fe2ab02be6049f875299f0475e20b2c25718d4fd1862cfb664885472c732e00d

Analysis

max time kernel
119s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
27/07/2024, 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae398a6e0f8b33429da932c1c21805b0N.exe
Size

576KB
MD5

ae398a6e0f8b33429da932c1c21805b0
SHA1

9267f2d741f18d7ff407bc7d7350b946d171593d
SHA256

fe2ab02be6049f875299f0475e20b2c25718d4fd1862cfb664885472c732e00d
SHA512

772369f22478fc07407b7e7e4b7b8fd1972a60686c2b82769f46e56c8407e47e69ce3ee34aebeed0f552e288492836ae611877b18cb61469a8198fbe3c4ce106
SSDEEP

12288:J6k0UGyXu1jGG1wsGeBgRTGAzciETdqvZNemWrsiLk6mqgSgRDO:HGyXsGG1wsLUT3IipX6

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 46 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afdiondb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calcpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pidfdofi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qlgkki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqbdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ccjoli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pkoicb32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pkoicb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pofkha32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accqnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Akfkbd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bceibfgj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Padhdm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqbdkk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmmf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afdiondb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	ae398a6e0f8b33429da932c1c21805b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Padhdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Accqnc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akfkbd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calcpm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ae398a6e0f8b33429da932c1c21805b0N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qppkfhlc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qppkfhlc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qlgkki32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Alnalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgllgedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Pidfdofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Alnalh32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgllgedi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pofkha32.exe

Executes dropped EXE 23 IoCs

pid	Process
1452	Pofkha32.exe
2960	Padhdm32.exe
2744	Pkoicb32.exe
2976	Pidfdofi.exe
2912	Qppkfhlc.exe
1052	Qlgkki32.exe
2672	Accqnc32.exe
372	Afdiondb.exe
1820	Alnalh32.exe
2508	Akfkbd32.exe
2268	Aqbdkk32.exe
3028	Bgllgedi.exe
768	Bceibfgj.exe
2152	Bjdkjpkb.exe
2792	Ckhdggom.exe
1784	Cpfmmf32.exe
1748	Cnkjnb32.exe
1800	Cbffoabe.exe
1780	Cchbgi32.exe
2380	Calcpm32.exe
2320	Ccjoli32.exe
992	Dmbcen32.exe
2260	Dpapaj32.exe

Loads dropped DLL 49 IoCs

pid	Process
816	ae398a6e0f8b33429da932c1c21805b0N.exe
816	ae398a6e0f8b33429da932c1c21805b0N.exe
1452	Pofkha32.exe
1452	Pofkha32.exe
2960	Padhdm32.exe
2960	Padhdm32.exe
2744	Pkoicb32.exe
2744	Pkoicb32.exe
2976	Pidfdofi.exe
2976	Pidfdofi.exe
2912	Qppkfhlc.exe
2912	Qppkfhlc.exe
1052	Qlgkki32.exe
1052	Qlgkki32.exe
2672	Accqnc32.exe
2672	Accqnc32.exe
372	Afdiondb.exe
372	Afdiondb.exe
1820	Alnalh32.exe
1820	Alnalh32.exe
2508	Akfkbd32.exe
2508	Akfkbd32.exe
2268	Aqbdkk32.exe
2268	Aqbdkk32.exe
3028	Bgllgedi.exe
3028	Bgllgedi.exe
768	Bceibfgj.exe
768	Bceibfgj.exe
2152	Bjdkjpkb.exe
2152	Bjdkjpkb.exe
2792	Ckhdggom.exe
2792	Ckhdggom.exe
1784	Cpfmmf32.exe
1784	Cpfmmf32.exe
1748	Cnkjnb32.exe
1748	Cnkjnb32.exe
1800	Cbffoabe.exe
1800	Cbffoabe.exe
1780	Cchbgi32.exe
1780	Cchbgi32.exe
2380	Calcpm32.exe
2380	Calcpm32.exe
2320	Ccjoli32.exe
2320	Ccjoli32.exe
992	Dmbcen32.exe
992	Dmbcen32.exe
2332	WerFault.exe
2332	WerFault.exe
2332	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bgllgedi.exe	Aqbdkk32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Pofkha32.exe	ae398a6e0f8b33429da932c1c21805b0N.exe
File created	C:\Windows\SysWOW64\Akfkbd32.exe	Alnalh32.exe
File created	C:\Windows\SysWOW64\Akkggpci.dll	Bgllgedi.exe
File opened for modification	C:\Windows\SysWOW64\Ckhdggom.exe	Bjdkjpkb.exe
File opened for modification	C:\Windows\SysWOW64\Cpfmmf32.exe	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Cchbgi32.exe	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Acnenl32.dll	Cbffoabe.exe
File created	C:\Windows\SysWOW64\Calcpm32.exe	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Kbdjfk32.dll	Pidfdofi.exe
File created	C:\Windows\SysWOW64\Jjmeignj.dll	Aqbdkk32.exe
File created	C:\Windows\SysWOW64\Ajaclncd.dll	Bjdkjpkb.exe
File created	C:\Windows\SysWOW64\Qppkfhlc.exe	Pidfdofi.exe
File created	C:\Windows\SysWOW64\Bgllgedi.exe	Aqbdkk32.exe
File created	C:\Windows\SysWOW64\Bjdkjpkb.exe	Bceibfgj.exe
File opened for modification	C:\Windows\SysWOW64\Bjdkjpkb.exe	Bceibfgj.exe
File created	C:\Windows\SysWOW64\Cnkjnb32.exe	Cpfmmf32.exe
File opened for modification	C:\Windows\SysWOW64\Cchbgi32.exe	Cbffoabe.exe
File opened for modification	C:\Windows\SysWOW64\Ccjoli32.exe	Calcpm32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Fbbnekdd.dll	Qppkfhlc.exe
File created	C:\Windows\SysWOW64\Gggpgo32.dll	Alnalh32.exe
File created	C:\Windows\SysWOW64\Accqnc32.exe	Qlgkki32.exe
File opened for modification	C:\Windows\SysWOW64\Alnalh32.exe	Afdiondb.exe
File opened for modification	C:\Windows\SysWOW64\Aqbdkk32.exe	Akfkbd32.exe
File opened for modification	C:\Windows\SysWOW64\Cbffoabe.exe	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\Dmbcen32.exe	Ccjoli32.exe
File opened for modification	C:\Windows\SysWOW64\Pkoicb32.exe	Padhdm32.exe
File created	C:\Windows\SysWOW64\Pidfdofi.exe	Pkoicb32.exe
File created	C:\Windows\SysWOW64\Alnalh32.exe	Afdiondb.exe
File created	C:\Windows\SysWOW64\Lgpgbj32.dll	Afdiondb.exe
File opened for modification	C:\Windows\SysWOW64\Bceibfgj.exe	Bgllgedi.exe
File created	C:\Windows\SysWOW64\Nefamd32.dll	Ckhdggom.exe
File opened for modification	C:\Windows\SysWOW64\Cnkjnb32.exe	Cpfmmf32.exe
File created	C:\Windows\SysWOW64\Ofaejacl.dll	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Kaaded32.dll	Pkoicb32.exe
File created	C:\Windows\SysWOW64\Afdiondb.exe	Accqnc32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Incleo32.dll	Accqnc32.exe
File created	C:\Windows\SysWOW64\Fikbiheg.dll	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Qlgkki32.exe	Qppkfhlc.exe
File created	C:\Windows\SysWOW64\Ckhdggom.exe	Bjdkjpkb.exe
File created	C:\Windows\SysWOW64\Hbocphim.dll	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\Padhdm32.exe	Pofkha32.exe
File opened for modification	C:\Windows\SysWOW64\Qppkfhlc.exe	Pidfdofi.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dmbcen32.exe
File created	C:\Windows\SysWOW64\Fkfnnoge.dll	Padhdm32.exe
File created	C:\Windows\SysWOW64\Lbmnig32.dll	Bceibfgj.exe
File created	C:\Windows\SysWOW64\Cpfmmf32.exe	Ckhdggom.exe
File created	C:\Windows\SysWOW64\Padhdm32.exe	Pofkha32.exe
File created	C:\Windows\SysWOW64\Pkoicb32.exe	Padhdm32.exe
File created	C:\Windows\SysWOW64\Hcopgk32.dll	Qlgkki32.exe
File created	C:\Windows\SysWOW64\Bceibfgj.exe	Bgllgedi.exe
File created	C:\Windows\SysWOW64\Dmbcen32.exe	Ccjoli32.exe
File created	C:\Windows\SysWOW64\Pofkha32.exe	ae398a6e0f8b33429da932c1c21805b0N.exe
File created	C:\Windows\SysWOW64\Aqbdkk32.exe	Akfkbd32.exe
File created	C:\Windows\SysWOW64\Cbffoabe.exe	Cnkjnb32.exe
File opened for modification	C:\Windows\SysWOW64\Calcpm32.exe	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Kmhnlgkg.dll	Akfkbd32.exe
File created	C:\Windows\SysWOW64\Oqlecd32.dll	ae398a6e0f8b33429da932c1c21805b0N.exe
File created	C:\Windows\SysWOW64\Ffeganon.dll	Pofkha32.exe
File created	C:\Windows\SysWOW64\Ccjoli32.exe	Calcpm32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2332	2260	WerFault.exe	53

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ae398a6e0f8b33429da932c1c21805b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pofkha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkoicb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pidfdofi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afdiondb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgllgedi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bceibfgj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Padhdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alnalh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckhdggom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmmf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbffoabe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accqnc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqbdkk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjdkjpkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qppkfhlc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qlgkki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akfkbd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkjnb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calcpm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccjoli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	ae398a6e0f8b33429da932c1c21805b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Padhdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afdiondb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Padhdm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pidfdofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbnekdd.dll"	Qppkfhlc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Accqnc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgllgedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajaclncd.dll"	Bjdkjpkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	ae398a6e0f8b33429da932c1c21805b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	ae398a6e0f8b33429da932c1c21805b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pkoicb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckhdggom.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnkjnb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cbffoabe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Alnalh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Akfkbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Akfkbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incleo32.dll"	Accqnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbocphim.dll"	Cnkjnb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pofkha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Afdiondb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nefamd32.dll"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pidfdofi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Accqnc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmeignj.dll"	Aqbdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckhdggom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll"	Cchbgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	ae398a6e0f8b33429da932c1c21805b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffeganon.dll"	Pofkha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcopgk32.dll"	Qlgkki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qlgkki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Alnalh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akkggpci.dll"	Bgllgedi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciohdhad.dll"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pofkha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaaded32.dll"	Pkoicb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbdjfk32.dll"	Pidfdofi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmhnlgkg.dll"	Akfkbd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aqbdkk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	ae398a6e0f8b33429da932c1c21805b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qppkfhlc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liempneg.dll"	Cpfmmf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qlgkki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgpgbj32.dll"	Afdiondb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aqbdkk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmnig32.dll"	Bceibfgj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkfnnoge.dll"	Padhdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnenl32.dll"	Cbffoabe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Calcpm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll"	Ccjoli32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bceibfgj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjdkjpkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cchbgi32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 1452	816	ae398a6e0f8b33429da932c1c21805b0N.exe	31
PID 816 wrote to memory of 1452	816	ae398a6e0f8b33429da932c1c21805b0N.exe	31
PID 816 wrote to memory of 1452	816	ae398a6e0f8b33429da932c1c21805b0N.exe	31
PID 816 wrote to memory of 1452	816	ae398a6e0f8b33429da932c1c21805b0N.exe	31
PID 1452 wrote to memory of 2960	1452	Pofkha32.exe	32
PID 1452 wrote to memory of 2960	1452	Pofkha32.exe	32
PID 1452 wrote to memory of 2960	1452	Pofkha32.exe	32
PID 1452 wrote to memory of 2960	1452	Pofkha32.exe	32
PID 2960 wrote to memory of 2744	2960	Padhdm32.exe	33
PID 2960 wrote to memory of 2744	2960	Padhdm32.exe	33
PID 2960 wrote to memory of 2744	2960	Padhdm32.exe	33
PID 2960 wrote to memory of 2744	2960	Padhdm32.exe	33
PID 2744 wrote to memory of 2976	2744	Pkoicb32.exe	34
PID 2744 wrote to memory of 2976	2744	Pkoicb32.exe	34
PID 2744 wrote to memory of 2976	2744	Pkoicb32.exe	34
PID 2744 wrote to memory of 2976	2744	Pkoicb32.exe	34
PID 2976 wrote to memory of 2912	2976	Pidfdofi.exe	35
PID 2976 wrote to memory of 2912	2976	Pidfdofi.exe	35
PID 2976 wrote to memory of 2912	2976	Pidfdofi.exe	35
PID 2976 wrote to memory of 2912	2976	Pidfdofi.exe	35
PID 2912 wrote to memory of 1052	2912	Qppkfhlc.exe	36
PID 2912 wrote to memory of 1052	2912	Qppkfhlc.exe	36
PID 2912 wrote to memory of 1052	2912	Qppkfhlc.exe	36
PID 2912 wrote to memory of 1052	2912	Qppkfhlc.exe	36
PID 1052 wrote to memory of 2672	1052	Qlgkki32.exe	37
PID 1052 wrote to memory of 2672	1052	Qlgkki32.exe	37
PID 1052 wrote to memory of 2672	1052	Qlgkki32.exe	37
PID 1052 wrote to memory of 2672	1052	Qlgkki32.exe	37
PID 2672 wrote to memory of 372	2672	Accqnc32.exe	38
PID 2672 wrote to memory of 372	2672	Accqnc32.exe	38
PID 2672 wrote to memory of 372	2672	Accqnc32.exe	38
PID 2672 wrote to memory of 372	2672	Accqnc32.exe	38
PID 372 wrote to memory of 1820	372	Afdiondb.exe	39
PID 372 wrote to memory of 1820	372	Afdiondb.exe	39
PID 372 wrote to memory of 1820	372	Afdiondb.exe	39
PID 372 wrote to memory of 1820	372	Afdiondb.exe	39
PID 1820 wrote to memory of 2508	1820	Alnalh32.exe	40
PID 1820 wrote to memory of 2508	1820	Alnalh32.exe	40
PID 1820 wrote to memory of 2508	1820	Alnalh32.exe	40
PID 1820 wrote to memory of 2508	1820	Alnalh32.exe	40
PID 2508 wrote to memory of 2268	2508	Akfkbd32.exe	41
PID 2508 wrote to memory of 2268	2508	Akfkbd32.exe	41
PID 2508 wrote to memory of 2268	2508	Akfkbd32.exe	41
PID 2508 wrote to memory of 2268	2508	Akfkbd32.exe	41
PID 2268 wrote to memory of 3028	2268	Aqbdkk32.exe	42
PID 2268 wrote to memory of 3028	2268	Aqbdkk32.exe	42
PID 2268 wrote to memory of 3028	2268	Aqbdkk32.exe	42
PID 2268 wrote to memory of 3028	2268	Aqbdkk32.exe	42
PID 3028 wrote to memory of 768	3028	Bgllgedi.exe	43
PID 3028 wrote to memory of 768	3028	Bgllgedi.exe	43
PID 3028 wrote to memory of 768	3028	Bgllgedi.exe	43
PID 3028 wrote to memory of 768	3028	Bgllgedi.exe	43
PID 768 wrote to memory of 2152	768	Bceibfgj.exe	44
PID 768 wrote to memory of 2152	768	Bceibfgj.exe	44
PID 768 wrote to memory of 2152	768	Bceibfgj.exe	44
PID 768 wrote to memory of 2152	768	Bceibfgj.exe	44
PID 2152 wrote to memory of 2792	2152	Bjdkjpkb.exe	45
PID 2152 wrote to memory of 2792	2152	Bjdkjpkb.exe	45
PID 2152 wrote to memory of 2792	2152	Bjdkjpkb.exe	45
PID 2152 wrote to memory of 2792	2152	Bjdkjpkb.exe	45
PID 2792 wrote to memory of 1784	2792	Ckhdggom.exe	46
PID 2792 wrote to memory of 1784	2792	Ckhdggom.exe	46
PID 2792 wrote to memory of 1784	2792	Ckhdggom.exe	46
PID 2792 wrote to memory of 1784	2792	Ckhdggom.exe	46

C:\Users\Admin\AppData\Local\Temp\ae398a6e0f8b33429da932c1c21805b0N.exe
"C:\Users\Admin\AppData\Local\Temp\ae398a6e0f8b33429da932c1c21805b0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:816
- C:\Windows\SysWOW64\Pofkha32.exe
  C:\Windows\system32\Pofkha32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Windows\SysWOW64\Padhdm32.exe
    C:\Windows\system32\Padhdm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Windows\SysWOW64\Pkoicb32.exe
      C:\Windows\system32\Pkoicb32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\SysWOW64\Pidfdofi.exe
        
        C:\Windows\system32\Pidfdofi.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2976
      - C:\Windows\SysWOW64\Qppkfhlc.exe
        
        C:\Windows\system32\Qppkfhlc.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\Qlgkki32.exe
        
        C:\Windows\system32\Qlgkki32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\SysWOW64\Accqnc32.exe
        
        C:\Windows\system32\Accqnc32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Afdiondb.exe
        
        C:\Windows\system32\Afdiondb.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\SysWOW64\Alnalh32.exe
        
        C:\Windows\system32\Alnalh32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\Akfkbd32.exe
        
        C:\Windows\system32\Akfkbd32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\Aqbdkk32.exe
        
        C:\Windows\system32\Aqbdkk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\Bgllgedi.exe
        
        C:\Windows\system32\Bgllgedi.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\SysWOW64\Bceibfgj.exe
        
        C:\Windows\system32\Bceibfgj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\SysWOW64\Bjdkjpkb.exe
        
        C:\Windows\system32\Bjdkjpkb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\Ckhdggom.exe
        
        C:\Windows\system32\Ckhdggom.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\SysWOW64\Cpfmmf32.exe
        
        C:\Windows\system32\Cpfmmf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1784
        
        C:\Windows\SysWOW64\Cnkjnb32.exe
        
        C:\Windows\system32\Cnkjnb32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Cbffoabe.exe
        
        C:\Windows\system32\Cbffoabe.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1780
        
        C:\Windows\SysWOW64\Calcpm32.exe
        
        C:\Windows\system32\Calcpm32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Ccjoli32.exe
        
        C:\Windows\system32\Ccjoli32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:992
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2260
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2260 -s 144
        25⤵
        Loads dropped DLL
        Program crash
        
        PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Alnalh32.exe

Filesize
576KB

MD5
145acd0440a33090b1badb22d6c438ac

SHA1
ea634197e8af0ee1077b98f887e3dc2e3d9e6a6f

SHA256
eed9e6663526677665386664a8c721ce0b164fcce1390ef255e41a94bbcd779b

SHA512
9120b0dd9dc2346b6c44f4401f00e9f7bde7af5e6942b3995d8b3baa035a45deb460fe396829a3e827998c6996eedda4aa2f57f8d4ce1c8d76075332474874ce

Download Submit
C:\Windows\SysWOW64\Aqbdkk32.exe

Filesize
576KB

MD5
d1fd09b72bc3908384c9275355bd0b1c

SHA1
3828b1b4ca188f7bf1a36d8252fad73cb3783de5

SHA256
2281e1c27d29133e396b577d4efd62366f32a507d2b602cd6465df4253d6f790

SHA512
0ec0c3a14c40641c103f00799ab1ae5028596307c3458ac0d889887fa1f37b5500dc893b68b4408ac9ddf4dbab368fc806cb88289ec1bf815245706034723fa6

Download Submit
C:\Windows\SysWOW64\Bceibfgj.exe

Filesize
576KB

MD5
5f6a9f9a2a0bd6370fc1ee033c119da3

SHA1
f8191089060b83e57025ece9a649a019754ea3b4

SHA256
69ad3c2ae8f2efbff928802f1f3caae4f857d39d01605af8879e7582c9e1f3e5

SHA512
7db626a956c26358a64d796d34b1df565a284bae7262161290f7f96a712014e372a543e7113a9bac3fd9beaea5987d42cfd8b8e367420f8b4d09c9ee9d9d1bd1

Download Submit
C:\Windows\SysWOW64\Bgllgedi.exe

Filesize
576KB

MD5
679c71062c68cd1bc0d1ca75a056f0ca

SHA1
c4b3cdf9990124d784f7ecdbca313e95a4271f13

SHA256
113c58728e899b7ff06f9432be870302c0f586192dcb61992a8726aac8b64d7c

SHA512
e2781067c0d9e710ea2e19969eb41eb9ba3bd9940c0954668a24a7d37aa809b0aa13958e548e7fd29fb38b29ec36c1aa1f372752f5caee10c9675bf3476c5588

Download Submit
C:\Windows\SysWOW64\Calcpm32.exe

Filesize
576KB

MD5
20b20072c4bb4813f6f8c67f2db24d92

SHA1
71bbedb8be198bef389c475f0c2fded1d4ef61b0

SHA256
c509809dda120e1c28dc5391775801388f9d15ba6e4c92dc592b603282e4aea9

SHA512
48d043aae9a2c1f9f92b8cdc8944c10e6cf797bae4811051b28de4e79832f4bd32db292dc07b041a1baa791f5e47329e23900eb424dbfd48259f32ba5a6327b2

Download Submit
C:\Windows\SysWOW64\Cbffoabe.exe

Filesize
576KB

MD5
199fcf8a90000ceff60ebdb2b76590f9

SHA1
8a40177d141dd297334519ef34e09bf8f2cedc47

SHA256
adaf5afc304f5e091e6d46facbc4849d424347555af1efb1bff132894636d3bf

SHA512
6bcc0fa537664dfebc7775ab6eaf30ee0f61fee494232e1f083e1cf0551894cb1909ad73ae41232f03240a2eea707cde9a60d7589eda5868ab1afff27c573cff

Download Submit
C:\Windows\SysWOW64\Cchbgi32.exe

Filesize
576KB

MD5
b77ec15752b88c33d24e7fbc32266c86

SHA1
3e42bb46f3fead0938824537a0b9117d038d106d

SHA256
327ea5df061bd16765d5b45fe839867d84bea1a025d26f96c4d4f2469a9c9756

SHA512
fff2537ac34fb5f142a8f1fa0275157b653141e684d1079d7387a0c6b1db3646d1caa7b2eb143a7c2a6f645d33bd361ac9ea1bccf8b262e1ea80c050304f95ed

Download Submit
C:\Windows\SysWOW64\Ccjoli32.exe

Filesize
576KB

MD5
3a35810314074a7b27346aa055ca7ae1

SHA1
b947cd2ff64c79fdd36273f69bf70e9b72613277

SHA256
4fb4ffe51e78e05fd87caeafa8a47ae49d352c7a24dfa28dfcfb32674be70bc1

SHA512
ae059e7e83b02b39eed217cbde64760d85c38f532cd05b124ba9e92631158afda537089ce9c37ce7dab4c98de3b3e930a47a2feb26794defb4e3b1035eebce0a

Download Submit
C:\Windows\SysWOW64\Cnkjnb32.exe

Filesize
576KB

MD5
fb6f1b17cd2c89b071c2ca2aa80539db

SHA1
4b03548a74fa0c6dcc15a1173290905468eef824

SHA256
867e026791777f57d6ad3042cc83680ee41f0ea5ddae1e06a3c13c2fdacf58fc

SHA512
a45aa0ca024fac2ee0211b91936842a2ddd9d881c44c1774c7dbb89e403d7f476aba41ebd07292bc92418e519c5d0fd5f7a0734b853fd7d2eb3c3f554ed9e1e2

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
576KB

MD5
daa173516ce926cbb3bb8512686d63c9

SHA1
498a6cc07d9ab246a0f6b38d795c37889de9535c

SHA256
6f51c5d69bc19ea363ef5e5fe9e5a6e386dcf5b85d1bf78b8bed514a80208da9

SHA512
b4d5c6678fbf1a2b3ee14c2c63d6f960b1133434d6e7c8d7f60664eac63e71ff77a41e603aa8377e4cffb72f31e43ac9be1501dd679c56a8d982b72dc7ca98f4

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
576KB

MD5
daab53a9b3c685d82505d719505f073a

SHA1
1c6a0a0611a6535a5081602ed539d21634dd1d3b

SHA256
5d6806c69a609d69b6b30928c0d5e6dd6b09f5d8ad35d5ddc7d802008a515bd9

SHA512
10b2774f0b0aeea9a1c6a412af28d807355526b4abaaa5af3f173e76d719c913978cdf5cca3e87aa3400a0f9ac78eea86c8a8028371b5837372c30eba1055c20

Download Submit
C:\Windows\SysWOW64\Kbdjfk32.dll

Filesize
7KB

MD5
0950e9e2433b92649124b9c629e96bab

SHA1
7b1627e157f80ddd0474af9089ddb1c5fd81031c

SHA256
65e0fd0196dbf6f638a3c79cbe730827ef0c64bb3b3fa3dc5923d0464da1f57f

SHA512
3037868f71e3573b0e76bd43b2ba3032e09372a6b2d190a8b479698c33bdbc20223b929bfed332496713b2d87d4824b5939b044d83eda5e88a2e6f97ddd4a2df

Download Submit
C:\Windows\SysWOW64\Pkoicb32.exe

Filesize
576KB

MD5
165c2849db4214db556152ac12c47140

SHA1
7114529f4c33854eddec1cd21e75febacb8b2940

SHA256
e854a8de275f110174c29e73f6155bdc973e262384ef1f289689a9b9beb09894

SHA512
126740bd884cc78474fc0a10283a3fd8a9fc69bef11901b43e52e82fccacd3c8bcceb7d1dd19cca32ac900d2a4c4b9eedb3361c8b6b4c99acf908cbc4147dc16

Download Submit
\Windows\SysWOW64\Accqnc32.exe

Filesize
576KB

MD5
12076e6a34473a90e08837d1b955fb54

SHA1
e8a94cb7347a39d307353ff507fbd5828c3f639b

SHA256
0754f1d0de89cc0a4a98682603ed3aaeac302ada8e011db4a8ef9f29563b8ac6

SHA512
8a813131d613da8ebc245ebc3660f15591a93b1101ac0d5ca3c9a5fe1f0b2038074870a57c5c6241798bd00d1479458eac47cf25afdf772c29df28616f82e1cc

Download Submit
\Windows\SysWOW64\Afdiondb.exe

Filesize
576KB

MD5
594257275a05f01def030dae49b41f99

SHA1
e61220610b7ef7753a4e021cb7d06934aea0c5e8

SHA256
b2216a70be2b59cc7289d1a7def007bc25aa3dbfc7f199c337a6a1af38be68da

SHA512
3688c536e1c9ad6c3ab7ee8711a2b757605b70564f30eba2036fc3e5d9050194f70c4c55d576e2387a1546273afa1224f0e129d353c8ff4c193b90c61a3dffcb

Download Submit
\Windows\SysWOW64\Akfkbd32.exe

Filesize
576KB

MD5
d59648d74b3f86ed6f60df24f44a0719

SHA1
b199f8ac2cef06c8ae0c20c21172c358dad85dfc

SHA256
946d3fdb382c8b26f00271b1ea90c4dde470fc172d5ff819d2669a023a8a5c74

SHA512
0ca2b5c45af084eff620f5c30fe1d45506997476597494b4611b6cfd0f3a7a5ca80566d5fef7f92ce07824bca3f15641374dc75d1f3e1cb21f9a1f6357869799

Download Submit
\Windows\SysWOW64\Bjdkjpkb.exe

Filesize
576KB

MD5
4d1d9299b005f727df69e7d5a761c1e8

SHA1
a8e430f1934f93afef5e0b48b9a2bceece3dd92f

SHA256
6635536957419c67c11a577e85a2fe02a9605441470a5a488263681ce4efe9d3

SHA512
5d33fcf9a2068aa86135acdb92627cb0e177c5d27333adf2abb9c69a8c1583c01a8e3b6452e8945c8e42a5c4ca43c8ab5e5a8e57a3adf2823ef251ba5b29f00e

Download Submit
\Windows\SysWOW64\Ckhdggom.exe

Filesize
576KB

MD5
95175f45c78183082bf9929a3ec7c87f

SHA1
0ab4fa95c7646acc179ce307855b07e90da2771a

SHA256
974b7890b1e6c90759618fa115f393e47ed65d0fa2224443bcc217ddcaddb04d

SHA512
54071a502ed52574614c1670baaa1a24a9bc9247d97942ee3f29119a80f5df30aec403c606f2c7dfa7da59ecd8c56d087643e04e6602092849b0c3184e0d2d0b

Download Submit
\Windows\SysWOW64\Cpfmmf32.exe

Filesize
576KB

MD5
0cb1310c81cac6d5f71590de95a75293

SHA1
6d762ac24ac678c88199f4ed38eff7d042e3342c

SHA256
dd024ea812bcc98daab3fa9aed9a8c6a62a52820bc1dc510cc5dbf7a83950ac6

SHA512
477af7cf00b90f8aa2ab4e2a44c8f60429fa00223e467f6eb68125f069e95349b9d8c9894bc139bccdd6330f245251ec0d3128ac7725ec874a3eedc6336bd7d9

Download Submit
\Windows\SysWOW64\Padhdm32.exe

Filesize
576KB

MD5
e1ad0235d57416de14d076cb974d8a69

SHA1
042bce1c69a6babda198793128cd4fd19f45f8c6

SHA256
020ba0dcadddec40e5bd884ee333d2e8a3ce47e7a3db9aae26dbc2e968e44523

SHA512
e961e766902230e442a451d91192d1160e9d5dfb6ba16de514a4585927375db2298d618fff8c62cb905053c8814a9047f23005aa6c1eae0501da6cefbced3e79

Download Submit
\Windows\SysWOW64\Pidfdofi.exe

Filesize
576KB

MD5
f8b0f9338f82857b1ea73315642e40b2

SHA1
c058a3594d6f8fa033f62af39fbccf7efeb36436

SHA256
908e813773ec46c0a996464fdeac5dc7dde0d1c6409114d9fd782e38a790ff94

SHA512
0245be2c7c7cc0d66f248bf4e18fa8f0da1b22ac700484f55bee79c22ccf549234e7cc70f3db089a48ab1ebe8c14a4ccb740d6cabb53cb9d8f16e69c948377b4

Download Submit
\Windows\SysWOW64\Pofkha32.exe

Filesize
576KB

MD5
078338c0a6adcc847ea14b9c9ef86024

SHA1
94e8cf61dfc828f75e35cf7b4160f9fb57c35341

SHA256
de980848ad5529436fabebfdcf583d316aaeee488be3b48fd36c354ef5683828

SHA512
07c2569c0502bf2e30694798af05c84c6f15ca7dc9cf19c37c621b9758fc80f312cc20bc0272c12cef2598ec9a9932760f83c27af365ff087ecf9c074e822ebb

Download Submit
\Windows\SysWOW64\Qlgkki32.exe

Filesize
576KB

MD5
ee39a1f075aadc56e6b71b1aef532fc1

SHA1
2ebca168a1d8448464a2c0394dc7e7320a85e4f5

SHA256
36495d4ed9e544f7e2ef30ae046d9a59f2227cd285ffca500b15a03933cae769

SHA512
d182b829dfeb01ff4f00fa2b804cf494314d40b3367cfbb3419bbdc834a104844ba87d1d120d6929817b57612a1025dcc8b6818097b5b64b50902a9c50650fa8

Download Submit
\Windows\SysWOW64\Qppkfhlc.exe

Filesize
576KB

MD5
240b03abc50f8a6eb27beb2e04477d70

SHA1
186352982f1f7241bb226f91f2fbe7b7278306e4

SHA256
fd68c089e6db924fd02a263819f8a887f848fc3a66fc5444ea96e1864a9a26e5

SHA512
c57e134ebee11631f4f8cef8138ab3327beae280bf1f97c0c144822e1271bc4122f8ad0d497df2550dce2bf5bd6779115299dffe64dafd6e4a6663933667238e

Download Submit
memory/372-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/768-188-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/768-189-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/768-300-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/768-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/816-10-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/816-11-0x0000000000490000-0x00000000004C4000-memory.dmp

Filesize
208KB

Download
memory/992-283-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/992-282-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/992-278-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1052-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1052-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1052-88-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1452-288-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1452-13-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1452-22-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1748-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1748-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1780-246-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1780-306-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1784-217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1784-303-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1784-227-0x00000000005D0000-0x0000000000604000-memory.dmp

Filesize
208KB

Download
memory/1800-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1820-134-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1820-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1820-296-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1820-128-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2152-301-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2152-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2260-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2260-284-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2268-155-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2268-161-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2320-264-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2320-308-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2380-259-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2380-307-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2508-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2508-153-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2508-297-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2672-294-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2672-94-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2744-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2744-53-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2744-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2792-302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2792-204-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2912-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2960-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2976-54-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2976-66-0x0000000000290000-0x00000000002C4000-memory.dmp

Filesize
208KB

Download
memory/2976-291-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3028-174-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads