75654951e467094a1b95b311f09873a02f22fff7ad6e7644d20734b4ca24e018

Analysis

max time kernel
92s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/11/2024, 09:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75654951e467094a1b95b311f09873a02f22fff7ad6e7644d20734b4ca24e018N.exe
Size

464KB
MD5

c75dda0094ea84919a93a7231e348700
SHA1

5941348ba26b921dcd8b9ecacbd67f5d95eda5e6
SHA256

75654951e467094a1b95b311f09873a02f22fff7ad6e7644d20734b4ca24e018
SHA512

7a3af8db1034f6121178d860ab852133f892c0e34a7fd61581564752260ac621eede82fab41220b416a243dc0701fda4397238dc3b2f0977e02b110dd4bc40fd
SSDEEP

6144:gRqRz+FCfe4zt9LIoFEOIIIPCn4EOIuIPJEOOcHTETKEOIIIPCQ:gYRz+Mv8YEVI2C4EVu2JEVcBEVI2CQ

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	75654951e467094a1b95b311f09873a02f22fff7ad6e7644d20734b4ca24e018N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	75654951e467094a1b95b311f09873a02f22fff7ad6e7644d20734b4ca24e018N.exe

Executes dropped EXE 25 IoCs

pid	Process
4424	Anogiicl.exe
4092	Afjlnk32.exe
1248	Anadoi32.exe
3972	Aeklkchg.exe
1600	Afmhck32.exe
3020	Anfmjhmd.exe
4792	Bfabnjjp.exe
652	Bganhm32.exe
860	Bmngqdpj.exe
2100	Bjagjhnc.exe
4556	Bcjlcn32.exe
1632	Beihma32.exe
2468	Bnbmefbg.exe
3716	Bapiabak.exe
1828	Cdfkolkf.exe
3856	Cdhhdlid.exe
4412	Cmqmma32.exe
3124	Cegdnopg.exe
3988	Dfiafg32.exe
4224	Dejacond.exe
1128	Dhkjej32.exe
2860	Deokon32.exe
3384	Dkkcge32.exe
2036	Deagdn32.exe
3728	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Afjlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Afmhck32.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Jmmmebhb.dll	Anogiicl.exe
File opened for modification	C:\Windows\SysWOW64\Aeklkchg.exe	Anadoi32.exe
File opened for modification	C:\Windows\SysWOW64\Anfmjhmd.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Anogiicl.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Aeklkchg.exe	Anadoi32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	75654951e467094a1b95b311f09873a02f22fff7ad6e7644d20734b4ca24e018N.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Ghekgcil.dll	75654951e467094a1b95b311f09873a02f22fff7ad6e7644d20734b4ca24e018N.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	75654951e467094a1b95b311f09873a02f22fff7ad6e7644d20734b4ca24e018N.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Dejacond.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cdhhdlid.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4976	3728	WerFault.exe	108

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	75654951e467094a1b95b311f09873a02f22fff7ad6e7644d20734b4ca24e018N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	75654951e467094a1b95b311f09873a02f22fff7ad6e7644d20734b4ca24e018N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	75654951e467094a1b95b311f09873a02f22fff7ad6e7644d20734b4ca24e018N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	75654951e467094a1b95b311f09873a02f22fff7ad6e7644d20734b4ca24e018N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	75654951e467094a1b95b311f09873a02f22fff7ad6e7644d20734b4ca24e018N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoddikd.dll"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	75654951e467094a1b95b311f09873a02f22fff7ad6e7644d20734b4ca24e018N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Anogiicl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afjlnk32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1516 wrote to memory of 4424	1516	75654951e467094a1b95b311f09873a02f22fff7ad6e7644d20734b4ca24e018N.exe	84
PID 1516 wrote to memory of 4424	1516	75654951e467094a1b95b311f09873a02f22fff7ad6e7644d20734b4ca24e018N.exe	84
PID 1516 wrote to memory of 4424	1516	75654951e467094a1b95b311f09873a02f22fff7ad6e7644d20734b4ca24e018N.exe	84
PID 4424 wrote to memory of 4092	4424	Anogiicl.exe	85
PID 4424 wrote to memory of 4092	4424	Anogiicl.exe	85
PID 4424 wrote to memory of 4092	4424	Anogiicl.exe	85
PID 4092 wrote to memory of 1248	4092	Afjlnk32.exe	86
PID 4092 wrote to memory of 1248	4092	Afjlnk32.exe	86
PID 4092 wrote to memory of 1248	4092	Afjlnk32.exe	86
PID 1248 wrote to memory of 3972	1248	Anadoi32.exe	87
PID 1248 wrote to memory of 3972	1248	Anadoi32.exe	87
PID 1248 wrote to memory of 3972	1248	Anadoi32.exe	87
PID 3972 wrote to memory of 1600	3972	Aeklkchg.exe	88
PID 3972 wrote to memory of 1600	3972	Aeklkchg.exe	88
PID 3972 wrote to memory of 1600	3972	Aeklkchg.exe	88
PID 1600 wrote to memory of 3020	1600	Afmhck32.exe	89
PID 1600 wrote to memory of 3020	1600	Afmhck32.exe	89
PID 1600 wrote to memory of 3020	1600	Afmhck32.exe	89
PID 3020 wrote to memory of 4792	3020	Anfmjhmd.exe	90
PID 3020 wrote to memory of 4792	3020	Anfmjhmd.exe	90
PID 3020 wrote to memory of 4792	3020	Anfmjhmd.exe	90
PID 4792 wrote to memory of 652	4792	Bfabnjjp.exe	91
PID 4792 wrote to memory of 652	4792	Bfabnjjp.exe	91
PID 4792 wrote to memory of 652	4792	Bfabnjjp.exe	91
PID 652 wrote to memory of 860	652	Bganhm32.exe	92
PID 652 wrote to memory of 860	652	Bganhm32.exe	92
PID 652 wrote to memory of 860	652	Bganhm32.exe	92
PID 860 wrote to memory of 2100	860	Bmngqdpj.exe	93
PID 860 wrote to memory of 2100	860	Bmngqdpj.exe	93
PID 860 wrote to memory of 2100	860	Bmngqdpj.exe	93
PID 2100 wrote to memory of 4556	2100	Bjagjhnc.exe	94
PID 2100 wrote to memory of 4556	2100	Bjagjhnc.exe	94
PID 2100 wrote to memory of 4556	2100	Bjagjhnc.exe	94
PID 4556 wrote to memory of 1632	4556	Bcjlcn32.exe	95
PID 4556 wrote to memory of 1632	4556	Bcjlcn32.exe	95
PID 4556 wrote to memory of 1632	4556	Bcjlcn32.exe	95
PID 1632 wrote to memory of 2468	1632	Beihma32.exe	96
PID 1632 wrote to memory of 2468	1632	Beihma32.exe	96
PID 1632 wrote to memory of 2468	1632	Beihma32.exe	96
PID 2468 wrote to memory of 3716	2468	Bnbmefbg.exe	97
PID 2468 wrote to memory of 3716	2468	Bnbmefbg.exe	97
PID 2468 wrote to memory of 3716	2468	Bnbmefbg.exe	97
PID 3716 wrote to memory of 1828	3716	Bapiabak.exe	98
PID 3716 wrote to memory of 1828	3716	Bapiabak.exe	98
PID 3716 wrote to memory of 1828	3716	Bapiabak.exe	98
PID 1828 wrote to memory of 3856	1828	Cdfkolkf.exe	99
PID 1828 wrote to memory of 3856	1828	Cdfkolkf.exe	99
PID 1828 wrote to memory of 3856	1828	Cdfkolkf.exe	99
PID 3856 wrote to memory of 4412	3856	Cdhhdlid.exe	100
PID 3856 wrote to memory of 4412	3856	Cdhhdlid.exe	100
PID 3856 wrote to memory of 4412	3856	Cdhhdlid.exe	100
PID 4412 wrote to memory of 3124	4412	Cmqmma32.exe	101
PID 4412 wrote to memory of 3124	4412	Cmqmma32.exe	101
PID 4412 wrote to memory of 3124	4412	Cmqmma32.exe	101
PID 3124 wrote to memory of 3988	3124	Cegdnopg.exe	102
PID 3124 wrote to memory of 3988	3124	Cegdnopg.exe	102
PID 3124 wrote to memory of 3988	3124	Cegdnopg.exe	102
PID 3988 wrote to memory of 4224	3988	Dfiafg32.exe	103
PID 3988 wrote to memory of 4224	3988	Dfiafg32.exe	103
PID 3988 wrote to memory of 4224	3988	Dfiafg32.exe	103
PID 4224 wrote to memory of 1128	4224	Dejacond.exe	104
PID 4224 wrote to memory of 1128	4224	Dejacond.exe	104
PID 4224 wrote to memory of 1128	4224	Dejacond.exe	104
PID 1128 wrote to memory of 2860	1128	Dhkjej32.exe	105

C:\Users\Admin\AppData\Local\Temp\75654951e467094a1b95b311f09873a02f22fff7ad6e7644d20734b4ca24e018N.exe
"C:\Users\Admin\AppData\Local\Temp\75654951e467094a1b95b311f09873a02f22fff7ad6e7644d20734b4ca24e018N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Windows\SysWOW64\Anogiicl.exe
  C:\Windows\system32\Anogiicl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4424
- - C:\Windows\SysWOW64\Afjlnk32.exe
    C:\Windows\system32\Afjlnk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4092
  - - C:\Windows\SysWOW64\Anadoi32.exe
      C:\Windows\system32\Anadoi32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1248
    - - C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3972
      - C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4792
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:652
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3856
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1128
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2860
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3384
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 408
        27⤵
        Program crash
        
        PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3728 -ip 3728
1⤵
PID:1700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
464KB

MD5
56f2d2a6371dedaae61decf323aa974d

SHA1
662e99ac8795aab1510147e2d04611e4fdd4922c

SHA256
1dc2e0e44a70f4252217ad6173a7975b0d37ce247d19783352b877edaa57c519

SHA512
9568bbbd76dabe3f4387dd5e6993a55b576a83fcb551e10fc6af976c1b813be9b8c0d4df69d8e5fc51f002dd1e70e0085bc7465fc03e92c4677ee93722e8bdfa

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
464KB

MD5
f12deb15ddc62c70936567b615a5473b

SHA1
7aa6fb984e37c34960badfb6b699b6b31719d98b

SHA256
c6ff05876026c07abee9262a0eeda25cc8c944f4e348c245d32d4456bca78eca

SHA512
2254f7d4269942657dc2c43cbb5679c9a676d98a1288a448b23ad55b2de7528dff443072775fdd22c33e728a4c5dffdc92da403a03cb2a9695b76f49db6b0271

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
464KB

MD5
cfeeb66f470a395e0d67b1cad95be6b7

SHA1
b93940027d2b0be5585d2aeeb70e58f4b64ec471

SHA256
67c2f23d41e21761c9a967fdc35cfd44924718f7e04e186484b65fa7936dfa92

SHA512
214872fe9a05f21919362d4d427607b600e308c45b8c2b543735b12e410abe8ebc87c99a2f7e2aa7e73271b1a31e8cac687cbaa0c3016205eb15c5a6302828db

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
464KB

MD5
9cd095414682d79c9e583ace35566381

SHA1
43754a0dfa9467583dad7d99d694e4ddb1919a5e

SHA256
5dfd7be7e2f7e7e627bec727670e8b6b633eee8b0d33f020b8191c83dcbfbe95

SHA512
6937a6647e0f98d84cdf5ad79d768a9b6c19204240a6b19bd2fd58f5a4c2674fffceac7449a146a7c2dffa255f8e9a2015b1752ab19009a3fa88cb4f3317d1e3

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
464KB

MD5
b543da0934f2a640c10063772b016a48

SHA1
00752fb2a3d2e75f37104971dbe1797a6d0ee538

SHA256
807e8c23adeebc55a210acf78cba60057b695600d10545216fc998d792e8f648

SHA512
5d8f3dae8badf926ed6810dc35250039310368d3a474d8379aaabb4a94717389e46dabfb291a0c661ad3af8a813a6b9a5199393b372bcab6f359ab4382012ec9

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
464KB

MD5
fba1796c51ce0995e87879a0f0082a7b

SHA1
7d66856fdc29e0965e4395dbed6b123e782f632c

SHA256
1ebd558e16a369f17e8e3919875d20d7bf45406e752e4ae05895b9adabe07b87

SHA512
d9fc4f267528f4ee7ea33986759b85733bc02d00ae79a8bd891734348158807417148cedbaa89116729c8b5c44490b43c6b5b37471630c94c30a33831cc0d422

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
464KB

MD5
f6d2e083969efff74cb6388b013ad183

SHA1
c655c1acdb01075662de5359854076638c2c936f

SHA256
6c193df481d3499951313af49c857b840a9a64adcc0cdc8ad948bd3c564f52c4

SHA512
4e247911556e6761888e51d8a646faba9ba8cc57ca74f40a883be6095aba4cb3d0d06f7311daf0af370d1dfeb4b3810dd20cfab0fc3430ac621f224a3ad10e99

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
464KB

MD5
dd83bbd35c735724934ca80d9987ac0d

SHA1
09ec0465a3203b102467f032f2836ec7b5fe637d

SHA256
61e69b20fc9fc9124400e2601a38d234bc1d7b3dc3b62246be6457c1d50c6767

SHA512
f514a1fbf9a1e05a9f9e0f4b2e8d50bbb5477385bf002aeca32cdace6f0c3abc0ae44c1183ad8b84f40d9da509dbfccc53050dc4d2b3cb86436e46482bfca469

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
464KB

MD5
0d4a1a1ae2d9a704c31241fe15d987f1

SHA1
24016807657199dca3aa7b8760bfcd867ad03296

SHA256
cfd605f12173dce8b12999e32958658a9f60bcb37f2f25d7bf4b2469672368cf

SHA512
0ff2e596594f6ce781d27e04a0ddecc74d1355762bb2a153537c4ae8e386b4f508469ab54426a6c2dd9f14b732ca64849fd1c053927e2eea3aaad0d2fe44ef76

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
464KB

MD5
6a2c1dbdc669c8ecf2128675e9d6a2f8

SHA1
c543a152b50123dc1839c76354d0b102e21c3a85

SHA256
83533bd54277e6059be06b851e635acad1059cd9d3ccbbcc5dae0e9554742827

SHA512
6062b4f0023b08b827a281eab9e7c7b466eaf16bab2b5a650cd73d491175d68975f640b041b01a8c358faf9310b6bda07d4c1c171229002b861f304a56235761

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
464KB

MD5
0126e90daa357172a1d926fe17520567

SHA1
12d5de7eed68dcf6a6baf948217007840a798420

SHA256
d98cc7149dfe0c8a8eb921ce11a91e211efb8fe1c65b4fc4805e75bc8eb20672

SHA512
7e3dec69060cc3914a0c9dd5fddecd4f35fc112ab70adb9dec68c5d908ff8594fe5ef2726c303b6083485cb63f1f89139ffbaab8257ef30b8e72973927e6c1b4

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
464KB

MD5
27009e7413903d5bdfb4af2a2cba3691

SHA1
23ac2a7b7f5688e1c0f94ff51b50cd3449b19ce9

SHA256
b2801aa35810282bda083eeed0f187bccaa9d125d1a708644d628e5449ada039

SHA512
6b2d0e965e71dbf4d9a9fffcc700354d33446cb032abd594f6bf4343c0ab0ea96902ff3b50819cff298094b72970ba6ddc1f2563c1bf560ee7ef0e979b11f669

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
464KB

MD5
dc2ba06cbc2d22eecd6f13596807f4f0

SHA1
19d8804fcb688025e433a1724216656cc3d4e00e

SHA256
4055aeb956215f535b26e97791d1b028264c5736953a26872b7e769fe92c1d6a

SHA512
ee1785830ef1c78a2cd8f068a633d05112397acdbc4dd55404e5b8a786bd775ccf22e0fb0c85321c097e5f29c37f24723807a4ca130b0aedc6b251bd41297bb6

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
464KB

MD5
ce8bb6967b7783c2b191533ec97329f8

SHA1
426c601775fdbe995ab4b4b2f8941a9f283b808b

SHA256
e6fd9b19ea38728e556a222a4f1615b735ede6e3fadf9cca8019e0a7e9cdffa5

SHA512
612f12407c2a5469e5c86cfba6fad737c6791d4e9f01d736dd4a762bf6916b863b77e05bbf7606e8dd522f13d778c60d34524ddff7961eecb139a823beef952b

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
464KB

MD5
4b385cfadf4b87b8dfa3b39e732d5eb2

SHA1
624a61daff428c8d8956545f8b1b978863577b2f

SHA256
0f7a4d354473874159752340250571ce1ad0d6119b0cb0cf92d310fc6628f3ac

SHA512
68bc2a2bbae9d986c1b62617ae98bc29a71d0e2b3355c395b0c2e6c0fb7ca814a7c9d0092b076e36f0816a6328261f5e3a249a828e6407c529ea3e8d5b93d25d

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
464KB

MD5
29e2bdf0b11d207e882deb4d8f6fbb35

SHA1
964c994eb622e81124a0980b8bc6c7ea4a4d0b3f

SHA256
d795652db7e433707b613df177cac0554fa402a9e3d12040ec0459599ddf2ba9

SHA512
1266e56b359ea7aef751fe343fbacf1671830ff4fd0298c9996994bf26d01bb2701744f517a269b62c2780d1dbe999431645c25252ec39d4b3451efffa933ed0

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
464KB

MD5
f55aa5e43b8da314a47501d60ff73150

SHA1
81ea8334c2f67f58f6c4d89d4282329e777584f7

SHA256
d9d650d142df8805ea0f7af17b7798cc6ed90f39f753d6e42029505e2965dfdc

SHA512
eab1fe46b4ef952f2524a52f8897e60ee176415fbe1d813d71e3fbaed2a715e8f938b509be30be7acb20bdc5609406781a608e7599fabd290d5d2d7da1810b3d

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
464KB

MD5
5ae2a8d1a13f854bd7945a80cc83f59e

SHA1
bf72f4e25af88eb09f8b42329fc219052de87e64

SHA256
ceb16efdfabe3c53860b4e0fdda73c3e7d955c811f6ec41f43137066acd48bd7

SHA512
0b415692585f774575c7bf5a481c1ded4c1d019bafccc20287654acf84838edf2a7ef1672eda49822e27acb50201c34a6597e572f2740fbfd252a3105e2c8a7b

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
464KB

MD5
10f0c9ec6efa0ae230453141725ce317

SHA1
075fea2d2794cd08bae027d088032d2d3cd7bd92

SHA256
f411fc451f3ad3baef904a47902c48703cc1365ec5b21fd62fd5de62d45c34f0

SHA512
4d1cdfd63aecceb3ec4ac0b3d92c7837b1f1e54b30901d0d108ebafcb8a2805c53951c224df36ec53b25c1ecba48fd0e47beee63bc4d0e64191f75bd59582c17

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
464KB

MD5
1e4eb0c34af35e070bc04c52c5f25e8c

SHA1
7eb7f2d0154d43dd59c205759d385fffdacf1d27

SHA256
4d6df285efc9f94e5974487150c58bbab65176a366962c9fb49183c3705b3cc3

SHA512
7dcd62b228d873a5b3a764a3b802e9480f509586a4bedc30958a3fba1a70256a3d3b783ce1f38f6e98f92a3de6403f0049c6126bbe646c6203bffb5e89f9d236

Download Submit
C:\Windows\SysWOW64\Cmqmma32.exe

Filesize
464KB

MD5
f5267510c656d1167cd15ad2bd169086

SHA1
a73c78a7ebd6a1459dcc4c0e2bcaec2baa52dd37

SHA256
c41e107caf676384ad5dd11aa9c0014f88ce23655d5171eba29ae60eec1d610c

SHA512
9399e2836b088c1570f8b52fe7c034749ae2eb5e4f9e723b59ccd46dc77fccd06658e79afd1e2a5edd9d5d03d88fc692c9a81bd555a2e18e27b37cce85fd1dd1

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
464KB

MD5
48e39631f15cc3c960f4d392fbceaebc

SHA1
dd2b1385fdc974d18e06a7cea8e541c32f70f4fe

SHA256
c214a65af88e17a9b3814078809306a0b11d51ca23c6c39b16142038cc95ea49

SHA512
ffefb1e8ddc5a9f3a9e6622240a651769327c401f745bb460012668f66cea0635b102bf8f872f7aecc645756329b096c345cf2766c081daeeb06444327ad71a7

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
464KB

MD5
c93e81cfb137fc83034addb2dd6e10d8

SHA1
54472c03fa8838ec0537171d42444e1d35ef07ae

SHA256
d4109cc17c60b3336210b53f02f4ce119c9737f014af3188499e473f7934622e

SHA512
88fd9438f7c2806d0319b0544341ea4027eb496337e98bd9632737777d97b86853808d7785e6f286841469e415c51ab3c8fe47678c530b5da8676a0f4e5a9f8f

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
464KB

MD5
cc1d9bfcca765b8f338996a078ff4743

SHA1
eca8adb4115fbe2d49faf29ae54fe1920bd1b0be

SHA256
59ecbe1fb76fce60e909e9a11ab09530b7ebe3f7efc5cfde132cef8eaccb6ae3

SHA512
37ef40a4eb6ec2e9e3b43b63af0db0bc1746760f7435d5d56bcdb6da855f2308500a66a977677bc1a4cc1bd7fd28f5e34c04a997cad78da60dd0d2ccb70dbd27

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
464KB

MD5
6947a165a730dff9d1a8fdfb1cf65d0a

SHA1
e2a78709c544c65f72cac3ef7ef8e26a1b908984

SHA256
fafe104938a2491dccee422cc64dc0a62bb0a0b713edad695e12849f8a953258

SHA512
3bc95a3b29c8f6282dfc9fe2f3d2ed09dc9b29acb5c7f450e78ad7fba28d324722b83cc134a6e9d3b6def0818e295c9f123fbd74e199bfe76ee017f11ea83260

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
464KB

MD5
511c94af58a06eeffa972fd0e44423ae

SHA1
cbfcc9e7105b1426fd63799554c25ce81f45dee1

SHA256
69fa4c3f9d2737f3d3c5a32419ae3f1c040f008f29b0a75ed3293856d51efbaa

SHA512
efe1dffce343328e82680dae16309f16c1b2a1a961cd325918539d8fbe420ece8d0630b5049917d1f4a5db8f513e6725e39f61da1bb512289072a9f5b62561f9

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
464KB

MD5
142cf66d955ddd10eed6eaa7e76264ab

SHA1
fc72ebce9f646f02f5a212b24c1749192c1013f3

SHA256
c06a83ab82e4021934880879c6dafc687dd12b9320fdc61b4aa9d5a80772f9e5

SHA512
e077e425d830994fcc0bbd2c662af4f3a4b3bd2325fc9812e3aa2bb95ac7a12a2e8c14f9879296b7f0e764ae20a29a8836547635d26ee87b574196c14be73fba

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
464KB

MD5
4c6e750faf53717165ea33f25a5a2138

SHA1
ba489077a7d986b72030593ba4b1f0285027f65a

SHA256
16cdf67ce96ed7b8b01e0180d5b1c2eb613888d69694baf161a82208c59094e0

SHA512
e14af4667008f61173145511e28afbed39af6318f43eee05c78601e9a611408888f0fef7d60c0fc46e5b6ca21d773d32c02bce33f730b7bb1f003d6d9f24a300

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
464KB

MD5
27cc569abfc3b53aa468c9fb65601a73

SHA1
cd3a934bb6aa93018abf28a27988af1e158e0756

SHA256
6733ed4429d60a07e365244970f194b8291eb2a241f5b753582292a95cc60244

SHA512
9313af12d7d506b4894880bd2162202f91747ab451c3062c80d56b6ecf0c4a34316307a5440bf529a6e3a5cd595a39dd208c6d0b8e639a11b74d7de1dfc51d32

Download Submit
C:\Windows\SysWOW64\Hpoddikd.dll

Filesize
7KB

MD5
5fb29db5e68efc3d43416bc5c6ec68f5

SHA1
c2a0bdc6f86b7c449555f877ae3bb2cd1b1a2e3b

SHA256
465a3811269fd6d49c5cd7307964450220cdaaa2d4ed1f155f4d4ef45b70f369

SHA512
05613b962832887f575d32150e00993bdd870c4298721cf8be5d29b82b7f7fd6b2111ddbc7d8b72242a819a34ef28f5d13f8264684a5012aaa18bc9e3266e04d

Download Submit
memory/652-64-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/652-236-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/860-234-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/860-71-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1128-210-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1128-168-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1248-246-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1248-28-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1516-0-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1516-252-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1600-40-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1600-242-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1632-228-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1632-95-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1828-119-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1828-222-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2036-204-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2036-191-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2100-232-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2100-79-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2468-104-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2468-226-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2860-176-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2860-208-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3020-240-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3020-47-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3124-144-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3124-216-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3384-183-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3384-206-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3716-111-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3716-224-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3728-199-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3728-203-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3856-127-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3856-220-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3972-244-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3972-32-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3988-214-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3988-152-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4092-20-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4092-248-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4224-212-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4224-159-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4412-218-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4412-141-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4424-250-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4424-8-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4556-88-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4556-230-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4792-55-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/4792-238-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads