44d605e7be8f51f1ab154067ec012e3a5a9444296f6e06ac52e833a198674f52

Analysis

max time kernel
141s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
09/08/2024, 20:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44d605e7be8f51f1ab154067ec012e3a5a9444296f6e06ac52e833a198674f52.exe
Size

285KB
MD5

c727f89c05b500c79f9636d933d32e1b
SHA1

df8d5b25c8cbec59c725ff2bf4a57f6002b4231c
SHA256

44d605e7be8f51f1ab154067ec012e3a5a9444296f6e06ac52e833a198674f52
SHA512

9aca35092ed94bfc342320dfe89cecf84bf34bf83cc0747657204e99a6fca7e8d20858351e5393849fde95fa1615e59b5b5ac322a81564abae53da4038bc6961
SSDEEP

6144:8dqAEk3xaOSTYaT15f7o+STYaT15f6ZLXonvPeZaF8vs:0kTYapJoTYapiMnOZ9

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blaobmkq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceickb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceickb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cobhdhha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjmmnnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqjla32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cobhdhha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	44d605e7be8f51f1ab154067ec012e3a5a9444296f6e06ac52e833a198674f52.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjiljf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpfebmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckiiiine.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpfebmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bknfeege.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biccfalm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baealp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqjla32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckiiiine.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bknfeege.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biccfalm.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blaobmkq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blobmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Blobmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjmmnnb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	44d605e7be8f51f1ab154067ec012e3a5a9444296f6e06ac52e833a198674f52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjiljf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baealp32.exe

Executes dropped EXE 13 IoCs

pid	Process
2396	Bjiljf32.exe
2240	Bpfebmia.exe
3032	Baealp32.exe
3016	Bknfeege.exe
2760	Blobmm32.exe
2580	Biccfalm.exe
1952	Blaobmkq.exe
1804	Ceickb32.exe
1968	Cobhdhha.exe
2976	Chjmmnnb.exe
1032	Ckiiiine.exe
2820	Ceqjla32.exe
1060	Coindgbi.exe

Loads dropped DLL 26 IoCs

pid	Process
1672	44d605e7be8f51f1ab154067ec012e3a5a9444296f6e06ac52e833a198674f52.exe
1672	44d605e7be8f51f1ab154067ec012e3a5a9444296f6e06ac52e833a198674f52.exe
2396	Bjiljf32.exe
2396	Bjiljf32.exe
2240	Bpfebmia.exe
2240	Bpfebmia.exe
3032	Baealp32.exe
3032	Baealp32.exe
3016	Bknfeege.exe
3016	Bknfeege.exe
2760	Blobmm32.exe
2760	Blobmm32.exe
2580	Biccfalm.exe
2580	Biccfalm.exe
1952	Blaobmkq.exe
1952	Blaobmkq.exe
1804	Ceickb32.exe
1804	Ceickb32.exe
1968	Cobhdhha.exe
1968	Cobhdhha.exe
2976	Chjmmnnb.exe
2976	Chjmmnnb.exe
1032	Ckiiiine.exe
1032	Ckiiiine.exe
2820	Ceqjla32.exe
2820	Ceqjla32.exe

Drops file in System32 directory 39 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Baealp32.exe	Bpfebmia.exe
File created	C:\Windows\SysWOW64\Ljkaejba.dll	Bknfeege.exe
File created	C:\Windows\SysWOW64\Clmkgm32.dll	Cobhdhha.exe
File created	C:\Windows\SysWOW64\Mjhdbb32.dll	Bpfebmia.exe
File opened for modification	C:\Windows\SysWOW64\Blaobmkq.exe	Biccfalm.exe
File created	C:\Windows\SysWOW64\Bongfjgo.dll	Blaobmkq.exe
File created	C:\Windows\SysWOW64\Bjiljf32.exe	44d605e7be8f51f1ab154067ec012e3a5a9444296f6e06ac52e833a198674f52.exe
File opened for modification	C:\Windows\SysWOW64\Bjiljf32.exe	44d605e7be8f51f1ab154067ec012e3a5a9444296f6e06ac52e833a198674f52.exe
File created	C:\Windows\SysWOW64\Bpfebmia.exe	Bjiljf32.exe
File opened for modification	C:\Windows\SysWOW64\Bknfeege.exe	Baealp32.exe
File opened for modification	C:\Windows\SysWOW64\Cobhdhha.exe	Ceickb32.exe
File created	C:\Windows\SysWOW64\Chjmmnnb.exe	Cobhdhha.exe
File opened for modification	C:\Windows\SysWOW64\Coindgbi.exe	Ceqjla32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqjla32.exe	Ckiiiine.exe
File created	C:\Windows\SysWOW64\Bknfeege.exe	Baealp32.exe
File created	C:\Windows\SysWOW64\Idcnlffk.dll	Baealp32.exe
File opened for modification	C:\Windows\SysWOW64\Chjmmnnb.exe	Cobhdhha.exe
File created	C:\Windows\SysWOW64\Cobhdhha.exe	Ceickb32.exe
File created	C:\Windows\SysWOW64\Coindgbi.exe	Ceqjla32.exe
File created	C:\Windows\SysWOW64\Ohodgb32.dll	Ceqjla32.exe
File created	C:\Windows\SysWOW64\Blobmm32.exe	Bknfeege.exe
File created	C:\Windows\SysWOW64\Biccfalm.exe	Blobmm32.exe
File opened for modification	C:\Windows\SysWOW64\Biccfalm.exe	Blobmm32.exe
File opened for modification	C:\Windows\SysWOW64\Blobmm32.exe	Bknfeege.exe
File created	C:\Windows\SysWOW64\Hlggmcob.dll	Blobmm32.exe
File opened for modification	C:\Windows\SysWOW64\Ceickb32.exe	Blaobmkq.exe
File created	C:\Windows\SysWOW64\Hkfggj32.dll	Ceickb32.exe
File created	C:\Windows\SysWOW64\Ckiiiine.exe	Chjmmnnb.exe
File created	C:\Windows\SysWOW64\Kipdmjne.dll	44d605e7be8f51f1ab154067ec012e3a5a9444296f6e06ac52e833a198674f52.exe
File opened for modification	C:\Windows\SysWOW64\Bpfebmia.exe	Bjiljf32.exe
File opened for modification	C:\Windows\SysWOW64\Baealp32.exe	Bpfebmia.exe
File opened for modification	C:\Windows\SysWOW64\Ckiiiine.exe	Chjmmnnb.exe
File created	C:\Windows\SysWOW64\Ceickb32.exe	Blaobmkq.exe
File created	C:\Windows\SysWOW64\Jchbfbij.dll	Chjmmnnb.exe
File created	C:\Windows\SysWOW64\Ceqjla32.exe	Ckiiiine.exe
File created	C:\Windows\SysWOW64\Djenbd32.dll	Ckiiiine.exe
File created	C:\Windows\SysWOW64\Lpqafeln.dll	Bjiljf32.exe
File created	C:\Windows\SysWOW64\Blaobmkq.exe	Biccfalm.exe
File created	C:\Windows\SysWOW64\Kacclb32.dll	Biccfalm.exe

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjiljf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpfebmia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blobmm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coindgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baealp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjmmnnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biccfalm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blaobmkq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqjla32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	44d605e7be8f51f1ab154067ec012e3a5a9444296f6e06ac52e833a198674f52.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bknfeege.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceickb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cobhdhha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiiiine.exe

Modifies registry class 42 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blaobmkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clmkgm32.dll"	Cobhdhha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cobhdhha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjmmnnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpfebmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlggmcob.dll"	Blobmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Biccfalm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	44d605e7be8f51f1ab154067ec012e3a5a9444296f6e06ac52e833a198674f52.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Biccfalm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bknfeege.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blaobmkq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceickb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckiiiine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckiiiine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohodgb32.dll"	Ceqjla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bpfebmia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idcnlffk.dll"	Baealp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bongfjgo.dll"	Blaobmkq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceickb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjiljf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjiljf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Baealp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljkaejba.dll"	Bknfeege.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bknfeege.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cobhdhha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbfbij.dll"	Chjmmnnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	44d605e7be8f51f1ab154067ec012e3a5a9444296f6e06ac52e833a198674f52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kipdmjne.dll"	44d605e7be8f51f1ab154067ec012e3a5a9444296f6e06ac52e833a198674f52.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Blobmm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjmmnnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	44d605e7be8f51f1ab154067ec012e3a5a9444296f6e06ac52e833a198674f52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpqafeln.dll"	Bjiljf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djenbd32.dll"	Ckiiiine.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	44d605e7be8f51f1ab154067ec012e3a5a9444296f6e06ac52e833a198674f52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	44d605e7be8f51f1ab154067ec012e3a5a9444296f6e06ac52e833a198674f52.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Blobmm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kacclb32.dll"	Biccfalm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkfggj32.dll"	Ceickb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqjla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqjla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjhdbb32.dll"	Bpfebmia.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baealp32.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 2396	1672	44d605e7be8f51f1ab154067ec012e3a5a9444296f6e06ac52e833a198674f52.exe	31
PID 1672 wrote to memory of 2396	1672	44d605e7be8f51f1ab154067ec012e3a5a9444296f6e06ac52e833a198674f52.exe	31
PID 1672 wrote to memory of 2396	1672	44d605e7be8f51f1ab154067ec012e3a5a9444296f6e06ac52e833a198674f52.exe	31
PID 1672 wrote to memory of 2396	1672	44d605e7be8f51f1ab154067ec012e3a5a9444296f6e06ac52e833a198674f52.exe	31
PID 2396 wrote to memory of 2240	2396	Bjiljf32.exe	32
PID 2396 wrote to memory of 2240	2396	Bjiljf32.exe	32
PID 2396 wrote to memory of 2240	2396	Bjiljf32.exe	32
PID 2396 wrote to memory of 2240	2396	Bjiljf32.exe	32
PID 2240 wrote to memory of 3032	2240	Bpfebmia.exe	33
PID 2240 wrote to memory of 3032	2240	Bpfebmia.exe	33
PID 2240 wrote to memory of 3032	2240	Bpfebmia.exe	33
PID 2240 wrote to memory of 3032	2240	Bpfebmia.exe	33
PID 3032 wrote to memory of 3016	3032	Baealp32.exe	34
PID 3032 wrote to memory of 3016	3032	Baealp32.exe	34
PID 3032 wrote to memory of 3016	3032	Baealp32.exe	34
PID 3032 wrote to memory of 3016	3032	Baealp32.exe	34
PID 3016 wrote to memory of 2760	3016	Bknfeege.exe	35
PID 3016 wrote to memory of 2760	3016	Bknfeege.exe	35
PID 3016 wrote to memory of 2760	3016	Bknfeege.exe	35
PID 3016 wrote to memory of 2760	3016	Bknfeege.exe	35
PID 2760 wrote to memory of 2580	2760	Blobmm32.exe	36
PID 2760 wrote to memory of 2580	2760	Blobmm32.exe	36
PID 2760 wrote to memory of 2580	2760	Blobmm32.exe	36
PID 2760 wrote to memory of 2580	2760	Blobmm32.exe	36
PID 2580 wrote to memory of 1952	2580	Biccfalm.exe	37
PID 2580 wrote to memory of 1952	2580	Biccfalm.exe	37
PID 2580 wrote to memory of 1952	2580	Biccfalm.exe	37
PID 2580 wrote to memory of 1952	2580	Biccfalm.exe	37
PID 1952 wrote to memory of 1804	1952	Blaobmkq.exe	38
PID 1952 wrote to memory of 1804	1952	Blaobmkq.exe	38
PID 1952 wrote to memory of 1804	1952	Blaobmkq.exe	38
PID 1952 wrote to memory of 1804	1952	Blaobmkq.exe	38
PID 1804 wrote to memory of 1968	1804	Ceickb32.exe	39
PID 1804 wrote to memory of 1968	1804	Ceickb32.exe	39
PID 1804 wrote to memory of 1968	1804	Ceickb32.exe	39
PID 1804 wrote to memory of 1968	1804	Ceickb32.exe	39
PID 1968 wrote to memory of 2976	1968	Cobhdhha.exe	40
PID 1968 wrote to memory of 2976	1968	Cobhdhha.exe	40
PID 1968 wrote to memory of 2976	1968	Cobhdhha.exe	40
PID 1968 wrote to memory of 2976	1968	Cobhdhha.exe	40
PID 2976 wrote to memory of 1032	2976	Chjmmnnb.exe	41
PID 2976 wrote to memory of 1032	2976	Chjmmnnb.exe	41
PID 2976 wrote to memory of 1032	2976	Chjmmnnb.exe	41
PID 2976 wrote to memory of 1032	2976	Chjmmnnb.exe	41
PID 1032 wrote to memory of 2820	1032	Ckiiiine.exe	42
PID 1032 wrote to memory of 2820	1032	Ckiiiine.exe	42
PID 1032 wrote to memory of 2820	1032	Ckiiiine.exe	42
PID 1032 wrote to memory of 2820	1032	Ckiiiine.exe	42
PID 2820 wrote to memory of 1060	2820	Ceqjla32.exe	43
PID 2820 wrote to memory of 1060	2820	Ceqjla32.exe	43
PID 2820 wrote to memory of 1060	2820	Ceqjla32.exe	43
PID 2820 wrote to memory of 1060	2820	Ceqjla32.exe	43

C:\Users\Admin\AppData\Local\Temp\44d605e7be8f51f1ab154067ec012e3a5a9444296f6e06ac52e833a198674f52.exe
"C:\Users\Admin\AppData\Local\Temp\44d605e7be8f51f1ab154067ec012e3a5a9444296f6e06ac52e833a198674f52.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\SysWOW64\Bjiljf32.exe
  C:\Windows\system32\Bjiljf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\SysWOW64\Bpfebmia.exe
    C:\Windows\system32\Bpfebmia.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - C:\Windows\SysWOW64\Baealp32.exe
      C:\Windows\system32\Baealp32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3032
    - - C:\Windows\SysWOW64\Bknfeege.exe
        
        C:\Windows\system32\Bknfeege.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3016
      - C:\Windows\SysWOW64\Blobmm32.exe
        
        C:\Windows\system32\Blobmm32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Biccfalm.exe
        
        C:\Windows\system32\Biccfalm.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\SysWOW64\Blaobmkq.exe
        
        C:\Windows\system32\Blaobmkq.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Ceickb32.exe
        
        C:\Windows\system32\Ceickb32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SysWOW64\Cobhdhha.exe
        
        C:\Windows\system32\Cobhdhha.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\SysWOW64\Chjmmnnb.exe
        
        C:\Windows\system32\Chjmmnnb.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Ckiiiine.exe
        
        C:\Windows\system32\Ckiiiine.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\SysWOW64\Ceqjla32.exe
        
        C:\Windows\system32\Ceqjla32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\SysWOW64\Coindgbi.exe
        
        C:\Windows\system32\Coindgbi.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Blaobmkq.exe

Filesize
285KB

MD5
6e86eb7da8a2d328d6a073b119a8764b

SHA1
fbb865b65ac7486100e909ea375f441b2d9cc3bc

SHA256
208ef12e7c8b976ce0bc52f406de7518c6cd3c5555bac77f3d05138a2508643c

SHA512
49080bfb97e9c8894ba7c6b37c255c050a301c57e10a9106850a5c808c7dc863a9dfcf937c5d3cb341c3cfecfab771d9d9f5b19eacbaac8a223417a2f7f07d35

Download Submit
C:\Windows\SysWOW64\Blobmm32.exe

Filesize
285KB

MD5
0b8a7e972c46c4e3027b08ed8390edfc

SHA1
771d19aa70825ae42ec67ce675242c95a7d73e4c

SHA256
b68037e3b6d59e0227f84d15263c0b4c61644bf5c6edf70d495b78951e1150bb

SHA512
210e6f98dc4a4f84218a86f6e6046a87d03debc8efeef4a968f53b319896496f8c552f8d003c388fa16fb9b93074ecc70ff6bf1ddba8dc7e84fba172f4af5dcb

Download Submit
C:\Windows\SysWOW64\Ckiiiine.exe

Filesize
285KB

MD5
8d9723bb7709fe4ecfac393427de7db0

SHA1
d7b612d430597710888464cc5254ff7325b9e563

SHA256
3d43409a88ae757d60c193145cda376a94ac47a8d02fcc59c8e45e6364f0bfcb

SHA512
9eec3a7640962cd4e104c197271d7fc99715423bf61213c3b08b91c1962f46f25c9ad9d883c402d0cf72ececb68bf9860521b7e94566476c9f9d848832155337

Download Submit
\Windows\SysWOW64\Baealp32.exe

Filesize
285KB

MD5
caf49690ae864cdbd1992f17cd3fde79

SHA1
ba684ab6d24e9169b26bc56db9ac8c660af9971f

SHA256
00d103b34d2c503ef65f984374a616c76ff9f39b91c3a656ac43017f3ba6e805

SHA512
341ad4fa98803c6efeb452d509becb27882f5b2ff635436cc7c76a7374b7076e8666dc8027e72de72ea1387efe0ea969fbd07c107d646e7357e6586295addba8

Download Submit
\Windows\SysWOW64\Biccfalm.exe

Filesize
285KB

MD5
ab936cadd12a571730f9a2049d7cdca6

SHA1
23781981f647d56a5ae6f8a9e0cf5de5630d207a

SHA256
dbece214255e0158d38d59e9cb0596d6573468415efc445ac53a9b9ba6bef2b4

SHA512
0aebc6f7b965a5fd92591f6d8d16f7a71f844d0c3ee11126d156f9fe50d43bedc905ddbb3e213ca2f3622f54a96cfac973c44512ae3a0e3fa2c42b04177ef7d0

Download Submit
\Windows\SysWOW64\Bjiljf32.exe

Filesize
285KB

MD5
9d034112883cd9e3abac3d449d280f7b

SHA1
dd784da340ec28b5b85a82ef12f152eb4a8aa586

SHA256
2331cd86f453b9cc17d45ed00cdcec439de1cb4566f7ab3294868559c5264563

SHA512
fecbcd6ea2faceecf92d5498f23dd887a06584b8a066e303c8d3230ec9932eed98d553dee8939ca96a5d36d7ac1f7b59d780f4a36450959a91c41fc6c749f5ea

Download Submit
\Windows\SysWOW64\Bknfeege.exe

Filesize
285KB

MD5
b2596f615edf34ab617fb8f8c59e0b8c

SHA1
55254d94a7be715d38aefcc6e5d9940abe21a2e9

SHA256
065a765b19307d827aba061d58186db54b46b253dd4700f4d796cd53fbc7236a

SHA512
242d3b3c34848b514f7356f0471b560309e13f231645bbbeddef335fc723c5a81474fa80b1ef185770ed515a1963b800f1df1f23f12a21008cc1f035402367cd

Download Submit
\Windows\SysWOW64\Bpfebmia.exe

Filesize
285KB

MD5
ca799c73defa6697c58ac549ad0ce9a3

SHA1
64a988517f3a6906df1bc16f0e13ad18235142d9

SHA256
153443fe1ab2dcfb0f1cc536b0cf997f43fe571358d2da2577e48470a3adba2d

SHA512
3917a844d820a770204b359bd786360e80a921f18e641ea9e2ce0ff125c9010b78fb8de41205da06d4b162c901556d2a3e0aa6443d4c80cd82615fd36fd5de05

Download Submit
\Windows\SysWOW64\Ceickb32.exe

Filesize
285KB

MD5
6e6133483fefe5182c45d283c9e5f886

SHA1
f0587753b9b452bbf921f5ffabf638b3bdcb6d85

SHA256
16cf447c09d5cd4fa42473585b827398b64ba9b8f76c12cd60856c8cfde730ac

SHA512
d4bd8b6ad2dca9f690e4f946b436c36731ce0f47d5be2f78015c27a1571270630ac92cd2a770b24a5694ac9c910f1051503c9975d8b59bc7b91e72f5e0dc5b82

Download Submit
\Windows\SysWOW64\Ceqjla32.exe

Filesize
285KB

MD5
63fb7f8f4efd1d23a062a43805c64759

SHA1
f3ba706cd1eae1bc1c14c98bd24704a98a49ea7e

SHA256
5ae282d9f2b92d0dd05aad40231b4131021556f58a0151f35930c096a2393b99

SHA512
f0a22dbfda625bc589d405e36b8ecfc7540bfcb8193d3db58ab56bcc16ed3cd4cda228f5a381c255515494ecf6f4df670d23a61c375596197f9a2797e944e438

Download Submit
\Windows\SysWOW64\Chjmmnnb.exe

Filesize
285KB

MD5
b54c0c0f937d9d49aac131c7feb50a8f

SHA1
b01a787ddb48235181cb15992e3e42d50d09f1e2

SHA256
438ea0d0eaeb785439dfa3e6d7641764776f7cb1dfe00f90028c9b0f9b64d842

SHA512
9e84085a2f402f84f32e66f898d0ca3604bd93c1e331a2e3875f8691c79af08037e81d1116df2295274b8467788523a250448168310c5724e78de9867dbf80e9

Download Submit
\Windows\SysWOW64\Cobhdhha.exe

Filesize
285KB

MD5
54adb8f6508181cee3bcc2b1975eb7ea

SHA1
f50973aece65f873cf0448a6e9be971fcafa4885

SHA256
d5fdec325293dc96b9d4061247210f962c301aec22b77ed064f78b834f4e1440

SHA512
2e063f0461e9be5ae5174685492eaec8e0bbc9f9bccd23ca757d35f010d66949b575b73ffd85af0afcecec8eadc1745c4213c06c49ee0c16157e26a1eee090f9

Download Submit
\Windows\SysWOW64\Coindgbi.exe

Filesize
285KB

MD5
d6a1196bbfb13f74b895e719eca2ba73

SHA1
009cf95c1124b9172ffb70f6abbfbde0a6f4275e

SHA256
fbc66ea1a8b116be7ab5df950a9853ef3f6a9873cc0a2fc4cbab925919d83f01

SHA512
8ee7b0336c1cda20adf90ac2af69edf3875c6bc695eaa845f92710f40f567bafdf6d8d2eb4b8de46d62785055b09abf6224961536057ae0b05c1d3e3c50742d5

Download Submit
memory/1032-173-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/1032-210-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1032-164-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1060-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1060-212-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1672-12-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/1672-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1672-4-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1672-110-0x0000000000270000-0x00000000002A3000-memory.dmp

Filesize
204KB

Download
memory/1804-193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1804-195-0x0000000001F40000-0x0000000001F73000-memory.dmp

Filesize
204KB

Download
memory/1804-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1804-127-0x0000000001F40000-0x0000000001F73000-memory.dmp

Filesize
204KB

Download
memory/1804-194-0x0000000001F40000-0x0000000001F73000-memory.dmp

Filesize
204KB

Download
memory/1952-99-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1952-163-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1968-142-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1968-204-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1968-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1968-141-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/1968-196-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1968-197-0x0000000000260000-0x0000000000293000-memory.dmp

Filesize
204KB

Download
memory/2240-40-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2240-41-0x00000000005D0000-0x0000000000603000-memory.dmp

Filesize
204KB

Download
memory/2240-126-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2396-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2396-26-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2396-22-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2396-111-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2580-84-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2580-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2580-172-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2760-159-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-83-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2760-70-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2760-161-0x0000000000280000-0x00000000002B3000-memory.dmp

Filesize
204KB

Download
memory/2820-227-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2820-191-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/2820-211-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2976-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3016-69-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3016-150-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3016-158-0x0000000000250000-0x0000000000283000-memory.dmp

Filesize
204KB

Download
memory/3016-60-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-42-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-149-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download
memory/3032-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3032-50-0x0000000000300000-0x0000000000333000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads