a1f4dd107527263b875e4c88c8091d9bd82ccb6ffde8c94cb84a64ecb960c885

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21/07/2024, 03:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ab6d62d7d30c2253402d0b3f55f5cb0N.exe
Size

8.3MB
MD5

5ab6d62d7d30c2253402d0b3f55f5cb0
SHA1

1973a5a0aaa4f3d8a1079a114c926e8591458bee
SHA256

a1f4dd107527263b875e4c88c8091d9bd82ccb6ffde8c94cb84a64ecb960c885
SHA512

e90c0440c1b8850cd7ea0f8eecf64704e742ebd56f03b484cbc582341d2ffea53081ac31d016d9ad5a95db21058ecb9fd0b89faef6bfcdb4c8d84308aec1402c
SSDEEP

24576:80CM7CMm04rCMgCM7CMEXsCMgCM7CMm04rCMgCM7CMeM7CMEXsCMgCM7CMm04rCo:8bfI/

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kkgahoel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caifjn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opglafab.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jkhejkcq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdbbgdjj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lhiakf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfioia32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Opglafab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jkhejkcq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	5ab6d62d7d30c2253402d0b3f55f5cb0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffbdadk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmpce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbblda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbblda32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kkgahoel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lhiakf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmlael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lkgngb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqlfaj32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbgfkje.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nbmaon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nbmaon32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5ab6d62d7d30c2253402d0b3f55f5cb0N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jajcdjca.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdbbgdjj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jmhnkfpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jmhnkfpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jajcdjca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkgngb32.exe

Executes dropped EXE 26 IoCs

pid	Process
1736	Jkhejkcq.exe
348	Jmhnkfpa.exe
2280	Jajcdjca.exe
2764	Kkgahoel.exe
2844	Kdbbgdjj.exe
2624	Lhiakf32.exe
2456	Lkgngb32.exe
2948	Nbmaon32.exe
2920	Opglafab.exe
1332	Bmlael32.exe
2508	Bffbdadk.exe
1504	Bqlfaj32.exe
828	Bfioia32.exe
2576	Bmbgfkje.exe
912	Ccmpce32.exe
1420	Ckhdggom.exe
2272	Cbblda32.exe
2288	Cgoelh32.exe
1516	Cpfmmf32.exe
2208	Cinafkkd.exe
2312	Cnkjnb32.exe
1932	Caifjn32.exe
684	Cgcnghpl.exe
888	Cegoqlof.exe
2524	Cgfkmgnj.exe
2404	Dpapaj32.exe

Loads dropped DLL 55 IoCs

pid	Process
2500	5ab6d62d7d30c2253402d0b3f55f5cb0N.exe
2500	5ab6d62d7d30c2253402d0b3f55f5cb0N.exe
1736	Jkhejkcq.exe
1736	Jkhejkcq.exe
348	Jmhnkfpa.exe
348	Jmhnkfpa.exe
2280	Jajcdjca.exe
2280	Jajcdjca.exe
2764	Kkgahoel.exe
2764	Kkgahoel.exe
2844	Kdbbgdjj.exe
2844	Kdbbgdjj.exe
2624	Lhiakf32.exe
2624	Lhiakf32.exe
2456	Lkgngb32.exe
2456	Lkgngb32.exe
2948	Nbmaon32.exe
2948	Nbmaon32.exe
2920	Opglafab.exe
2920	Opglafab.exe
1332	Bmlael32.exe
1332	Bmlael32.exe
2508	Bffbdadk.exe
2508	Bffbdadk.exe
1504	Bqlfaj32.exe
1504	Bqlfaj32.exe
828	Bfioia32.exe
828	Bfioia32.exe
2576	Bmbgfkje.exe
2576	Bmbgfkje.exe
912	Ccmpce32.exe
912	Ccmpce32.exe
1420	Ckhdggom.exe
1420	Ckhdggom.exe
2272	Cbblda32.exe
2272	Cbblda32.exe
2288	Cgoelh32.exe
2288	Cgoelh32.exe
1516	Cpfmmf32.exe
1516	Cpfmmf32.exe
2208	Cinafkkd.exe
2208	Cinafkkd.exe
2312	Cnkjnb32.exe
2312	Cnkjnb32.exe
1932	Caifjn32.exe
1932	Caifjn32.exe
684	Cgcnghpl.exe
684	Cgcnghpl.exe
888	Cegoqlof.exe
888	Cegoqlof.exe
2524	Cgfkmgnj.exe
2524	Cgfkmgnj.exe
1936	WerFault.exe
1936	WerFault.exe
1936	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ckhdggom.exe	Ccmpce32.exe
File opened for modification	C:\Windows\SysWOW64\Cinafkkd.exe	Cpfmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Bqlfaj32.exe	Bffbdadk.exe
File created	C:\Windows\SysWOW64\Bfioia32.exe	Bqlfaj32.exe
File created	C:\Windows\SysWOW64\Ajaclncd.dll	Ccmpce32.exe
File opened for modification	C:\Windows\SysWOW64\Cgoelh32.exe	Cbblda32.exe
File created	C:\Windows\SysWOW64\Eepejpil.dll	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Onaiomjo.dll	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Jmhnkfpa.exe	Jkhejkcq.exe
File created	C:\Windows\SysWOW64\Eoepingi.dll	Jajcdjca.exe
File created	C:\Windows\SysWOW64\Llechb32.dll	Kdbbgdjj.exe
File opened for modification	C:\Windows\SysWOW64\Cnkjnb32.exe	Cinafkkd.exe
File opened for modification	C:\Windows\SysWOW64\Lhiakf32.exe	Kdbbgdjj.exe
File created	C:\Windows\SysWOW64\Bngpjpqe.dll	Opglafab.exe
File created	C:\Windows\SysWOW64\Lloeec32.dll	Bqlfaj32.exe
File created	C:\Windows\SysWOW64\Cpmahlfd.dll	Cegoqlof.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Hfiocpon.dll	Nbmaon32.exe
File created	C:\Windows\SysWOW64\Bmlael32.exe	Opglafab.exe
File created	C:\Windows\SysWOW64\Bffbdadk.exe	Bmlael32.exe
File created	C:\Windows\SysWOW64\Fchook32.dll	Bmbgfkje.exe
File created	C:\Windows\SysWOW64\Ednoihel.dll	Ckhdggom.exe
File opened for modification	C:\Windows\SysWOW64\Cgcnghpl.exe	Caifjn32.exe
File opened for modification	C:\Windows\SysWOW64\Jkhejkcq.exe	5ab6d62d7d30c2253402d0b3f55f5cb0N.exe
File created	C:\Windows\SysWOW64\Lkgngb32.exe	Lhiakf32.exe
File opened for modification	C:\Windows\SysWOW64\Bmlael32.exe	Opglafab.exe
File opened for modification	C:\Windows\SysWOW64\Cbblda32.exe	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Iofjqboi.dll	5ab6d62d7d30c2253402d0b3f55f5cb0N.exe
File created	C:\Windows\SysWOW64\Ohbamn32.dll	Jmhnkfpa.exe
File created	C:\Windows\SysWOW64\Qpceaipi.dll	Lhiakf32.exe
File created	C:\Windows\SysWOW64\Bmbgfkje.exe	Bfioia32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbgfkje.exe	Bfioia32.exe
File created	C:\Windows\SysWOW64\Ckhdggom.exe	Ccmpce32.exe
File opened for modification	C:\Windows\SysWOW64\Cpfmmf32.exe	Cgoelh32.exe
File created	C:\Windows\SysWOW64\Nloone32.dll	Cgcnghpl.exe
File opened for modification	C:\Windows\SysWOW64\Cgfkmgnj.exe	Cegoqlof.exe
File created	C:\Windows\SysWOW64\Jajcdjca.exe	Jmhnkfpa.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Cgfkmgnj.exe
File created	C:\Windows\SysWOW64\Jkhejkcq.exe	5ab6d62d7d30c2253402d0b3f55f5cb0N.exe
File created	C:\Windows\SysWOW64\Kkgahoel.exe	Jajcdjca.exe
File opened for modification	C:\Windows\SysWOW64\Kkgahoel.exe	Jajcdjca.exe
File opened for modification	C:\Windows\SysWOW64\Kdbbgdjj.exe	Kkgahoel.exe
File opened for modification	C:\Windows\SysWOW64\Bffbdadk.exe	Bmlael32.exe
File created	C:\Windows\SysWOW64\Cpfmmf32.exe	Cgoelh32.exe
File opened for modification	C:\Windows\SysWOW64\Cegoqlof.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\Cgfkmgnj.exe	Cegoqlof.exe
File opened for modification	C:\Windows\SysWOW64\Jmhnkfpa.exe	Jkhejkcq.exe
File created	C:\Windows\SysWOW64\Cgcnghpl.exe	Caifjn32.exe
File created	C:\Windows\SysWOW64\Omakjj32.dll	Caifjn32.exe
File opened for modification	C:\Windows\SysWOW64\Lkgngb32.exe	Lhiakf32.exe
File opened for modification	C:\Windows\SysWOW64\Nbmaon32.exe	Lkgngb32.exe
File created	C:\Windows\SysWOW64\Bqlfaj32.exe	Bffbdadk.exe
File created	C:\Windows\SysWOW64\Cnkjnb32.exe	Cinafkkd.exe
File opened for modification	C:\Windows\SysWOW64\Opglafab.exe	Nbmaon32.exe
File created	C:\Windows\SysWOW64\Cgoelh32.exe	Cbblda32.exe
File opened for modification	C:\Windows\SysWOW64\Ccmpce32.exe	Bmbgfkje.exe
File created	C:\Windows\SysWOW64\Caifjn32.exe	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\Caifjn32.exe	Cnkjnb32.exe
File created	C:\Windows\SysWOW64\Cegoqlof.exe	Cgcnghpl.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Moohhbcf.dll	Lkgngb32.exe
File created	C:\Windows\SysWOW64\Alecllfh.dll	Bmlael32.exe
File created	C:\Windows\SysWOW64\Gbnbjo32.dll	Bffbdadk.exe
File opened for modification	C:\Windows\SysWOW64\Bfioia32.exe	Bqlfaj32.exe

Program crash 1 IoCs

pid	pid_target	Process
1936	2404	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmahlfd.dll"	Cegoqlof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jmhnkfpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnia32.dll"	Bfioia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgoelh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bngpjpqe.dll"	Opglafab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liempneg.dll"	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgfkmgnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	5ab6d62d7d30c2253402d0b3f55f5cb0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	5ab6d62d7d30c2253402d0b3f55f5cb0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jkhejkcq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Opglafab.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lloeec32.dll"	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onaiomjo.dll"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alecllfh.dll"	Bmlael32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfioia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbamn32.dll"	Jmhnkfpa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lhiakf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nbmaon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cgfkmgnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdbbgdjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Lhiakf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccmpce32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	5ab6d62d7d30c2253402d0b3f55f5cb0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iofjqboi.dll"	5ab6d62d7d30c2253402d0b3f55f5cb0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jajcdjca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpceaipi.dll"	Lhiakf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbblda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cgcnghpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegoqlof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kdbbgdjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbblda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moohhbcf.dll"	Lkgngb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfioia32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbnbjo32.dll"	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jajcdjca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Lkgngb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmlael32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opglafab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffbdadk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fchook32.dll"	Bmbgfkje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nefamd32.dll"	Cgoelh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	5ab6d62d7d30c2253402d0b3f55f5cb0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jkhejkcq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kkgahoel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejloak32.dll"	Jkhejkcq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kkgahoel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfiocpon.dll"	Nbmaon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caifjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloone32.dll"	Cgcnghpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoepingi.dll"	Jajcdjca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmlael32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfmmf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 1736	2500	5ab6d62d7d30c2253402d0b3f55f5cb0N.exe	30
PID 2500 wrote to memory of 1736	2500	5ab6d62d7d30c2253402d0b3f55f5cb0N.exe	30
PID 2500 wrote to memory of 1736	2500	5ab6d62d7d30c2253402d0b3f55f5cb0N.exe	30
PID 2500 wrote to memory of 1736	2500	5ab6d62d7d30c2253402d0b3f55f5cb0N.exe	30
PID 1736 wrote to memory of 348	1736	Jkhejkcq.exe	31
PID 1736 wrote to memory of 348	1736	Jkhejkcq.exe	31
PID 1736 wrote to memory of 348	1736	Jkhejkcq.exe	31
PID 1736 wrote to memory of 348	1736	Jkhejkcq.exe	31
PID 348 wrote to memory of 2280	348	Jmhnkfpa.exe	32
PID 348 wrote to memory of 2280	348	Jmhnkfpa.exe	32
PID 348 wrote to memory of 2280	348	Jmhnkfpa.exe	32
PID 348 wrote to memory of 2280	348	Jmhnkfpa.exe	32
PID 2280 wrote to memory of 2764	2280	Jajcdjca.exe	34
PID 2280 wrote to memory of 2764	2280	Jajcdjca.exe	34
PID 2280 wrote to memory of 2764	2280	Jajcdjca.exe	34
PID 2280 wrote to memory of 2764	2280	Jajcdjca.exe	34
PID 2764 wrote to memory of 2844	2764	Kkgahoel.exe	35
PID 2764 wrote to memory of 2844	2764	Kkgahoel.exe	35
PID 2764 wrote to memory of 2844	2764	Kkgahoel.exe	35
PID 2764 wrote to memory of 2844	2764	Kkgahoel.exe	35
PID 2844 wrote to memory of 2624	2844	Kdbbgdjj.exe	36
PID 2844 wrote to memory of 2624	2844	Kdbbgdjj.exe	36
PID 2844 wrote to memory of 2624	2844	Kdbbgdjj.exe	36
PID 2844 wrote to memory of 2624	2844	Kdbbgdjj.exe	36
PID 2624 wrote to memory of 2456	2624	Lhiakf32.exe	37
PID 2624 wrote to memory of 2456	2624	Lhiakf32.exe	37
PID 2624 wrote to memory of 2456	2624	Lhiakf32.exe	37
PID 2624 wrote to memory of 2456	2624	Lhiakf32.exe	37
PID 2456 wrote to memory of 2948	2456	Lkgngb32.exe	38
PID 2456 wrote to memory of 2948	2456	Lkgngb32.exe	38
PID 2456 wrote to memory of 2948	2456	Lkgngb32.exe	38
PID 2456 wrote to memory of 2948	2456	Lkgngb32.exe	38
PID 2948 wrote to memory of 2920	2948	Nbmaon32.exe	39
PID 2948 wrote to memory of 2920	2948	Nbmaon32.exe	39
PID 2948 wrote to memory of 2920	2948	Nbmaon32.exe	39
PID 2948 wrote to memory of 2920	2948	Nbmaon32.exe	39
PID 2920 wrote to memory of 1332	2920	Opglafab.exe	40
PID 2920 wrote to memory of 1332	2920	Opglafab.exe	40
PID 2920 wrote to memory of 1332	2920	Opglafab.exe	40
PID 2920 wrote to memory of 1332	2920	Opglafab.exe	40
PID 1332 wrote to memory of 2508	1332	Bmlael32.exe	41
PID 1332 wrote to memory of 2508	1332	Bmlael32.exe	41
PID 1332 wrote to memory of 2508	1332	Bmlael32.exe	41
PID 1332 wrote to memory of 2508	1332	Bmlael32.exe	41
PID 2508 wrote to memory of 1504	2508	Bffbdadk.exe	42
PID 2508 wrote to memory of 1504	2508	Bffbdadk.exe	42
PID 2508 wrote to memory of 1504	2508	Bffbdadk.exe	42
PID 2508 wrote to memory of 1504	2508	Bffbdadk.exe	42
PID 1504 wrote to memory of 828	1504	Bqlfaj32.exe	43
PID 1504 wrote to memory of 828	1504	Bqlfaj32.exe	43
PID 1504 wrote to memory of 828	1504	Bqlfaj32.exe	43
PID 1504 wrote to memory of 828	1504	Bqlfaj32.exe	43
PID 828 wrote to memory of 2576	828	Bfioia32.exe	44
PID 828 wrote to memory of 2576	828	Bfioia32.exe	44
PID 828 wrote to memory of 2576	828	Bfioia32.exe	44
PID 828 wrote to memory of 2576	828	Bfioia32.exe	44
PID 2576 wrote to memory of 912	2576	Bmbgfkje.exe	45
PID 2576 wrote to memory of 912	2576	Bmbgfkje.exe	45
PID 2576 wrote to memory of 912	2576	Bmbgfkje.exe	45
PID 2576 wrote to memory of 912	2576	Bmbgfkje.exe	45
PID 912 wrote to memory of 1420	912	Ccmpce32.exe	46
PID 912 wrote to memory of 1420	912	Ccmpce32.exe	46
PID 912 wrote to memory of 1420	912	Ccmpce32.exe	46
PID 912 wrote to memory of 1420	912	Ccmpce32.exe	46

C:\Users\Admin\AppData\Local\Temp\5ab6d62d7d30c2253402d0b3f55f5cb0N.exe
"C:\Users\Admin\AppData\Local\Temp\5ab6d62d7d30c2253402d0b3f55f5cb0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Windows\SysWOW64\Jkhejkcq.exe
  C:\Windows\system32\Jkhejkcq.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Windows\SysWOW64\Jmhnkfpa.exe
    C:\Windows\system32\Jmhnkfpa.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:348
  - - C:\Windows\SysWOW64\Jajcdjca.exe
      C:\Windows\system32\Jajcdjca.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2280
    - - C:\Windows\SysWOW64\Kkgahoel.exe
        
        C:\Windows\system32\Kkgahoel.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2764
      - C:\Windows\SysWOW64\Kdbbgdjj.exe
        
        C:\Windows\system32\Kdbbgdjj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\Lhiakf32.exe
        
        C:\Windows\system32\Lhiakf32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\SysWOW64\Lkgngb32.exe
        
        C:\Windows\system32\Lkgngb32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2456
        
        C:\Windows\SysWOW64\Nbmaon32.exe
        
        C:\Windows\system32\Nbmaon32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\Opglafab.exe
        
        C:\Windows\system32\Opglafab.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Bmlael32.exe
        
        C:\Windows\system32\Bmlael32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\SysWOW64\Bffbdadk.exe
        
        C:\Windows\system32\Bffbdadk.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\Bqlfaj32.exe
        
        C:\Windows\system32\Bqlfaj32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\Bfioia32.exe
        
        C:\Windows\system32\Bfioia32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:828
        
        C:\Windows\SysWOW64\Bmbgfkje.exe
        
        C:\Windows\system32\Bmbgfkje.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\Ccmpce32.exe
        
        C:\Windows\system32\Ccmpce32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:912
        
        C:\Windows\SysWOW64\Ckhdggom.exe
        
        C:\Windows\system32\Ckhdggom.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1420
        
        C:\Windows\SysWOW64\Cbblda32.exe
        
        C:\Windows\system32\Cbblda32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Cgoelh32.exe
        
        C:\Windows\system32\Cgoelh32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2288
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\Caifjn32.exe
        
        C:\Windows\system32\Caifjn32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1932
        
        C:\Windows\SysWOW64\Cgcnghpl.exe
        
        C:\Windows\system32\Cgcnghpl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:684
        
        C:\Windows\SysWOW64\Cegoqlof.exe
        
        C:\Windows\system32\Cegoqlof.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:888
        
        C:\Windows\SysWOW64\Cgfkmgnj.exe
        
        C:\Windows\system32\Cgfkmgnj.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2404 -s 144
        28⤵
        Loads dropped DLL
        Program crash
        
        PID:1936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bffbdadk.exe

Filesize
8.3MB

MD5
ff51dfd120fd63837ec817e863ed573b

SHA1
8c9fe890ab56ef52e6f17101a645251b4a4b62e3

SHA256
a4da052d7a7432c94b5be3863baf267a75e457d966b042fdc696a52be33489f9

SHA512
d263961a5103c737e33f947ffa4b153eea08fe0aadd835187d943940f628782b3bc5a5b28aae76a86f77ac553fb45111351e6e39d016ebf6fdb4a60ab7e43b8e

Download Submit
C:\Windows\SysWOW64\Bfioia32.exe

Filesize
8.3MB

MD5
d82fa60866c1ea7e871d4aa8a5cf1792

SHA1
cfb777a527b2aef6a6f63999edcfa6e784e6e8c5

SHA256
0a3190543f7f96627eb318c09dbe6ba2a0f8c0719802f1f943a0eb60275f04ea

SHA512
b3272ef6a06db7139b6e3fd4ba88eeb704dd23560b6e12eb645ea820d3560f94973161d64fb9c7825337bbb57ca0c4f4df269dfd11cb2c1e204ce32c20678207

Download Submit
C:\Windows\SysWOW64\Bmbgfkje.exe

Filesize
8.3MB

MD5
e0911956870cf114493c2bcae91b5b17

SHA1
85ec200b5ea51ca4db91f66441e29fbae7a19ca0

SHA256
db35f25705bdad0b777796e5232735943c9b0217b2be9d6fe773592c456eba92

SHA512
487402db6d0e81825f62aa595eaa063d4e207c897e53f95f276bc006542558cda30e930c056ae501c7d48b68b80ba5b577b28e2f29805bbd4f3c141a69b9ebee

Download Submit
C:\Windows\SysWOW64\Bmlael32.exe

Filesize
8.3MB

MD5
6482201ebec3d2891da61f7880fac8bc

SHA1
1d8f0bbdb31e26f63504bceee8343d4c0f2cfcd3

SHA256
9e688cc91b86c5212623a4bb0debfc4cab777f1ea64ef7ccfce5a9bc3489e06f

SHA512
58014f05d902130e8d35152f1b4282ec2b2a178b63976bb15a7b8caf11bebc17a1285843251f7a33b02af6e0676818d2256b9eb33575748909eedc143c13ae81

Download Submit
C:\Windows\SysWOW64\Bqlfaj32.exe

Filesize
8.3MB

MD5
a503d030d841ebaa75643d6e9f3a56d9

SHA1
0f8ef280375e69825887102b279f361083317b03

SHA256
8933cdde1378f3dfeacad1b577b60366eb4bff2d3271e85b8e7f245ef28d3550

SHA512
e4895f0e43fe31e7031ec46da6e0aa846e7007e69d316d02e6d3f4a7df7b597aff3cb67f98268f011b2e38503f9ec95941753f41566ac082a24db6cf095c393c

Download Submit
C:\Windows\SysWOW64\Caifjn32.exe

Filesize
8.3MB

MD5
9dd305395b12cf0873c4bbcc9f94f6e3

SHA1
54ff05992ec051a37cd1d53f29d4073f10b16667

SHA256
e58f0477208857ae1e1589da985646e558d22872dc2385728ce07b4e1d88114d

SHA512
94ef3e2018c2a7fce0e8c4d024d011572fd4a5baa0b100ad3254700a8dae69b916f2721252e660f34e7195a5207b12d4167ed45ebaf524108c7aa4ec6e562856

Download Submit
C:\Windows\SysWOW64\Cbblda32.exe

Filesize
8.3MB

MD5
497d90636027ed573ad0c6e80d835199

SHA1
622fd7079f5ed99b763233d829c6f6d66bee09d8

SHA256
214ebdbe3bff907d4e4bae82de0922929c4a6674cf69c707111a2db31f051cf3

SHA512
4987cb1a5dd389c979ec593aca13bfb7ffd5fd85166f4a3d57c838b4f62ce6053634a876e1b11b794f336c960f2945d78ce630df54c52f4ccaa2727152aae160

Download Submit
C:\Windows\SysWOW64\Ccmpce32.exe

Filesize
8.3MB

MD5
d55103c6b1c4a200d7fc6504d0a3d128

SHA1
7843a7960cf590e2386f8376db90981e26bdf701

SHA256
b3c26d4a895681739983afc67a9ad52b244fb0ff0b51145c0e1926dfbff380ef

SHA512
e6c032e5cb2352f13316ded9958601adf20462c3c40f208abe4d6f34c436c95b998371c7c01d4b11cdd8adaf38de6a90bd517d6cc7a1d43d156be7ef214cb57e

Download Submit
C:\Windows\SysWOW64\Cegoqlof.exe

Filesize
8.3MB

MD5
acf28d7b7f61c85d2b7f0110b16321b8

SHA1
4cd480e65743f771b3e2632cf5d2b23c5d311410

SHA256
53d0d36459e10ce98aa9378d33b6f9a67cde868ef75a9bfe3117b3cf5e6da0ac

SHA512
ecdeb7f473645314e23c5124b639b78de7517cdebf5782712905f05f36d85fba36f372a6cf854734308fd50a7cf650af87a13c5b066ba8c78fb3a8b75f4fd248

Download Submit
C:\Windows\SysWOW64\Cgcnghpl.exe

Filesize
8.3MB

MD5
0f0d7b69b9fe697bddd10859aa39a5f9

SHA1
e1c831de67cc56b888c8a109d477f0ba5cd42975

SHA256
520476cdf32e49acac2f3ff227c0999f2289eb1f5ca74ef47d1dabb79479d504

SHA512
3e2c98bfa09601ab27a51848e1ccbada9a04c66496b9e05a11e73ad9086dc2617fc6c9821e7cb3e3bb8acd87a3d1fd6a55cc8ff779ecaf4377ebaeca84c61fbc

Download Submit
C:\Windows\SysWOW64\Cgfkmgnj.exe

Filesize
8.3MB

MD5
ed258259de2085d7fc8ade742671f9d1

SHA1
d2767c3ba71d9184b84765595d5536bea9632211

SHA256
f47f7354c2a7ebc1d6fcac44eaee44c1790684a97862ca1cf4dbf9a9757b9d33

SHA512
6cf9c90838afd361d92a5b62075ecc3b054bdf9a09e8f6d8e5575ed77e1560db46e36e1d65c2e6af9d1ffaa4c6cc947e7e1660727798f1501fb363d6bfd6e866

Download Submit
C:\Windows\SysWOW64\Cgoelh32.exe

Filesize
8.3MB

MD5
45d23147c90b980e0911715d0a937fef

SHA1
0bb6add2f1699272c4d1dfcc6f64f2170a8ec7cc

SHA256
d7c75a5651a45a0d724071bc1f3b62b0141a980fbbbee312a32ebedb2cd9c2a3

SHA512
91709d3a69cd9d3e6055610896a4e9fedfa7eb4423d3911606a2923e2394f31ec673f4a8776187aec9fbbd7f0179ef90002acaf40ad9a5518882d919b3e0ac43

Download Submit
C:\Windows\SysWOW64\Cinafkkd.exe

Filesize
8.3MB

MD5
b8d975ee8f3630577babf89e3913ffd3

SHA1
f82546e988c4bb915ce73f49f4e52759f12e5111

SHA256
166a55a50e6d678cf35203fdd7e5cd98e02a205cf7a220a9c5eb8931b9581d00

SHA512
e05963b9e7e59f7c962b1098dbdab4878c99edd300765c7c5db8adfe5ffb37b5184fa176fe5896cc98a0368d95c64f2db3be28781ece12bd28b16d735fe11624

Download Submit
C:\Windows\SysWOW64\Ckhdggom.exe

Filesize
8.3MB

MD5
94e425fbe578657a3de0f593199c7e4c

SHA1
b7bf94e7f30d2af865c11c8844d7e266af89170e

SHA256
d3f92b2ea46e1f06fb0d6df13a21199449f82a32c6e40996fbac8321a8967b4e

SHA512
efd0610fecd3356623f77b839fc0b5cf66c133a61799b7750917ea59905c5d31a3ce8678279f7c5e0ee48fe4375d45f410c665d893a7daf210f2f2abfc2e92d9

Download Submit
C:\Windows\SysWOW64\Cnkjnb32.exe

Filesize
8.3MB

MD5
56bdde67deecde8c42ec8602cc3fc596

SHA1
24ded05b77c45152dea182e2d3e26e07cd141fa3

SHA256
38f2bfb61f4b3de49dc0e4ac6d884f4c234c22f684cb59c686b95f3f48ca35ec

SHA512
0a77c172c4af4bbcb0c30c77f5eba55f96f56aac57a29e2717323b5683ef79eec9102cbe283de052f2d51269c79cc285f0bf22c3a3954502bc2de62d02ed28e0

Download Submit
C:\Windows\SysWOW64\Cpfmmf32.exe

Filesize
8.3MB

MD5
eee546e83445a74fec4efe2f984220c0

SHA1
2cbf5fba5875afc1d6580fb542e5e723904c1775

SHA256
ff5cba6eecfec4c32faa83724be13ae5306ecb88cd8caf07118c0c01b57ab4a0

SHA512
ae14c26801b97234a8f28c9648aaa976350b8fa0ce228af8bee8ad1e885dce87e8ec291d897bd6cf4c0a7bc4940c3f127fd2d9e41f55aecad747cd2841beabef

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
8.3MB

MD5
9302ea35f9e3e2ee2e66f2008539ba82

SHA1
372a003d2195e4fab4d5b56dd2301b9d7454f7e7

SHA256
848e9b1d84a805c0396bcc8daa88da2c7d622d8d3f3597a4284856ccde3dca03

SHA512
047b6dc819cf5ed0b9757846ec7a9d09041a170b9198d3e41043b0952964592ec1638fa76844da2625c00240fc98698d48faf2aca19b68a8194b74e35760bdde

Download Submit
C:\Windows\SysWOW64\Jajcdjca.exe

Filesize
8.3MB

MD5
9368e833a03c6616728cf7f8db3d822d

SHA1
b5fe268417553aa2516e25f601026ba869c9dde2

SHA256
4171c62721442b2f71d3c74924c1fd6d16535677cc89e786084f465c0ff480a9

SHA512
e759e299a5065660a79434cf25e6f0db89c47da152ac29d913916d4340327bc2daddc005017369d8cd2b6be74122fa9a195244678eb47d65e5e853659984c73a

Download Submit
C:\Windows\SysWOW64\Jkhejkcq.exe

Filesize
8.3MB

MD5
7ac286b443e9ccebcb51d389bfdacac6

SHA1
6704a7d987cde7be0a3dc5145021d1b89da904a7

SHA256
5da6560d45a759509ff8d2b8a6100b8d6c0d463863fbea09ff637e797962ee9a

SHA512
903491d884f6d33046b602c36e36149d270834003490373ed8c0dbbe15e5184c69163268ab4cba737812a912da6fa02342c8f8f2386dfc23aad46a5f63344ad4

Download Submit
C:\Windows\SysWOW64\Kdbbgdjj.exe

Filesize
8.3MB

MD5
f4b3d2dc57f8f7fbeeed15fad15cf5de

SHA1
f82e3b67a4d6ce0acfa13e8cbe0b9bcb81837946

SHA256
f7699ecf8c6bf58c9a2b637c9a7d596bf12796f9c0a2247a59c4954ce2dbac58

SHA512
153b869f8475156369dc1ca4ed8b15a594ca4accbf8930f0a7beb1bfac0ab9e46422dc559bd9ff030752df822c4b8c2e45ac708bd46483bff2bde757fa65f47f

Download Submit
C:\Windows\SysWOW64\Lkgngb32.exe

Filesize
8.3MB

MD5
c158304fd4fae9a3e66489085bece956

SHA1
fb36fa07debb23de78af11affba3bbcc616e1c2a

SHA256
8c13e075cde25b2bd4317327861957526cbff515fe41fac96f1df59b2049dff1

SHA512
12d994bade3122f15cfecb9302e5aa2f46be1b3118d6293cd1e32e6e3252539a77ce31217a169b4e1d269dd39e6e52f1dbd4dacc0201b116d76a42d34dd55509

Download Submit
C:\Windows\SysWOW64\Nbmaon32.exe

Filesize
8.3MB

MD5
01600ee95e856dc3a0206d3a269a5f17

SHA1
34ba2508cac882ca2fd58011ab38e2bf09a426ef

SHA256
c672002bf57bd40ca014c0f405282355a0dc937748f97b4a0dbd5168793172ce

SHA512
e6ed641b2e2e6841fc455e48c7de65169a43534d4dd8876a03d844b5b87494390b8f17d71a98cb0842e3657a50f5e86ed46dd40a55938dba94ff9ebf3c4884be

Download Submit
\Windows\SysWOW64\Jmhnkfpa.exe

Filesize
8.3MB

MD5
83959a369b01de5a12a2c755d46c9729

SHA1
eac3c29f81f6b0ca0dc76a7bd8e5d06a8f40cf3b

SHA256
4bd3054eee8aa77002707d9ec8579c878d654e3932eb410788ca3c7406f46295

SHA512
63dd5f5b123dc584047a6cc1697677740387d48a28a4bb5297083e277a50c518f42586e55d0afbb6f75ec79a2aecc762f069a01ef6f6d1fc903c67c31969e9ec

Download Submit
\Windows\SysWOW64\Kkgahoel.exe

Filesize
8.3MB

MD5
0e6f97f50ab8528b135120a603157498

SHA1
eaf6f01e5a6bedce2cf1a88b8d900a8b9bbc2abb

SHA256
33c56e57abeca0507cdb6de9cf922c6ab893ab27bef95cf0cd0506507b497eeb

SHA512
87781c0cab7bc10ae7a0273afd66baca3f0036a175dbab6cd42c7b7bac7da9d7e3d1a1a9c59fe8db69403d7c0155dfccc6ab36c80cc42c5f8d19078087f74bba

Download Submit
\Windows\SysWOW64\Lhiakf32.exe

Filesize
8.3MB

MD5
8116644d956ff7385b0b7cdd95dde85f

SHA1
9c3f35c848e26ab32e36139a6f9e3f705554abd6

SHA256
9f0f827c42700bc08e868c1ea708fe329b26d7133fdcafa023421bb539ccde8a

SHA512
1157c3cab20521669f90e2938eec96316b77816c010500ab029b30c5c9107106451315d1a4d5a98b319d74d02aa6d32e929c7bd0f4a959839df27b77273ab0d8

Download Submit
\Windows\SysWOW64\Opglafab.exe

Filesize
8.3MB

MD5
ac90dce5d188317369c062462026459e

SHA1
d81c87f4d674bec319c42c2861d1902834dbefa9

SHA256
3f3f0772678e57eb70f8fd21c49c370e14cb14c693a035420b5637aa4f9d2739

SHA512
3ef6676052d5507953ec32f1abd05ffac6dd0757d8dec62753f168dd5921289f46cf659863a4e71bd1f43766ca5b300996cb06b5aad9234cb562b1ce8ab2869f

Download Submit
memory/348-327-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/348-41-0x0000000000250000-0x0000000000281000-memory.dmp

Filesize
196KB

Download
memory/684-294-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/684-299-0x0000000000260000-0x0000000000291000-memory.dmp

Filesize
196KB

Download
memory/684-348-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/684-300-0x0000000000260000-0x0000000000291000-memory.dmp

Filesize
196KB

Download
memory/828-338-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/828-178-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/888-301-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/888-349-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/888-315-0x00000000002E0000-0x0000000000311000-memory.dmp

Filesize
196KB

Download
memory/888-314-0x00000000002E0000-0x0000000000311000-memory.dmp

Filesize
196KB

Download
memory/912-208-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1332-335-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1332-139-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1420-234-0x0000000000270000-0x00000000002A1000-memory.dmp

Filesize
196KB

Download
memory/1420-221-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1420-235-0x0000000000270000-0x00000000002A1000-memory.dmp

Filesize
196KB

Download
memory/1504-165-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1504-337-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1516-265-0x00000000005D0000-0x0000000000601000-memory.dmp

Filesize
196KB

Download
memory/1516-252-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1736-28-0x0000000000250000-0x0000000000281000-memory.dmp

Filesize
196KB

Download
memory/1736-14-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1736-27-0x0000000000250000-0x0000000000281000-memory.dmp

Filesize
196KB

Download
memory/1736-326-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1932-292-0x0000000000440000-0x0000000000471000-memory.dmp

Filesize
196KB

Download
memory/1932-283-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1932-347-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2208-269-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2208-270-0x0000000000250000-0x0000000000281000-memory.dmp

Filesize
196KB

Download
memory/2208-272-0x0000000000250000-0x0000000000281000-memory.dmp

Filesize
196KB

Download
memory/2272-236-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2280-43-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2280-328-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2288-240-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2288-343-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2288-251-0x0000000000260000-0x0000000000291000-memory.dmp

Filesize
196KB

Download
memory/2288-250-0x0000000000260000-0x0000000000291000-memory.dmp

Filesize
196KB

Download
memory/2312-278-0x0000000000440000-0x0000000000471000-memory.dmp

Filesize
196KB

Download
memory/2312-279-0x0000000000440000-0x0000000000471000-memory.dmp

Filesize
196KB

Download
memory/2312-273-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2404-351-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2404-322-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2456-102-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2500-325-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2500-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2500-12-0x0000000000310000-0x0000000000341000-memory.dmp

Filesize
196KB

Download
memory/2500-11-0x0000000000310000-0x0000000000341000-memory.dmp

Filesize
196KB

Download
memory/2508-156-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2524-316-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2524-321-0x0000000000250000-0x0000000000281000-memory.dmp

Filesize
196KB

Download
memory/2576-194-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2576-339-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2624-91-0x0000000001F70000-0x0000000001FA1000-memory.dmp

Filesize
196KB

Download
memory/2624-331-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2624-83-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2764-329-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2764-55-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2844-68-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2844-82-0x00000000002D0000-0x0000000000301000-memory.dmp

Filesize
196KB

Download
memory/2844-81-0x00000000002D0000-0x0000000000301000-memory.dmp

Filesize
196KB

Download
memory/2844-330-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2920-334-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2920-129-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2948-110-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2948-117-0x0000000000250000-0x0000000000281000-memory.dmp

Filesize
196KB

Download
memory/2948-333-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2948-128-0x0000000000250000-0x0000000000281000-memory.dmp

Filesize
196KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads