7b3a8b32f7d98a2434388b3
SSDEEP

1536:9FrSTQ1TwF+A3MKljt+G+DPHsRQQRkRLJzeLD9N0iQGRNQR8RyV+32rR:brwQgtjEG+DPMeQSJdEN0s4WE+3K

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ablmilgf.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b132695a0001b5317dbc8d4d70058131ac1c9786512442145d6f10ac4ed86d5a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	b132695a0001b5317dbc8d4d70058131ac1c9786512442145d6f10ac4ed86d5a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qfimhmlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajgfnk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqanke32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ankhmncb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akkokc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeccdila.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afbpnlcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aalaoipc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ablmilgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bghfacem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amjkefmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afbpnlcd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anndbnao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aicipgqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnbnnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ailboh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeccdila.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ankhmncb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Akphfbbl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aicipgqe.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afnfcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Akkokc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acbglq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajdego32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejiehfi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ailboh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbnnm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qckalamk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfimhmlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aqanke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aalaoipc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajdego32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bghfacem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anndbnao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bejiehfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qckalamk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajgfnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afnfcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acbglq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amjkefmd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akphfbbl.exe

Executes dropped EXE 22 IoCs

pid	Process
2184	Qckalamk.exe
3032	Qfimhmlo.exe
2888	Ajgfnk32.exe
296	Aqanke32.exe
2472	Afnfcl32.exe
2816	Ailboh32.exe
2828	Akkokc32.exe
1352	Acbglq32.exe
2240	Aeccdila.exe
2968	Amjkefmd.exe
2840	Ankhmncb.exe
2416	Afbpnlcd.exe
676	Akphfbbl.exe
1660	Anndbnao.exe
948	Aalaoipc.exe
2628	Aicipgqe.exe
968	Ajdego32.exe
1300	Ablmilgf.exe
2236	Bejiehfi.exe
2428	Bghfacem.exe
1884	Bnbnnm32.exe
2424	Bmenijcd.exe

Loads dropped DLL 48 IoCs

pid	Process
3068	b132695a0001b5317dbc8d4d70058131ac1c9786512442145d6f10ac4ed86d5a.exe
3068	b132695a0001b5317dbc8d4d70058131ac1c9786512442145d6f10ac4ed86d5a.exe
2184	Qckalamk.exe
2184	Qckalamk.exe
3032	Qfimhmlo.exe
3032	Qfimhmlo.exe
2888	Ajgfnk32.exe
2888	Ajgfnk32.exe
296	Aqanke32.exe
296	Aqanke32.exe
2472	Afnfcl32.exe
2472	Afnfcl32.exe
2816	Ailboh32.exe
2816	Ailboh32.exe
2828	Akkokc32.exe
2828	Akkokc32.exe
1352	Acbglq32.exe
1352	Acbglq32.exe
2240	Aeccdila.exe
2240	Aeccdila.exe
2968	Amjkefmd.exe
2968	Amjkefmd.exe
2840	Ankhmncb.exe
2840	Ankhmncb.exe
2416	Afbpnlcd.exe
2416	Afbpnlcd.exe
676	Akphfbbl.exe
676	Akphfbbl.exe
1660	Anndbnao.exe
1660	Anndbnao.exe
948	Aalaoipc.exe
948	Aalaoipc.exe
2628	Aicipgqe.exe
2628	Aicipgqe.exe
968	Ajdego32.exe
968	Ajdego32.exe
1300	Ablmilgf.exe
1300	Ablmilgf.exe
2236	Bejiehfi.exe
2236	Bejiehfi.exe
2428	Bghfacem.exe
2428	Bghfacem.exe
1884	Bnbnnm32.exe
1884	Bnbnnm32.exe
2024	WerFault.exe
2024	WerFault.exe
2024	WerFault.exe
2024	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Akphfbbl.exe	Afbpnlcd.exe
File created	C:\Windows\SysWOW64\Jegphc32.dll	Akphfbbl.exe
File created	C:\Windows\SysWOW64\Aicipgqe.exe	Aalaoipc.exe
File created	C:\Windows\SysWOW64\Hcfcjo32.dll	Bejiehfi.exe
File opened for modification	C:\Windows\SysWOW64\Qckalamk.exe	b132695a0001b5317dbc8d4d70058131ac1c9786512442145d6f10ac4ed86d5a.exe
File created	C:\Windows\SysWOW64\Qfdkaj32.dll	Aeccdila.exe
File created	C:\Windows\SysWOW64\Ajdego32.exe	Aicipgqe.exe
File opened for modification	C:\Windows\SysWOW64\Ajdego32.exe	Aicipgqe.exe
File created	C:\Windows\SysWOW64\Qckalamk.exe	b132695a0001b5317dbc8d4d70058131ac1c9786512442145d6f10ac4ed86d5a.exe
File created	C:\Windows\SysWOW64\Hgeahj32.dll	Qckalamk.exe
File opened for modification	C:\Windows\SysWOW64\Aqanke32.exe	Ajgfnk32.exe
File created	C:\Windows\SysWOW64\Bemkkdbc.dll	Ailboh32.exe
File created	C:\Windows\SysWOW64\Khilfg32.dll	Acbglq32.exe
File created	C:\Windows\SysWOW64\Anndbnao.exe	Akphfbbl.exe
File created	C:\Windows\SysWOW64\Inceepmo.dll	Aalaoipc.exe
File created	C:\Windows\SysWOW64\Olfclj32.dll	Bghfacem.exe
File opened for modification	C:\Windows\SysWOW64\Qfimhmlo.exe	Qckalamk.exe
File created	C:\Windows\SysWOW64\Aeccdila.exe	Acbglq32.exe
File created	C:\Windows\SysWOW64\Ankhmncb.exe	Amjkefmd.exe
File created	C:\Windows\SysWOW64\Ablmilgf.exe	Ajdego32.exe
File created	C:\Windows\SysWOW64\Iibjbgbg.dll	Ajdego32.exe
File created	C:\Windows\SysWOW64\Lnofaf32.dll	Ablmilgf.exe
File created	C:\Windows\SysWOW64\Bghfacem.exe	Bejiehfi.exe
File created	C:\Windows\SysWOW64\Bnbnnm32.exe	Bghfacem.exe
File created	C:\Windows\SysWOW64\Qfimhmlo.exe	Qckalamk.exe
File created	C:\Windows\SysWOW64\Amncmd32.dll	Qfimhmlo.exe
File opened for modification	C:\Windows\SysWOW64\Ailboh32.exe	Afnfcl32.exe
File opened for modification	C:\Windows\SysWOW64\Bghfacem.exe	Bejiehfi.exe
File created	C:\Windows\SysWOW64\Aqanke32.exe	Ajgfnk32.exe
File created	C:\Windows\SysWOW64\Jgcfpd32.dll	Amjkefmd.exe
File opened for modification	C:\Windows\SysWOW64\Afbpnlcd.exe	Ankhmncb.exe
File created	C:\Windows\SysWOW64\Bejiehfi.exe	Ablmilgf.exe
File created	C:\Windows\SysWOW64\Hoeqmeoo.dll	Ajgfnk32.exe
File opened for modification	C:\Windows\SysWOW64\Amjkefmd.exe	Aeccdila.exe
File opened for modification	C:\Windows\SysWOW64\Aalaoipc.exe	Anndbnao.exe
File opened for modification	C:\Windows\SysWOW64\Bejiehfi.exe	Ablmilgf.exe
File created	C:\Windows\SysWOW64\Akkokc32.exe	Ailboh32.exe
File created	C:\Windows\SysWOW64\Acbglq32.exe	Akkokc32.exe
File created	C:\Windows\SysWOW64\Pgmobakj.dll	Aicipgqe.exe
File opened for modification	C:\Windows\SysWOW64\Bnbnnm32.exe	Bghfacem.exe
File opened for modification	C:\Windows\SysWOW64\Ajgfnk32.exe	Qfimhmlo.exe
File opened for modification	C:\Windows\SysWOW64\Akkokc32.exe	Ailboh32.exe
File created	C:\Windows\SysWOW64\Ddgoncih.dll	b132695a0001b5317dbc8d4d70058131ac1c9786512442145d6f10ac4ed86d5a.exe
File created	C:\Windows\SysWOW64\Afnfcl32.exe	Aqanke32.exe
File opened for modification	C:\Windows\SysWOW64\Aicipgqe.exe	Aalaoipc.exe
File created	C:\Windows\SysWOW64\Akphfbbl.exe	Afbpnlcd.exe
File created	C:\Windows\SysWOW64\Ailboh32.exe	Afnfcl32.exe
File created	C:\Windows\SysWOW64\Ppqolemj.dll	Afnfcl32.exe
File opened for modification	C:\Windows\SysWOW64\Acbglq32.exe	Akkokc32.exe
File created	C:\Windows\SysWOW64\Afbpnlcd.exe	Ankhmncb.exe
File opened for modification	C:\Windows\SysWOW64\Anndbnao.exe	Akphfbbl.exe
File created	C:\Windows\SysWOW64\Diflambo.dll	Bnbnnm32.exe
File created	C:\Windows\SysWOW64\Qebepc32.dll	Aqanke32.exe
File created	C:\Windows\SysWOW64\Kagbmg32.dll	Anndbnao.exe
File opened for modification	C:\Windows\SysWOW64\Ablmilgf.exe	Ajdego32.exe
File created	C:\Windows\SysWOW64\Aalaoipc.exe	Anndbnao.exe
File opened for modification	C:\Windows\SysWOW64\Afnfcl32.exe	Aqanke32.exe
File created	C:\Windows\SysWOW64\Abgqlf32.dll	Afbpnlcd.exe
File opened for modification	C:\Windows\SysWOW64\Bmenijcd.exe	Bnbnnm32.exe
File created	C:\Windows\SysWOW64\Ajgfnk32.exe	Qfimhmlo.exe
File created	C:\Windows\SysWOW64\Pjmgop32.dll	Akkokc32.exe
File opened for modification	C:\Windows\SysWOW64\Aeccdila.exe	Acbglq32.exe
File created	C:\Windows\SysWOW64\Amjkefmd.exe	Aeccdila.exe
File opened for modification	C:\Windows\SysWOW64\Ankhmncb.exe	Amjkefmd.exe

Program crash 1 IoCs

pid	pid_target	Process
2024	2424	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejiehfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akkokc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akphfbbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqanke32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afnfcl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amjkefmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afbpnlcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aalaoipc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbnnm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfimhmlo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajgfnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeccdila.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aicipgqe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajdego32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bghfacem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmenijcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b132695a0001b5317dbc8d4d70058131ac1c9786512442145d6f10ac4ed86d5a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ailboh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ankhmncb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anndbnao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ablmilgf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qckalamk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acbglq32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bghfacem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfclj32.dll"	Bghfacem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diflambo.dll"	Bnbnnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qckalamk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ankhmncb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aicipgqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	b132695a0001b5317dbc8d4d70058131ac1c9786512442145d6f10ac4ed86d5a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aeccdila.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bghfacem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bnbnnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afbpnlcd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgmobakj.dll"	Aicipgqe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Acbglq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inceepmo.dll"	Aalaoipc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgeahj32.dll"	Qckalamk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajgfnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ailboh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bemkkdbc.dll"	Ailboh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aqanke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aqanke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Akphfbbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anhaglgp.dll"	Ankhmncb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jegphc32.dll"	Akphfbbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kagbmg32.dll"	Anndbnao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajdego32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajdego32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ablmilgf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjmgop32.dll"	Akkokc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Acbglq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgcfpd32.dll"	Amjkefmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abgqlf32.dll"	Afbpnlcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aalaoipc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amncmd32.dll"	Qfimhmlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afnfcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Akkokc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Anndbnao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Amjkefmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aalaoipc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	b132695a0001b5317dbc8d4d70058131ac1c9786512442145d6f10ac4ed86d5a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afnfcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppqolemj.dll"	Afnfcl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khilfg32.dll"	Acbglq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aeccdila.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bejiehfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddgoncih.dll"	b132695a0001b5317dbc8d4d70058131ac1c9786512442145d6f10ac4ed86d5a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qfimhmlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoeqmeoo.dll"	Ajgfnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajgfnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bejiehfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qckalamk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ailboh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Anndbnao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aicipgqe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ablmilgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnbnnm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	b132695a0001b5317dbc8d4d70058131ac1c9786512442145d6f10ac4ed86d5a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfdkaj32.dll"	Aeccdila.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afbpnlcd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Akphfbbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iibjbgbg.dll"	Ajdego32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnofaf32.dll"	Ablmilgf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	b132695a0001b5317dbc8d4d70058131ac1c9786512442145d6f10ac4ed86d5a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qebepc32.dll"	Aqanke32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Akkokc32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2184	3068	b132695a0001b5317dbc8d4d70058131ac1c9786512442145d6f10ac4ed86d5a.exe	30
PID 3068 wrote to memory of 2184	3068	b132695a0001b5317dbc8d4d70058131ac1c9786512442145d6f10ac4ed86d5a.exe	30
PID 3068 wrote to memory of 2184	3068	b132695a0001b5317dbc8d4d70058131ac1c9786512442145d6f10ac4ed86d5a.exe	30
PID 3068 wrote to memory of 2184	3068	b132695a0001b5317dbc8d4d70058131ac1c9786512442145d6f10ac4ed86d5a.exe	30
PID 2184 wrote to memory of 3032	2184	Qckalamk.exe	31
PID 2184 wrote to memory of 3032	2184	Qckalamk.exe	31
PID 2184 wrote to memory of 3032	2184	Qckalamk.exe	31
PID 2184 wrote to memory of 3032	2184	Qckalamk.exe	31
PID 3032 wrote to memory of 2888	3032	Qfimhmlo.exe	32
PID 3032 wrote to memory of 2888	3032	Qfimhmlo.exe	32
PID 3032 wrote to memory of 2888	3032	Qfimhmlo.exe	32
PID 3032 wrote to memory of 2888	3032	Qfimhmlo.exe	32
PID 2888 wrote to memory of 296	2888	Ajgfnk32.exe	33
PID 2888 wrote to memory of 296	2888	Ajgfnk32.exe	33
PID 2888 wrote to memory of 296	2888	Ajgfnk32.exe	33
PID 2888 wrote to memory of 296	2888	Ajgfnk32.exe	33
PID 296 wrote to memory of 2472	296	Aqanke32.exe	34
PID 296 wrote to memory of 2472	296	Aqanke32.exe	34
PID 296 wrote to memory of 2472	296	Aqanke32.exe	34
PID 296 wrote to memory of 2472	296	Aqanke32.exe	34
PID 2472 wrote to memory of 2816	2472	Afnfcl32.exe	35
PID 2472 wrote to memory of 2816	2472	Afnfcl32.exe	35
PID 2472 wrote to memory of 2816	2472	Afnfcl32.exe	35
PID 2472 wrote to memory of 2816	2472	Afnfcl32.exe	35
PID 2816 wrote to memory of 2828	2816	Ailboh32.exe	36
PID 2816 wrote to memory of 2828	2816	Ailboh32.exe	36
PID 2816 wrote to memory of 2828	2816	Ailboh32.exe	36
PID 2816 wrote to memory of 2828	2816	Ailboh32.exe	36
PID 2828 wrote to memory of 1352	2828	Akkokc32.exe	37
PID 2828 wrote to memory of 1352	2828	Akkokc32.exe	37
PID 2828 wrote to memory of 1352	2828	Akkokc32.exe	37
PID 2828 wrote to memory of 1352	2828	Akkokc32.exe	37
PID 1352 wrote to memory of 2240	1352	Acbglq32.exe	38
PID 1352 wrote to memory of 2240	1352	Acbglq32.exe	38
PID 1352 wrote to memory of 2240	1352	Acbglq32.exe	38
PID 1352 wrote to memory of 2240	1352	Acbglq32.exe	38
PID 2240 wrote to memory of 2968	2240	Aeccdila.exe	39
PID 2240 wrote to memory of 2968	2240	Aeccdila.exe	39
PID 2240 wrote to memory of 2968	2240	Aeccdila.exe	39
PID 2240 wrote to memory of 2968	2240	Aeccdila.exe	39
PID 2968 wrote to memory of 2840	2968	Amjkefmd.exe	40
PID 2968 wrote to memory of 2840	2968	Amjkefmd.exe	40
PID 2968 wrote to memory of 2840	2968	Amjkefmd.exe	40
PID 2968 wrote to memory of 2840	2968	Amjkefmd.exe	40
PID 2840 wrote to memory of 2416	2840	Ankhmncb.exe	41
PID 2840 wrote to memory of 2416	2840	Ankhmncb.exe	41
PID 2840 wrote to memory of 2416	2840	Ankhmncb.exe	41
PID 2840 wrote to memory of 2416	2840	Ankhmncb.exe	41
PID 2416 wrote to memory of 676	2416	Afbpnlcd.exe	42
PID 2416 wrote to memory of 676	2416	Afbpnlcd.exe	42
PID 2416 wrote to memory of 676	2416	Afbpnlcd.exe	42
PID 2416 wrote to memory of 676	2416	Afbpnlcd.exe	42
PID 676 wrote to memory of 1660	676	Akphfbbl.exe	43
PID 676 wrote to memory of 1660	676	Akphfbbl.exe	43
PID 676 wrote to memory of 1660	676	Akphfbbl.exe	43
PID 676 wrote to memory of 1660	676	Akphfbbl.exe	43
PID 1660 wrote to memory of 948	1660	Anndbnao.exe	44
PID 1660 wrote to memory of 948	1660	Anndbnao.exe	44
PID 1660 wrote to memory of 948	1660	Anndbnao.exe	44
PID 1660 wrote to memory of 948	1660	Anndbnao.exe	44
PID 948 wrote to memory of 2628	948	Aalaoipc.exe	45
PID 948 wrote to memory of 2628	948	Aalaoipc.exe	45
PID 948 wrote to memory of 2628	948	Aalaoipc.exe	45
PID 948 wrote to memory of 2628	948	Aalaoipc.exe	45

C:\Users\Admin\AppData\Local\Temp\b132695a0001b5317dbc8d4d70058131ac1c9786512442145d6f10ac4ed86d5a.exe
"C:\Users\Admin\AppData\Local\Temp\b132695a0001b5317dbc8d4d70058131ac1c9786512442145d6f10ac4ed86d5a.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\SysWOW64\Qckalamk.exe
  C:\Windows\system32\Qckalamk.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\SysWOW64\Qfimhmlo.exe
    C:\Windows\system32\Qfimhmlo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Windows\SysWOW64\Ajgfnk32.exe
      C:\Windows\system32\Ajgfnk32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2888
    - - C:\Windows\SysWOW64\Aqanke32.exe
        
        C:\Windows\system32\Aqanke32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:296
      - C:\Windows\SysWOW64\Afnfcl32.exe
        
        C:\Windows\system32\Afnfcl32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\SysWOW64\Ailboh32.exe
        
        C:\Windows\system32\Ailboh32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\SysWOW64\Akkokc32.exe
        
        C:\Windows\system32\Akkokc32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\Acbglq32.exe
        
        C:\Windows\system32\Acbglq32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\SysWOW64\Aeccdila.exe
        
        C:\Windows\system32\Aeccdila.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\Amjkefmd.exe
        
        C:\Windows\system32\Amjkefmd.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\Ankhmncb.exe
        
        C:\Windows\system32\Ankhmncb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\SysWOW64\Afbpnlcd.exe
        
        C:\Windows\system32\Afbpnlcd.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\SysWOW64\Akphfbbl.exe
        
        C:\Windows\system32\Akphfbbl.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:676
        
        C:\Windows\SysWOW64\Anndbnao.exe
        
        C:\Windows\system32\Anndbnao.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\SysWOW64\Aalaoipc.exe
        
        C:\Windows\system32\Aalaoipc.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\SysWOW64\Aicipgqe.exe
        
        C:\Windows\system32\Aicipgqe.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Ajdego32.exe
        
        C:\Windows\system32\Ajdego32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Ablmilgf.exe
        
        C:\Windows\system32\Ablmilgf.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1300
        
        C:\Windows\SysWOW64\Bejiehfi.exe
        
        C:\Windows\system32\Bejiehfi.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Bghfacem.exe
        
        C:\Windows\system32\Bghfacem.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2428
        
        C:\Windows\SysWOW64\Bnbnnm32.exe
        
        C:\Windows\system32\Bnbnnm32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1884
        
        C:\Windows\SysWOW64\Bmenijcd.exe
        
        C:\Windows\system32\Bmenijcd.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 140
        24⤵
        Loads dropped DLL
        Program crash
        
        PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aalaoipc.exe

Filesize
93KB

MD5
26e9dd0c4b427445b3e87af45b62698a

SHA1
416e6a514a0385c320aab56fd9ba4b499122f1e7

SHA256
349ced010d77d8b8ceee1b4a5214b6ff3e7b1d3016fa8f00fe4bcb2438b759d7

SHA512
2f0d21c775ea2238aa8b7e27613fa8faa89ca9b8b960d995d09806faf26a8fd8ebbe07595f00a422cf850d02e8ae4ee73b54ad33ce1ba8db8c5a1b126acd6434

Download Submit
C:\Windows\SysWOW64\Ablmilgf.exe

Filesize
93KB

MD5
fec684a986c22fdd9aebcbbf501c5138

SHA1
02bd593576a92529beda88eeaaf3a52ed1fd2e4e

SHA256
5e7154dd34de10009e2505dc6c8619faa23904c6af62877d9decdc4be535ab45

SHA512
36072deeac4a1ee7d8932f5283cd23477a2a6145cb9b1809135416bb914cf4a9280acc20145649dadf2a41700af4087026fa3f667d16c835149be0459685ed7c

Download Submit
C:\Windows\SysWOW64\Acbglq32.exe

Filesize
93KB

MD5
5cb065249da46f0f755561659fe108bf

SHA1
5f27c0e6c452e39769ff48c726ad6de62461afd7

SHA256
65a0aedafbeaec4635b1b6f32ce18706e0e54c41f25051d55d7b8a8e1e45d930

SHA512
96dd271da3194efb8b82d44a4b1f573a3eae34c23d7932ff8e604b7175c198a448c4c7a90726f90f336c8806ac44f3445d3e6f31853152c751b8a96543435233

Download Submit
C:\Windows\SysWOW64\Aeccdila.exe

Filesize
93KB

MD5
f374050e25f4dc4901d57304accb24e4

SHA1
3f0c4885a1da3756a9fbb286161da3c4492113a3

SHA256
a19c6d00fa053bcfe4e7f86758b660a599838eb3b19f111a41074476bf58d1d2

SHA512
49d4fbcbb9ee8795370c3bca0a99c36f0c8d1cce057d43ad9e25d3e01f721c89f64901b61c1976a0af2b6e97db7bf33b5adb458254041657a15ff2fbd68345ac

Download Submit
C:\Windows\SysWOW64\Ajdego32.exe

Filesize
93KB

MD5
ef7d7db929bfe44ca8f0cad6dc6c410c

SHA1
54c17bbbb7f85e9c88c09d7517ceebb16fc202c8

SHA256
45074e865ad9fecd0109a5ec1e3c8dc0af2712f3f00b8ec72ef89fb11be6b381

SHA512
2c58528ff32043e2301b4e70243c02f70c9190fe30d606896c114daba912da41efd342258be93d1e886c56734acb2be2b302c3789873eeba30c697b30cd779e5

Download Submit
C:\Windows\SysWOW64\Akkokc32.exe

Filesize
93KB

MD5
f35bc6de35c7d0b72caa5de153bf0565

SHA1
4dd42565dc958c6ce5abd46871aafb59a0c69c7f

SHA256
a0ba55c12a42ff04af47ff9d8d5568c876542bbe5cc54760c907c607e73da06a

SHA512
dcca39f7378f6a5c13fda5edc135b80e83b78e6463b05d864ba20ab588e7f8d32aa2da2d6e34fcfea6c7ef3dfae78759f019281284fd6d349fb33c247e95408e

Download Submit
C:\Windows\SysWOW64\Akphfbbl.exe

Filesize
93KB

MD5
68ee038ec048628dc202c82cdf23c0ac

SHA1
49670ee70d5b1ec5960ab77cee6d4ccfba35e38e

SHA256
d59c856efad7aecd6e06016fe9696e512b727cdcf1f4ba602a9447bda73d796b

SHA512
03f36f0c431f6d5f544de0993d4d90bf91c13a31f796d15e2c714fa98996fe59b236f1ff6da63ba425e0a1d13fba0e92782ac3937d31aaafc992a00a691c0e43

Download Submit
C:\Windows\SysWOW64\Amjkefmd.exe

Filesize
93KB

MD5
5f4f0ab1af66864173bacc4a618a703e

SHA1
c7cf531f9fea84b4a08c03b0394ff96cdb74cbfc

SHA256
c0d33929afb6c25becba4009ba458ec6b99d189210562d9da00f0c56b79b1344

SHA512
b7277c6f2b791bad112b91d25ec8b1056eb6c4b3bda92a7fe415198f18c3f5664c7b51c187d1362f76a4266abb495b30e18e293602d09d529c947d8db2d4bf0b

Download Submit
C:\Windows\SysWOW64\Ankhmncb.exe

Filesize
93KB

MD5
96efc4f6a55237596199da83f5192875

SHA1
3e459f4daa82644eaf92d736fc7d68782d75e105

SHA256
fc60081247be0375628e9352f378b9ddd525f8a7bac4b393de4f7a23f456c447

SHA512
0660abd8cb1441303e792d4cca5dca35c663b76ce14e7778015ca0b79dcc754f6d9c8ce44ee80971802636064fbb9839f5365b1fb575d83bb255f5ece00140b8

Download Submit
C:\Windows\SysWOW64\Anndbnao.exe

Filesize
93KB

MD5
7bdc3f491a0fccb770865916915c2b11

SHA1
b88f9cc7394c9661e6aa61f7baef029e461d3837

SHA256
aaabce50fccbf42ea7a8b988429b9735e16b903062f2ea9c66997399423cd4e7

SHA512
e7b8356255310289e7a0521040d4a7682f40f5f44f128e6c28090df4099852dcda57bfe42d5d9426bb6ef348038b9b24aa503fa122e44f7f8629adf104712766

Download Submit
C:\Windows\SysWOW64\Aqanke32.exe

Filesize
93KB

MD5
8f17baeafa2b2c005a2a4e2be0e82457

SHA1
b2c420a094653a1473a88350484d9210a4e8969d

SHA256
ff96a57fcf4b297db11eb88555bb0144ed3940f6a3812be0cd7c1700a137b538

SHA512
004b864dabe6be40795f2bb2d97d719128364f1683a9d1ea664c5492814c964512d48ccccf188fa44a8f49b7064a6b058293a9660fa52db4b5c8eef2c1346ef2

Download Submit
C:\Windows\SysWOW64\Bejiehfi.exe

Filesize
93KB

MD5
6c0b8548bb6fc0362362b668b492f930

SHA1
fb784faf8836292782380eb98ac34a26f56ab591

SHA256
a52198d9faa699b1ec814e98545ef846077c3f76936f7a6bffb944c75b9d44da

SHA512
4958882061c2492d3deec223458c10c1bcc961e1d6d0b3d7bcd54273a62376b276a5b6b85f8d0611425616964b83b5f4299c5f783592f3a72eea5abf0d5ddb0a

Download Submit
C:\Windows\SysWOW64\Bghfacem.exe

Filesize
93KB

MD5
df08c5f597d04100df1ce8e7bb56a7c4

SHA1
583de3e4559e967a2e47445a602c528064cd96b8

SHA256
d6362fbf59922d74a66d7cc2b866a5f8540d273e6e889e4a4deb3d5a08ffd435

SHA512
6f8585a145fade47d3a64c66bbd873240a84882ff68fbcaf05405cd6a07c1310dccd3d65fa3ea758ae2344e76ac5a00a8e8ad480a47b5b0fd986524e32e066b0

Download Submit
C:\Windows\SysWOW64\Bmenijcd.exe

Filesize
93KB

MD5
25341066c1354b65abb1711821f2f2a2

SHA1
f3a73f045a4ab41c4ce6076e92210638d43a879b

SHA256
2d5ca74791e166a4e1f731b43fcc332eca9d910f5793438187c4bcfd03e5ec1e

SHA512
7dc88395a5ade13efb2d5f7507a1d89027ce5f0c2c157a535ad3d429097638c3043dfc3ecbd7fd020d75d47a6ab4a641140b6b092de99163b28b544ed61701cf

Download Submit
C:\Windows\SysWOW64\Bnbnnm32.exe

Filesize
93KB

MD5
4eb84e6acb9f285368766866eee1a658

SHA1
d122a3307867cd1683d29922879a02faa144875a

SHA256
1ea40af5f51e4f283c282e886b2dd01b98e99875f97105747b344bbd0b2d99cf

SHA512
119641f37c7374376ff26b643200433237787f0a12bfdaef0bc5a067d7c41f9d9744f320174fa78dd8c4149dd8054bccb8bc9171fc01b2d7570361a8e45cfdae

Download Submit
C:\Windows\SysWOW64\Qckalamk.exe

Filesize
93KB

MD5
35a49ed13bb3bc01c93e8f17411980c9

SHA1
5c6495f472c78374ed79845231fa7d192e886d0b

SHA256
f5d02c46e06087e81157642fe9966257096047fd6fbfd6410bca8c4b1f823699

SHA512
d5f87761a02f4a2cf7ee681ab02cd5c6007f298d87743a7a6ca918c3558c035e6ec70a53a05ff3b4166b77043d5d985ec0c5fda9ba178222048b3ffb1c8bb769

Download Submit
C:\Windows\SysWOW64\Qebepc32.dll

Filesize
7KB

MD5
fc7e3ff625eb023c03d7de1adb514d64

SHA1
317d1165e624da01bf4b4f1a5253d943515f4c47

SHA256
5edfa77ef934abc625287efdf9cde930b326e6c5004df2a7217bde21a4fc1d0c

SHA512
784ba3e8d5ef7208533f33f74bdc6fe0dc51b76dce57d9a4ca6224043d527d23653e27052fbe463b7d89a6b3febc9d1965567090b551d9e5469e5a15dc6b0ea3

Download Submit
C:\Windows\SysWOW64\Qfimhmlo.exe

Filesize
93KB

MD5
3287ddee07aa2dead4be291020242e40

SHA1
12ce1c4ed3f1397f36e8947ac794c7770ac3445a

SHA256
d16acd8e9781f7f9e6ac39bae32bdf824bbbce54ddabd6e63d54b5d33ee707c5

SHA512
7ef3fc91c119c386d1b3a39a4cd62029aef6586bdb084cb0bb4624480e977dc456e9d832cefa0ca1ed8d76e35bf42146dacb3bdd25125dd9a7c2ab11e1addf3e

Download Submit
\Windows\SysWOW64\Afbpnlcd.exe

Filesize
93KB

MD5
a8eec6067f4c1a1832dbc5182a2ec5d4

SHA1
61d347e1e5c9725ab7f177c6e355f41e97dab4f0

SHA256
8bbd7e55d14fe22d555b8c67b98640ca4788375449138cd34d0a1b90084d100f

SHA512
6425780712839894c84d4ab9bc888b9697eb1ddd62bfbe26d02461a9fa8b6d5ff54cce6e91dfc9a45c1aa54236ac022e06d2c116221d0a2e6c30ecb33501aefa

Download Submit
\Windows\SysWOW64\Afnfcl32.exe

Filesize
93KB

MD5
7354cad8df737ea41ddfc50fd60a8344

SHA1
b0b6c971f89c0ed2c62db9d597841eeba9ef3603

SHA256
cb0e3bab9bbf685d4689722ed5e71305f90c47fbe0072035e56258210c95fb37

SHA512
f0d6fd7974ff53e222305f2c09eccbd2c6219de9d77230498b536e2bd85f3cab2955b788aac3ae0879c6d0737f8474fb685c8793eea090b1b55134da663483d7

Download Submit
\Windows\SysWOW64\Aicipgqe.exe

Filesize
93KB

MD5
152377986acc961ab614ef9c83b8c67b

SHA1
fb407350b8641a52d1ef83108adbf6382cc56b2d

SHA256
86e2f1afd35ede7a06db87c14f144c73ebc67be3b6c64cab502d49dfa19d8645

SHA512
a96b12bb5a6fbf57396cb45976306e9a28c4ac627da72deff217cb16bd12dd3c7ac26d3428f29a6502ea1394ec38daae2b728d06e694b8c71284562e273223cf

Download Submit
\Windows\SysWOW64\Ailboh32.exe

Filesize
93KB

MD5
0d1025449c67cb15b2ea0c72716a229e

SHA1
c6b229ec23d81fadb251ca387af6b8946aab925b

SHA256
9031f1e6ce0311abc90ec02aa413fb0b4f393458ef305e00b81f02de34e23cbd

SHA512
abb8034650971fe4730c09d3fa7f404b95b155ad1d02bc100e9b734e4950173cc31afb5036a50396adbb52d028d4063453ec27f9556b1923fd5133e28194623f

Download Submit
\Windows\SysWOW64\Ajgfnk32.exe

Filesize
93KB

MD5
6ca215eb73bdde3b589b66d81348b318

SHA1
b8d5814932083d97b2e1d03161ddeff729d1869b

SHA256
89c37d552eb66207d0b082bf596eb6eb5ba93aaccdd89a7c95b7756169b029b1

SHA512
d3297114a0e2a8aada0bbf2693381ea77de23fc4a332f92d8f645d2939582851fff193ec260a833cb09cd447dfca429db62c44b672773d7ba249c3513a0d57e5

Download Submit
memory/296-67-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/296-113-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/296-53-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/296-61-0x0000000000300000-0x0000000000340000-memory.dmp

Filesize
256KB

Download
memory/676-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/676-187-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/948-261-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/948-231-0x0000000000270000-0x00000000002B0000-memory.dmp

Filesize
256KB

Download
memory/968-280-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/968-245-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/968-252-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1300-290-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1300-262-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1352-114-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1352-171-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1352-128-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1352-122-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1660-251-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1660-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1660-210-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1884-295-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/1884-298-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2184-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2236-272-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2236-296-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2240-183-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2416-182-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2416-172-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2416-232-0x0000000000280000-0x00000000002C0000-memory.dmp

Filesize
256KB

Download
memory/2416-218-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2424-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2428-297-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2428-282-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2472-127-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2472-142-0x0000000000340000-0x0000000000380000-memory.dmp

Filesize
256KB

Download
memory/2472-82-0x0000000000340000-0x0000000000380000-memory.dmp

Filesize
256KB

Download
memory/2472-69-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2472-84-0x0000000000340000-0x0000000000380000-memory.dmp

Filesize
256KB

Download
memory/2628-241-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2628-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2628-270-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2816-130-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2816-99-0x00000000002B0000-0x00000000002F0000-memory.dmp

Filesize
256KB

Download
memory/2816-92-0x00000000002B0000-0x00000000002F0000-memory.dmp

Filesize
256KB

Download
memory/2828-111-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/2828-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2840-217-0x0000000000490000-0x00000000004D0000-memory.dmp

Filesize
256KB

Download
memory/2840-215-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2888-51-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2968-208-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2968-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2968-153-0x00000000002D0000-0x0000000000310000-memory.dmp

Filesize
256KB

Download
memory/2968-199-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3032-83-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3032-97-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/3032-26-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3032-33-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/3068-23-0x0000000000250000-0x0000000000290000-memory.dmp

Filesize
256KB

Download
memory/3068-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3068-66-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads