35e1478937acb431fbc9132909c4a55ad2dd42ae64b0650979b6713cc292a6ef

Analysis

max time kernel
138s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35e1478937acb431fbc9132909c4a55ad2dd42ae64b0650979b6713cc292a6ef.exe
Size

51KB
MD5

806736eff4cc336f5e8de1a9414ca9e2
SHA1

5be10073df51f1d40fe91616cf3416278b82b116
SHA256

35e1478937acb431fbc9132909c4a55ad2dd42ae64b0650979b6713cc292a6ef
SHA512

aa3826d4e1da27bf97f2e333cc1ee4f53e39a6eaec3d6036a467260ef9f40107941880f9a39fbb5738ef6dbbfa45cb7945bf3436db6d1a4a23b31ff70ea1f9bb
SSDEEP

768:VSVIHXYqcDG8RTQKBZoFC6njQYgSR6ueNXgNzUI22iPKjy5CVAmIO8UxbuHZB9z0:V/EG8tQk2FC66NXgNziPc8UsHZB9zBE

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baepolni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdjblf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdjblf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckidcpjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dcffnbee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caqpkjcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpfmlghd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdocph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajjjk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmbgdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckggnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caqpkjcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdcmkgmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkmeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckdkhq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biiobo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjhkmbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkkhbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdcmkgmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cienon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckidcpjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjmekgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	35e1478937acb431fbc9132909c4a55ad2dd42ae64b0650979b6713cc292a6ef.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkkhbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkmeha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjhkmbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdapehop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhffg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcffnbee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhffg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckggnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baepolni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmlghd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmggingc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdapehop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdmoafdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdmoafdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biiobo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajjjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmbgdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgpeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	35e1478937acb431fbc9132909c4a55ad2dd42ae64b0650979b6713cc292a6ef.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbhildae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckdkhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgpeha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjmekgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdocph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmggingc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbhildae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cienon32.exe

Executes dropped EXE 26 IoCs

pid	Process
1724	Biiobo32.exe
4756	Bdocph32.exe
5100	Bjhkmbho.exe
3080	Bmggingc.exe
1904	Bdapehop.exe
1620	Bkkhbb32.exe
4452	Baepolni.exe
1444	Bdcmkgmm.exe
1020	Bkmeha32.exe
3636	Bagmdllg.exe
2340	Bbhildae.exe
1576	Cajjjk32.exe
3144	Cdhffg32.exe
3280	Cienon32.exe
4352	Cdjblf32.exe
4256	Ckdkhq32.exe
4540	Cmbgdl32.exe
3960	Cdmoafdb.exe
1376	Ckggnp32.exe
4956	Caqpkjcl.exe
4496	Ckidcpjl.exe
1428	Cpfmlghd.exe
5016	Dgpeha32.exe
3704	Dmjmekgn.exe
2836	Dcffnbee.exe
3296	Diqnjl32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bkmeha32.exe	Bdcmkgmm.exe
File opened for modification	C:\Windows\SysWOW64\Bbhildae.exe	Bagmdllg.exe
File created	C:\Windows\SysWOW64\Hnmanm32.dll	Cdhffg32.exe
File opened for modification	C:\Windows\SysWOW64\Cpfmlghd.exe	Ckidcpjl.exe
File created	C:\Windows\SysWOW64\Lpphjbnh.dll	Baepolni.exe
File created	C:\Windows\SysWOW64\Daqfhf32.dll	Cmbgdl32.exe
File created	C:\Windows\SysWOW64\Dpagekkf.dll	Ckggnp32.exe
File created	C:\Windows\SysWOW64\Faagecfk.dll	Caqpkjcl.exe
File opened for modification	C:\Windows\SysWOW64\Dcffnbee.exe	Dmjmekgn.exe
File opened for modification	C:\Windows\SysWOW64\Diqnjl32.exe	Dcffnbee.exe
File created	C:\Windows\SysWOW64\Eknphfld.dll	35e1478937acb431fbc9132909c4a55ad2dd42ae64b0650979b6713cc292a6ef.exe
File created	C:\Windows\SysWOW64\Fekmfnbj.dll	Bdocph32.exe
File created	C:\Windows\SysWOW64\Pnlhmpgg.dll	Cajjjk32.exe
File created	C:\Windows\SysWOW64\Ckdkhq32.exe	Cdjblf32.exe
File created	C:\Windows\SysWOW64\Dooaccfg.dll	Cdjblf32.exe
File created	C:\Windows\SysWOW64\Dmjmekgn.exe	Dgpeha32.exe
File created	C:\Windows\SysWOW64\Qahlom32.dll	Dcffnbee.exe
File created	C:\Windows\SysWOW64\Biiobo32.exe	35e1478937acb431fbc9132909c4a55ad2dd42ae64b0650979b6713cc292a6ef.exe
File opened for modification	C:\Windows\SysWOW64\Bkmeha32.exe	Bdcmkgmm.exe
File created	C:\Windows\SysWOW64\Dodebo32.dll	Cdmoafdb.exe
File created	C:\Windows\SysWOW64\Bkkhbb32.exe	Bdapehop.exe
File created	C:\Windows\SysWOW64\Cienon32.exe	Cdhffg32.exe
File created	C:\Windows\SysWOW64\Dcjdilmf.dll	Ckdkhq32.exe
File created	C:\Windows\SysWOW64\Cdmoafdb.exe	Cmbgdl32.exe
File opened for modification	C:\Windows\SysWOW64\Cdmoafdb.exe	Cmbgdl32.exe
File created	C:\Windows\SysWOW64\Bdocph32.exe	Biiobo32.exe
File created	C:\Windows\SysWOW64\Cdjblf32.exe	Cienon32.exe
File created	C:\Windows\SysWOW64\Cmbgdl32.exe	Ckdkhq32.exe
File created	C:\Windows\SysWOW64\Cpfmlghd.exe	Ckidcpjl.exe
File created	C:\Windows\SysWOW64\Dcffnbee.exe	Dmjmekgn.exe
File created	C:\Windows\SysWOW64\Baepolni.exe	Bkkhbb32.exe
File created	C:\Windows\SysWOW64\Aldclhie.dll	Bdapehop.exe
File created	C:\Windows\SysWOW64\Bbhildae.exe	Bagmdllg.exe
File opened for modification	C:\Windows\SysWOW64\Cajjjk32.exe	Bbhildae.exe
File created	C:\Windows\SysWOW64\Pknjieep.dll	Bbhildae.exe
File created	C:\Windows\SysWOW64\Mgqaip32.dll	Dgpeha32.exe
File created	C:\Windows\SysWOW64\Diqnjl32.exe	Dcffnbee.exe
File opened for modification	C:\Windows\SysWOW64\Bdocph32.exe	Biiobo32.exe
File created	C:\Windows\SysWOW64\Khokadah.dll	Bdcmkgmm.exe
File created	C:\Windows\SysWOW64\Bagmdllg.exe	Bkmeha32.exe
File opened for modification	C:\Windows\SysWOW64\Cmbgdl32.exe	Ckdkhq32.exe
File opened for modification	C:\Windows\SysWOW64\Caqpkjcl.exe	Ckggnp32.exe
File opened for modification	C:\Windows\SysWOW64\Ckidcpjl.exe	Caqpkjcl.exe
File created	C:\Windows\SysWOW64\Lpcgahca.dll	Cpfmlghd.exe
File created	C:\Windows\SysWOW64\Bdcmkgmm.exe	Baepolni.exe
File created	C:\Windows\SysWOW64\Gfchag32.dll	Bkmeha32.exe
File created	C:\Windows\SysWOW64\Ckggnp32.exe	Cdmoafdb.exe
File opened for modification	C:\Windows\SysWOW64\Dgpeha32.exe	Cpfmlghd.exe
File opened for modification	C:\Windows\SysWOW64\Biiobo32.exe	35e1478937acb431fbc9132909c4a55ad2dd42ae64b0650979b6713cc292a6ef.exe
File created	C:\Windows\SysWOW64\Ijgiemgc.dll	Bjhkmbho.exe
File opened for modification	C:\Windows\SysWOW64\Bkkhbb32.exe	Bdapehop.exe
File created	C:\Windows\SysWOW64\Caqpkjcl.exe	Ckggnp32.exe
File opened for modification	C:\Windows\SysWOW64\Bmggingc.exe	Bjhkmbho.exe
File created	C:\Windows\SysWOW64\Lljoca32.dll	Ckidcpjl.exe
File created	C:\Windows\SysWOW64\Dgpeha32.exe	Cpfmlghd.exe
File opened for modification	C:\Windows\SysWOW64\Dmjmekgn.exe	Dgpeha32.exe
File created	C:\Windows\SysWOW64\Dbcdbi32.dll	Biiobo32.exe
File opened for modification	C:\Windows\SysWOW64\Bdapehop.exe	Bmggingc.exe
File created	C:\Windows\SysWOW64\Boplohfa.dll	Bmggingc.exe
File opened for modification	C:\Windows\SysWOW64\Ckdkhq32.exe	Cdjblf32.exe
File opened for modification	C:\Windows\SysWOW64\Ckggnp32.exe	Cdmoafdb.exe
File created	C:\Windows\SysWOW64\Bmggingc.exe	Bjhkmbho.exe
File opened for modification	C:\Windows\SysWOW64\Bagmdllg.exe	Bkmeha32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhffg32.exe	Cajjjk32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3052	3296	WerFault.exe	118

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdjblf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdmoafdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckidcpjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Diqnjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	35e1478937acb431fbc9132909c4a55ad2dd42ae64b0650979b6713cc292a6ef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagmdllg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmggingc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdapehop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckdkhq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckggnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caqpkjcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdocph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cienon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhffg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgpeha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdcmkgmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjhkmbho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baepolni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbhildae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmlghd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjmekgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcffnbee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkkhbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkmeha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmbgdl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biiobo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajjjk32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khokadah.dll"	Bdcmkgmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbhildae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdmoafdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpfmlghd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhffg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckdkhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daqfhf32.dll"	Cmbgdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgpeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qahlom32.dll"	Dcffnbee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkkhbb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdcmkgmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajjjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdjblf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lljoca32.dll"	Ckidcpjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckggnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgqaip32.dll"	Dgpeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmafal32.dll"	Bkkhbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faagecfk.dll"	Caqpkjcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkmeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodebo32.dll"	Cdmoafdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caqpkjcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	35e1478937acb431fbc9132909c4a55ad2dd42ae64b0650979b6713cc292a6ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	35e1478937acb431fbc9132909c4a55ad2dd42ae64b0650979b6713cc292a6ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdocph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjhkmbho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjmekgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eknphfld.dll"	35e1478937acb431fbc9132909c4a55ad2dd42ae64b0650979b6713cc292a6ef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Biiobo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pknjieep.dll"	Bbhildae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckdkhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpfmlghd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkmeha32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdjblf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dooaccfg.dll"	Cdjblf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpcgahca.dll"	Cpfmlghd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcjdilmf.dll"	Ckdkhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmbgdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcffnbee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	35e1478937acb431fbc9132909c4a55ad2dd42ae64b0650979b6713cc292a6ef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Biiobo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcdbi32.dll"	Biiobo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfchag32.dll"	Bkmeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnmanm32.dll"	Cdhffg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cienon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdmoafdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	35e1478937acb431fbc9132909c4a55ad2dd42ae64b0650979b6713cc292a6ef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijgiemgc.dll"	Bjhkmbho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdapehop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdapehop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdcmkgmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbhildae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhffg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caqpkjcl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	35e1478937acb431fbc9132909c4a55ad2dd42ae64b0650979b6713cc292a6ef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fekmfnbj.dll"	Bdocph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjhkmbho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmggingc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajjjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cienon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckidcpjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdocph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aldclhie.dll"	Bdapehop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baepolni.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 1724	4480	35e1478937acb431fbc9132909c4a55ad2dd42ae64b0650979b6713cc292a6ef.exe	91
PID 4480 wrote to memory of 1724	4480	35e1478937acb431fbc9132909c4a55ad2dd42ae64b0650979b6713cc292a6ef.exe	91
PID 4480 wrote to memory of 1724	4480	35e1478937acb431fbc9132909c4a55ad2dd42ae64b0650979b6713cc292a6ef.exe	91
PID 1724 wrote to memory of 4756	1724	Biiobo32.exe	92
PID 1724 wrote to memory of 4756	1724	Biiobo32.exe	92
PID 1724 wrote to memory of 4756	1724	Biiobo32.exe	92
PID 4756 wrote to memory of 5100	4756	Bdocph32.exe	93
PID 4756 wrote to memory of 5100	4756	Bdocph32.exe	93
PID 4756 wrote to memory of 5100	4756	Bdocph32.exe	93
PID 5100 wrote to memory of 3080	5100	Bjhkmbho.exe	94
PID 5100 wrote to memory of 3080	5100	Bjhkmbho.exe	94
PID 5100 wrote to memory of 3080	5100	Bjhkmbho.exe	94
PID 3080 wrote to memory of 1904	3080	Bmggingc.exe	95
PID 3080 wrote to memory of 1904	3080	Bmggingc.exe	95
PID 3080 wrote to memory of 1904	3080	Bmggingc.exe	95
PID 1904 wrote to memory of 1620	1904	Bdapehop.exe	96
PID 1904 wrote to memory of 1620	1904	Bdapehop.exe	96
PID 1904 wrote to memory of 1620	1904	Bdapehop.exe	96
PID 1620 wrote to memory of 4452	1620	Bkkhbb32.exe	97
PID 1620 wrote to memory of 4452	1620	Bkkhbb32.exe	97
PID 1620 wrote to memory of 4452	1620	Bkkhbb32.exe	97
PID 4452 wrote to memory of 1444	4452	Baepolni.exe	98
PID 4452 wrote to memory of 1444	4452	Baepolni.exe	98
PID 4452 wrote to memory of 1444	4452	Baepolni.exe	98
PID 1444 wrote to memory of 1020	1444	Bdcmkgmm.exe	99
PID 1444 wrote to memory of 1020	1444	Bdcmkgmm.exe	99
PID 1444 wrote to memory of 1020	1444	Bdcmkgmm.exe	99
PID 1020 wrote to memory of 3636	1020	Bkmeha32.exe	100
PID 1020 wrote to memory of 3636	1020	Bkmeha32.exe	100
PID 1020 wrote to memory of 3636	1020	Bkmeha32.exe	100
PID 3636 wrote to memory of 2340	3636	Bagmdllg.exe	101
PID 3636 wrote to memory of 2340	3636	Bagmdllg.exe	101
PID 3636 wrote to memory of 2340	3636	Bagmdllg.exe	101
PID 2340 wrote to memory of 1576	2340	Bbhildae.exe	102
PID 2340 wrote to memory of 1576	2340	Bbhildae.exe	102
PID 2340 wrote to memory of 1576	2340	Bbhildae.exe	102
PID 1576 wrote to memory of 3144	1576	Cajjjk32.exe	103
PID 1576 wrote to memory of 3144	1576	Cajjjk32.exe	103
PID 1576 wrote to memory of 3144	1576	Cajjjk32.exe	103
PID 3144 wrote to memory of 3280	3144	Cdhffg32.exe	104
PID 3144 wrote to memory of 3280	3144	Cdhffg32.exe	104
PID 3144 wrote to memory of 3280	3144	Cdhffg32.exe	104
PID 3280 wrote to memory of 4352	3280	Cienon32.exe	105
PID 3280 wrote to memory of 4352	3280	Cienon32.exe	105
PID 3280 wrote to memory of 4352	3280	Cienon32.exe	105
PID 4352 wrote to memory of 4256	4352	Cdjblf32.exe	106
PID 4352 wrote to memory of 4256	4352	Cdjblf32.exe	106
PID 4352 wrote to memory of 4256	4352	Cdjblf32.exe	106
PID 4256 wrote to memory of 4540	4256	Ckdkhq32.exe	108
PID 4256 wrote to memory of 4540	4256	Ckdkhq32.exe	108
PID 4256 wrote to memory of 4540	4256	Ckdkhq32.exe	108
PID 4540 wrote to memory of 3960	4540	Cmbgdl32.exe	109
PID 4540 wrote to memory of 3960	4540	Cmbgdl32.exe	109
PID 4540 wrote to memory of 3960	4540	Cmbgdl32.exe	109
PID 3960 wrote to memory of 1376	3960	Cdmoafdb.exe	110
PID 3960 wrote to memory of 1376	3960	Cdmoafdb.exe	110
PID 3960 wrote to memory of 1376	3960	Cdmoafdb.exe	110
PID 1376 wrote to memory of 4956	1376	Ckggnp32.exe	111
PID 1376 wrote to memory of 4956	1376	Ckggnp32.exe	111
PID 1376 wrote to memory of 4956	1376	Ckggnp32.exe	111
PID 4956 wrote to memory of 4496	4956	Caqpkjcl.exe	113
PID 4956 wrote to memory of 4496	4956	Caqpkjcl.exe	113
PID 4956 wrote to memory of 4496	4956	Caqpkjcl.exe	113
PID 4496 wrote to memory of 1428	4496	Ckidcpjl.exe	114

C:\Users\Admin\AppData\Local\Temp\35e1478937acb431fbc9132909c4a55ad2dd42ae64b0650979b6713cc292a6ef.exe
"C:\Users\Admin\AppData\Local\Temp\35e1478937acb431fbc9132909c4a55ad2dd42ae64b0650979b6713cc292a6ef.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Windows\SysWOW64\Biiobo32.exe
  C:\Windows\system32\Biiobo32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\SysWOW64\Bdocph32.exe
    C:\Windows\system32\Bdocph32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4756
  - - C:\Windows\SysWOW64\Bjhkmbho.exe
      C:\Windows\system32\Bjhkmbho.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5100
    - - C:\Windows\SysWOW64\Bmggingc.exe
        
        C:\Windows\system32\Bmggingc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3080
      - C:\Windows\SysWOW64\Bdapehop.exe
        
        C:\Windows\system32\Bdapehop.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\SysWOW64\Bkkhbb32.exe
        
        C:\Windows\system32\Bkkhbb32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\Baepolni.exe
        
        C:\Windows\system32\Baepolni.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\SysWOW64\Bdcmkgmm.exe
        
        C:\Windows\system32\Bdcmkgmm.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\SysWOW64\Bkmeha32.exe
        
        C:\Windows\system32\Bkmeha32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\SysWOW64\Bagmdllg.exe
        
        C:\Windows\system32\Bagmdllg.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3636
        
        C:\Windows\SysWOW64\Bbhildae.exe
        
        C:\Windows\system32\Bbhildae.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\Cajjjk32.exe
        
        C:\Windows\system32\Cajjjk32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\SysWOW64\Cdhffg32.exe
        
        C:\Windows\system32\Cdhffg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Windows\SysWOW64\Cienon32.exe
        
        C:\Windows\system32\Cienon32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\SysWOW64\Cdjblf32.exe
        
        C:\Windows\system32\Cdjblf32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SysWOW64\Ckdkhq32.exe
        
        C:\Windows\system32\Ckdkhq32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\Windows\SysWOW64\Cmbgdl32.exe
        
        C:\Windows\system32\Cmbgdl32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\SysWOW64\Cdmoafdb.exe
        
        C:\Windows\system32\Cdmoafdb.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\SysWOW64\Ckggnp32.exe
        
        C:\Windows\system32\Ckggnp32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Windows\SysWOW64\Caqpkjcl.exe
        
        C:\Windows\system32\Caqpkjcl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\SysWOW64\Ckidcpjl.exe
        
        C:\Windows\system32\Ckidcpjl.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4496
        
        C:\Windows\SysWOW64\Cpfmlghd.exe
        
        C:\Windows\system32\Cpfmlghd.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1428
        
        C:\Windows\SysWOW64\Dgpeha32.exe
        
        C:\Windows\system32\Dgpeha32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Dmjmekgn.exe
        
        C:\Windows\system32\Dmjmekgn.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3704
        
        C:\Windows\SysWOW64\Dcffnbee.exe
        
        C:\Windows\system32\Dcffnbee.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3296
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3296 -s 404
        28⤵
        Program crash
        
        PID:3052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3296 -ip 3296
1⤵
PID:1176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4144,i,11391966286255097843,10588851088187498028,262144 --variations-seed-version --mojo-platform-channel-handle=3664 /prefetch:8
1⤵
PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Baepolni.exe

Filesize
51KB

MD5
59b6c581b57bbfb7f87c9ffaaf73e90e

SHA1
f357b5cea0a055dcae5e338cdd7ea5d11e119dfe

SHA256
5f444154572fc9906ababb65d829dc08fabb6340b20bfea36ac17161de64674c

SHA512
75ba8c429aeabe7e3ccb29a143068c03fd5ed1f219910943774bb29b3cabe69bce0abab57131f0fdc621358d7b739c54e40c5c49a75d389cd2f7c6af6ff874a4

Download Submit
C:\Windows\SysWOW64\Bagmdllg.exe

Filesize
51KB

MD5
9fa9fdd68bb76cde14c6ebb50c5f7b51

SHA1
c14b147b4081c10dfe168b0f32c762f81ba92914

SHA256
4dfdf21d1fa40fc333772ff9bd3e22c9a7a551f9fef8a7b2b4b8801b3a418b82

SHA512
3159889a6e051075de7c3744c95d5d759c2d101586eb871d0589f6b84c83e34237af31e61d03d02d5390cd6ba60f3b187694e771a6d10d8fc3dafc2505478d0e

Download Submit
C:\Windows\SysWOW64\Bbhildae.exe

Filesize
51KB

MD5
7444cabe876e3e2466964077620e2187

SHA1
0b17bb8d7ddb69930ec762923984fb1b277745e3

SHA256
ff49924b662625eefde7daad2e134f7115ae0973295ccdd34f67cf12f6573ffe

SHA512
62f450d06daa1c0e81e3c34a51f5d74c8564a38f427646a7c29efaf9218b03c8cdda57824a145c97454e759986573b02bd7f3d9a3b08d67a285447da4dd8f3ea

Download Submit
C:\Windows\SysWOW64\Bdapehop.exe

Filesize
51KB

MD5
fa2f0704009c51b07a9c39cae7ad965f

SHA1
57081424585a5658d9c4927f879a1d71181cfd5c

SHA256
abc4275098b63851c7708c32fd34c66c2a3c6ca28e3e763204442699176961fc

SHA512
f04f641b02631a4182c668c1e7e1788f5bc0cbd6c20944edbb48f0de67af2cfe869e17ca7d6d6702bc93899a68a55c1cc9a8865343583f49c8d4356feac8592b

Download Submit
C:\Windows\SysWOW64\Bdcmkgmm.exe

Filesize
51KB

MD5
abc31e7088fff13e7739008a381363bc

SHA1
5b9082d1dcf86d108fbba7e4ee57dd564bfd0f9c

SHA256
231624f249f429f003750175b8bc91a27f4abeb0481391141bd14f3b4989ee56

SHA512
108b951012e65e1c82239ef0fcfcd5389aa636c63f791b51d97e0983f9609d5ea81ffdddbfa26a208f839fe79fd0e9cf294a2cf50087c3af3a8f27b872e6dabe

Download Submit
C:\Windows\SysWOW64\Bdocph32.exe

Filesize
51KB

MD5
3f46c06de99c468d502aad2b7e7fcde5

SHA1
54a8ad184ee721f36a47248e45f76a17b122a38e

SHA256
dafbead0df6f456f71bb335b4a206828f28cdf1c8c86a71704c8384a173803a5

SHA512
d7cb1eb011be5a2d220cf864742fca8cfffebce1208a0da9e9dcb4a9c69d2b634501b64a114de55131c724488951a977019a766ac6d079bcb5a303e5af0f0af7

Download Submit
C:\Windows\SysWOW64\Biiobo32.exe

Filesize
51KB

MD5
dc5468282194bee318ed1d969204b5c9

SHA1
ad16d8f035d2810281fd189acb014723e7506124

SHA256
2bf623d6243ca80c3400da3055f237d154a8f971dbc467a3880c17b430a00fb8

SHA512
c07b7c34638af802cac2244024af194ea25d14cc9870337ff953628b03fa5499647101d5ce489691f769c80e300a77d0c9338ac4a7174843e6f41a997f9453d8

Download Submit
C:\Windows\SysWOW64\Bjhkmbho.exe

Filesize
51KB

MD5
6dcf1a4497b95f458e9d49c05b4739fb

SHA1
0046ba08c44172f4518be8f987ec1e997513d66d

SHA256
4270ba029e04698946a64e13c655605e3aa1566615c14a50545b98d384ee4667

SHA512
32b1a9e45a707c6f6b7c7f07e52395a90725cd668649dc4ee9f35da944fce31b51503dd7cd9c95cb8ac0010a3db6c3a72e5ae1cbf7d7161fc5104219545bb6fa

Download Submit
C:\Windows\SysWOW64\Bkkhbb32.exe

Filesize
51KB

MD5
e9e2ff0199b9a77ae5fe6031ece83485

SHA1
4bb39b66ed5b925a2bc967021d5556b0db43847b

SHA256
f570af2e96fdeb827a5df6e6577deeb4581ca4a14a56f46f61bd8a45470cf3b5

SHA512
0e5ff0e35d6ffb126e7f2974ee1e035a38eb493d786057b78fe0632936ac3e4a5a1b2e9d1ddad1704812415cbb1031e0de5623a84a6451f8926d2c3801b0da12

Download Submit
C:\Windows\SysWOW64\Bkmeha32.exe

Filesize
51KB

MD5
b27c75fb235771d4fb401d9f6b7ad2cf

SHA1
d6fb48834e492b3965ceb0b64d42523c981cd01f

SHA256
a3cdac5157e1b944d57e9f7e3ac0a1cfa4924c62ff549d3f359a8649f46192f7

SHA512
b994fcbe32623c78fc1e25dcb9fcf967c3c7b4c589148bce4943e3854c7db9c028bb79055d94be47711644f6af8c34681485b452dbae5f2f7e2af8ed6dee5475

Download Submit
C:\Windows\SysWOW64\Bmggingc.exe

Filesize
51KB

MD5
0b3753056e64eb1d406a23b1283101dd

SHA1
cdb6080197caab0bb72ac24a875ea8588849f534

SHA256
90090b9c28269fce2b54a69615708c29c2c27dfb9831da69167ce4fb629adc6e

SHA512
9c88b4398ae4684c3df648898852833823587288e0300840fd6225faa22f9136850ff9e9b40f094da862abac62aeaa687be2aae5beb3cf2c4d093176891a4938

Download Submit
C:\Windows\SysWOW64\Cajjjk32.exe

Filesize
51KB

MD5
b5c6c48989a3d5fb4bb37a7ffd3478b3

SHA1
d5fc478ccb3f415dab033cbbbf8497f37ffe2968

SHA256
4d21ad48f3454d2fa136bb99f42c72e1cdf37ab9818b0c475661fd18bbf54caf

SHA512
d65333a529363fb1394a84affc2cfcb169d5a15f6fb67c290364c7d2bfb44c0d292f200cdf8b5f7dc0c011e512c705b10c5b22cf33120756a3b70beac056216c

Download Submit
C:\Windows\SysWOW64\Caqpkjcl.exe

Filesize
51KB

MD5
72c35f300e178914ad9de3c8755ce9be

SHA1
4b55a29feaa097b03e4cc10cc11ddec5c88e7e39

SHA256
0f834317313c7397fd9500539815b3a908a8b55613429580891f36b4564b853e

SHA512
e283817e0ea4ee2f86dd2fb829f7079b365e91c0e6f6aec0693993291b74ed60dc5efca3d512d7516367a1170afe066fd393d20692401fd5b725c6402e06c0dd

Download Submit
C:\Windows\SysWOW64\Cdhffg32.exe

Filesize
51KB

MD5
7c5667b67324f55110d6f6cb41d46c79

SHA1
872cfc87b8092467a573eeeb21713871dbe584e9

SHA256
c27fdc187df412f886f317789395671f35dd914208008acebc17dae3706e6eaf

SHA512
4f9dd0d71adeaa9e7d56bda3aa082682c4725d702b92fc35572c6230b6b22ee3a86d2ae01926bde1b2428b0ed1c7715430279e2dc2ce988baf8090fed89798fc

Download Submit
C:\Windows\SysWOW64\Cdjblf32.exe

Filesize
51KB

MD5
834b3d0c59d47cc6807329e83e68a6a5

SHA1
30f3efb2a78d5837df9f5c5b0dc259cabbb65186

SHA256
8cb62c672a09004155d52e054c314d3b800599f21d71766a7d74e158bd404b4d

SHA512
65e3cbf94e5f049e213b866330dafe23b79bd777b92080b5473cd9edbae81d73d918aa1b41da79f6cb6c1bebda50787699b5b0d16fc34329ddb296d31ccaf207

Download Submit
C:\Windows\SysWOW64\Cdmoafdb.exe

Filesize
51KB

MD5
dfa63f29354ed0014bb6ec2bb59f24fe

SHA1
3b8924f31379b0b077ad9679cf148c785b3fd554

SHA256
bc52517801f78b19ff43f5b595d7c308422ea26fd43eb6ccd833a8b3220b0594

SHA512
f1714036cd7c1eaf9f383e88657158cc01915178bc2e396373adfedc7f0cd735677021f8cbba38c7e6e1da0d17431c074f202efbbb90190d81b9842272de30c7

Download Submit
C:\Windows\SysWOW64\Cienon32.exe

Filesize
51KB

MD5
a82e4d0817c225998799e23e24993e70

SHA1
eca39f8aeb9a0b3f026aaef968e4644eaaa94ddd

SHA256
27b76db73ce1fc5c00e890112a84ad506e51447cc62beb97e0240ebb4aa4a13f

SHA512
1dbf11d3cbd5ba318b5d976d0528bac5b46da8102aad6ff0e12844dd5aca3756a7f88c88a22feef9f10360adaddb4b6a32073200c03724abf4869121550ca523

Download Submit
C:\Windows\SysWOW64\Ckdkhq32.exe

Filesize
51KB

MD5
701f8c39ca9d12bcfaa6b6a405d29c1d

SHA1
51721492ebe6e9da2a432b786d6397a546dcb25c

SHA256
b5904c36cc1b71aa114fc6957b9261f49850b4793367407b8fd5315cd06fc06e

SHA512
be7a03c5b1923e04088bfc38034a85c55cc1367043d2b9b9f8ec0460f9de8ee8160f71a17f056b21406b3f1cad36e4b79105706b32426b7879ab45939c1ce43f

Download Submit
C:\Windows\SysWOW64\Ckggnp32.exe

Filesize
51KB

MD5
f9665ef88fc47268b44174cdfa933384

SHA1
18c7444a09b3632ac6a1bbca61be6dfc0148a6e2

SHA256
254a2907bd0568a30509016e9e4cdcb6fa4c410330b422382ec51145a1b754b4

SHA512
0883a3c6189aa5a7655e766353e7586648e05116d0b44c423b3a25467ecba785eb3e133184d7795002f8fcfe1d824fea717fc8bc6b20f1f46586013d7d2fad1f

Download Submit
C:\Windows\SysWOW64\Ckidcpjl.exe

Filesize
51KB

MD5
f29d7a073fa1b33a4c8517891be5f355

SHA1
7be8cd5ee96dafc3d7d0815e69c7345ca5515de5

SHA256
485f76091d6c8ddf7030efec1a0af58a15c0145c1aa87074c189ca2da6318690

SHA512
68980859194ef78bed0f1d30041c7c5baaa8e76ed5967e3716cf7a40f372e1b69ec514f36036e27416bf396ac4411d8534dd505cf65b9955ca620bf0241d3c69

Download Submit
C:\Windows\SysWOW64\Cmbgdl32.exe

Filesize
51KB

MD5
2ad8f35ac508f781c1698d5e8f8f2f8e

SHA1
997087d3d11c37f6d325da19760459df40de898b

SHA256
ba8ad4789787bc6c7af667bc7bc75683763dbfba6cf7378104b266b5d36a7b36

SHA512
0e7eeef19778f371bd9abf09bc2c9b661b95455dbdf8a74e3b32e8fcbd200c378e0d8e293dd6e51ba35e104b6d2c6a879491b1b8da8af99bf1f70b171bf72ee1

Download Submit
C:\Windows\SysWOW64\Cpfmlghd.exe

Filesize
51KB

MD5
76ee03f39bc2b83be0c6520c841afea1

SHA1
087efb9c93b93e666e9bad2ba37da9a84e4846d9

SHA256
77e9ebaeb027294c04daafe3646b57fcceca99797103a23846a3d94d082f7430

SHA512
d72eefa8ad6a9583c0357637265e3d94a333fcccc3ce93153e07ce3520a917532e5f220b87f438244bcabe26571dfdc1a981e92d59ca5d4cafc6737c51f5557e

Download Submit
C:\Windows\SysWOW64\Dcffnbee.exe

Filesize
51KB

MD5
dd7127975a056f9501131a25e5bc190b

SHA1
8905fb57caa29642896b7cc3475657373cd392d5

SHA256
b289dcd46fd06b0ae4d4f6f785aaff1ad2877c00e03ad57d53d20ee52642f244

SHA512
614a5cb69c687093b348997067ed314be899d5e4ec34dc7e8e83465a1f542965619d128747267de6d320cee2e169afea148b447ace7885ca7abc3186d3a20b9e

Download Submit
C:\Windows\SysWOW64\Dgpeha32.exe

Filesize
51KB

MD5
2437ed81c04d7a3f694e90381691fa3c

SHA1
8f2fd352f2461f2d39af1a1388ba2a63131a807d

SHA256
e44551351c3680cb687b5ddaf71f81d3ad0f9f9e4ed4be9d6c1b0d44ea141d9c

SHA512
4a965b32327fdcd3c18ed452cf4daa9be1fefdd37c20fc150701f6d4c502cdd421769e3ddb272424fe3d9526f9e147ade0a3c6e4dc43483d0480365360f3aa53

Download Submit
C:\Windows\SysWOW64\Diqnjl32.exe

Filesize
51KB

MD5
520b8b72ace71af7b6572336511f3488

SHA1
9dae96bc7269bb7b89a50922ccc2f36edcf7394c

SHA256
57aafdd6b36a7dd71536624c5a166dd591ecb2e8d6cae08ab354d1560066f434

SHA512
3343d501436b30412ae8cc978faca22ca085cc739985b35336dcfac0561bacb518fe0864dc949fca96a1dde02d0f2a0f2a4088956702c440252f0a15a6f38fa7

Download Submit
C:\Windows\SysWOW64\Dmjmekgn.exe

Filesize
51KB

MD5
4cca3039c57e590a7ccd8c3fe409d737

SHA1
99ded08347e528a60ad394b32297cd9708488169

SHA256
70749efada91cd61495fa4fcf8629ab5a27af005cb9ee574d3998ce1b5400362

SHA512
efd8cf69b1bcdd83ccb00ddd3f8e47a13e75b96776110a5c27275180bdb24129a11bcee1a7e58d9e9df92ebeb56432ae1e54f843ce604b1360fae3bcd9919aec

Download Submit
memory/1020-71-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1020-243-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1376-151-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1376-223-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1428-175-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1428-217-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1444-64-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1444-245-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1576-95-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1576-237-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1620-47-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1620-249-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1724-259-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1724-7-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1904-39-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1904-251-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2340-87-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2340-239-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2836-212-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2836-199-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3080-253-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3080-31-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3144-103-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3144-235-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3280-112-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3280-233-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3296-210-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3296-208-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3636-79-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3636-241-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3704-191-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3704-213-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3960-225-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3960-143-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4256-127-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4256-229-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4352-231-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4352-119-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4452-247-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4452-55-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4480-0-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4480-261-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4496-167-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4496-219-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4540-227-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4540-136-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4756-257-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4756-15-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4956-159-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4956-221-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5016-183-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5016-215-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5100-255-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5100-23-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads