f5483bfa7552bcfc0f0b9b841200ec214d386bc0011547a878da77f3e4df8226

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
29-08-2024 05:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5483bfa7552bcfc0f0b9b841200ec214d386bc0011547a878da77f3e4df8226.exe
Size

94KB
MD5

8045579b72ee3227d8312b2b05b0ef41
SHA1

ab1129b1b63631307940e61327fa577b2720679d
SHA256

f5483bfa7552bcfc0f0b9b841200ec214d386bc0011547a878da77f3e4df8226
SHA512

cebecbfe105193a5f2856e4ab1ade075a38afffe17472cb30e09644a7665710e76cf5070e87e5357c8b0b3e14f56b9c9e3ad28e9d2b7c4354ccd7c13ee016905
SSDEEP

1536:Y8TmL8J7lCY5Z0GV1g4VvkkUrMcVi6q+gn2LH1MQ262AjCsQ2PCZZrqOlNfVSLUY:Y8KI7EY5XgCvkkUrsd+zH1MQH2qC7ZQd

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 42 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdgic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgoime32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnknoogp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f5483bfa7552bcfc0f0b9b841200ec214d386bc0011547a878da77f3e4df8226.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bniajoic.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	f5483bfa7552bcfc0f0b9b841200ec214d386bc0011547a878da77f3e4df8226.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgoime32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchfhfeh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjakccop.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkhhhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgaebe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bigkel32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkhhhd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adnpkjde.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdgic32.exe

Executes dropped EXE 21 IoCs

pid	Process
2320	Adnpkjde.exe
2480	Bkhhhd32.exe
2408	Bgoime32.exe
2788	Bniajoic.exe
2704	Bgaebe32.exe
2596	Bnknoogp.exe
2584	Bchfhfeh.exe
2536	Bqlfaj32.exe
1708	Bbmcibjp.exe
2304	Bigkel32.exe
1748	Cenljmgq.exe
2028	Cmedlk32.exe
2948	Ckjamgmk.exe
2956	Cinafkkd.exe
1888	Ckmnbg32.exe
1716	Cchbgi32.exe
2216	Cjakccop.exe
2208	Cnmfdb32.exe
1656	Djdgic32.exe
912	Dmbcen32.exe
1500	Dpapaj32.exe

Loads dropped DLL 45 IoCs

pid	Process
484	f5483bfa7552bcfc0f0b9b841200ec214d386bc0011547a878da77f3e4df8226.exe
484	f5483bfa7552bcfc0f0b9b841200ec214d386bc0011547a878da77f3e4df8226.exe
2320	Adnpkjde.exe
2320	Adnpkjde.exe
2480	Bkhhhd32.exe
2480	Bkhhhd32.exe
2408	Bgoime32.exe
2408	Bgoime32.exe
2788	Bniajoic.exe
2788	Bniajoic.exe
2704	Bgaebe32.exe
2704	Bgaebe32.exe
2596	Bnknoogp.exe
2596	Bnknoogp.exe
2584	Bchfhfeh.exe
2584	Bchfhfeh.exe
2536	Bqlfaj32.exe
2536	Bqlfaj32.exe
1708	Bbmcibjp.exe
1708	Bbmcibjp.exe
2304	Bigkel32.exe
2304	Bigkel32.exe
1748	Cenljmgq.exe
1748	Cenljmgq.exe
2028	Cmedlk32.exe
2028	Cmedlk32.exe
2948	Ckjamgmk.exe
2948	Ckjamgmk.exe
2956	Cinafkkd.exe
2956	Cinafkkd.exe
1888	Ckmnbg32.exe
1888	Ckmnbg32.exe
1716	Cchbgi32.exe
1716	Cchbgi32.exe
2216	Cjakccop.exe
2216	Cjakccop.exe
2208	Cnmfdb32.exe
2208	Cnmfdb32.exe
1656	Djdgic32.exe
1656	Djdgic32.exe
912	Dmbcen32.exe
912	Dmbcen32.exe
2352	WerFault.exe
2352	WerFault.exe
2352	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bgoime32.exe	Bkhhhd32.exe
File created	C:\Windows\SysWOW64\Oabhggjd.dll	Bniajoic.exe
File created	C:\Windows\SysWOW64\Fbnbckhg.dll	Cmedlk32.exe
File opened for modification	C:\Windows\SysWOW64\Cnmfdb32.exe	Cjakccop.exe
File created	C:\Windows\SysWOW64\Aglfmjon.dll	f5483bfa7552bcfc0f0b9b841200ec214d386bc0011547a878da77f3e4df8226.exe
File created	C:\Windows\SysWOW64\Bgoime32.exe	Bkhhhd32.exe
File created	C:\Windows\SysWOW64\Cinafkkd.exe	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Acnenl32.dll	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Adnpkjde.exe	f5483bfa7552bcfc0f0b9b841200ec214d386bc0011547a878da77f3e4df8226.exe
File created	C:\Windows\SysWOW64\Gmkame32.dll	Bnknoogp.exe
File opened for modification	C:\Windows\SysWOW64\Bbmcibjp.exe	Bqlfaj32.exe
File created	C:\Windows\SysWOW64\Cenljmgq.exe	Bigkel32.exe
File created	C:\Windows\SysWOW64\Eepejpil.dll	Ckjamgmk.exe
File created	C:\Windows\SysWOW64\Pdkefp32.dll	Dmbcen32.exe
File opened for modification	C:\Windows\SysWOW64\Adnpkjde.exe	f5483bfa7552bcfc0f0b9b841200ec214d386bc0011547a878da77f3e4df8226.exe
File created	C:\Windows\SysWOW64\Ckmnbg32.exe	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Cnmfdb32.exe	Cjakccop.exe
File created	C:\Windows\SysWOW64\Gbnbjo32.dll	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Bgaebe32.exe	Bniajoic.exe
File created	C:\Windows\SysWOW64\Ckndebll.dll	Bgaebe32.exe
File created	C:\Windows\SysWOW64\Bqlfaj32.exe	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Jhogdg32.dll	Cinafkkd.exe
File opened for modification	C:\Windows\SysWOW64\Dmbcen32.exe	Djdgic32.exe
File created	C:\Windows\SysWOW64\Bkhhhd32.exe	Adnpkjde.exe
File opened for modification	C:\Windows\SysWOW64\Ckmnbg32.exe	Cinafkkd.exe
File created	C:\Windows\SysWOW64\Fikbiheg.dll	Djdgic32.exe
File opened for modification	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File opened for modification	C:\Windows\SysWOW64\Bqlfaj32.exe	Bchfhfeh.exe
File created	C:\Windows\SysWOW64\Aaddfb32.dll	Bigkel32.exe
File created	C:\Windows\SysWOW64\Pdkiofep.dll	Bgoime32.exe
File created	C:\Windows\SysWOW64\Qcamkjba.dll	Adnpkjde.exe
File created	C:\Windows\SysWOW64\Bigkel32.exe	Bbmcibjp.exe
File opened for modification	C:\Windows\SysWOW64\Cmedlk32.exe	Cenljmgq.exe
File created	C:\Windows\SysWOW64\Cchbgi32.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Dpapaj32.exe	Dmbcen32.exe
File opened for modification	C:\Windows\SysWOW64\Bkhhhd32.exe	Adnpkjde.exe
File opened for modification	C:\Windows\SysWOW64\Cenljmgq.exe	Bigkel32.exe
File opened for modification	C:\Windows\SysWOW64\Ckjamgmk.exe	Cmedlk32.exe
File opened for modification	C:\Windows\SysWOW64\Cjakccop.exe	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Djdgic32.exe	Cnmfdb32.exe
File created	C:\Windows\SysWOW64\Ccofjipn.dll	Cnmfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Bigkel32.exe	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Ckjamgmk.exe	Cmedlk32.exe
File opened for modification	C:\Windows\SysWOW64\Cinafkkd.exe	Ckjamgmk.exe
File opened for modification	C:\Windows\SysWOW64\Cchbgi32.exe	Ckmnbg32.exe
File created	C:\Windows\SysWOW64\Dmbcen32.exe	Djdgic32.exe
File created	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File opened for modification	C:\Windows\SysWOW64\Bniajoic.exe	Bgoime32.exe
File opened for modification	C:\Windows\SysWOW64\Bchfhfeh.exe	Bnknoogp.exe
File created	C:\Windows\SysWOW64\Bnknoogp.exe	Bgaebe32.exe
File created	C:\Windows\SysWOW64\Bchfhfeh.exe	Bnknoogp.exe
File created	C:\Windows\SysWOW64\Lmajfk32.dll	Cenljmgq.exe
File created	C:\Windows\SysWOW64\Cjakccop.exe	Cchbgi32.exe
File opened for modification	C:\Windows\SysWOW64\ÿs.e¢e	Dpapaj32.exe
File created	C:\Windows\SysWOW64\Bniajoic.exe	Bgoime32.exe
File created	C:\Windows\SysWOW64\Oinhifdq.dll	Bbmcibjp.exe
File created	C:\Windows\SysWOW64\Cmedlk32.exe	Cenljmgq.exe
File created	C:\Windows\SysWOW64\Niebgj32.dll	Cjakccop.exe
File opened for modification	C:\Windows\SysWOW64\Djdgic32.exe	Cnmfdb32.exe
File opened for modification	C:\Windows\SysWOW64\Bnknoogp.exe	Bgaebe32.exe
File opened for modification	C:\Windows\SysWOW64\Bgaebe32.exe	Bniajoic.exe
File created	C:\Windows\SysWOW64\Bbmcibjp.exe	Bqlfaj32.exe
File created	C:\Windows\SysWOW64\Gpajfg32.dll	Cchbgi32.exe
File created	C:\Windows\SysWOW64\Obahbj32.dll	Bkhhhd32.exe

Program crash 1 IoCs

pid	pid_target	Process
2352	1500	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenljmgq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cinafkkd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjakccop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmbcen32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adnpkjde.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bniajoic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bqlfaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bigkel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckmnbg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cchbgi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgoime32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgaebe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchfhfeh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbmcibjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmedlk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnmfdb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpapaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5483bfa7552bcfc0f0b9b841200ec214d386bc0011547a878da77f3e4df8226.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkhhhd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnknoogp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckjamgmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdgic32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	f5483bfa7552bcfc0f0b9b841200ec214d386bc0011547a878da77f3e4df8226.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	f5483bfa7552bcfc0f0b9b841200ec214d386bc0011547a878da77f3e4df8226.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmajfk32.dll"	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckjamgmk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnenl32.dll"	Ckmnbg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkefp32.dll"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmbcen32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	f5483bfa7552bcfc0f0b9b841200ec214d386bc0011547a878da77f3e4df8226.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkiofep.dll"	Bgoime32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bniajoic.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cinafkkd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll"	Djdgic32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll"	Cinafkkd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjakccop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcamkjba.dll"	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkhhhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaddfb32.dll"	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adnpkjde.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgaebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfakaoam.dll"	Bqlfaj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnmfdb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmbcen32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adnpkjde.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgoime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	f5483bfa7552bcfc0f0b9b841200ec214d386bc0011547a878da77f3e4df8226.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oabhggjd.dll"	Bniajoic.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckndebll.dll"	Bgaebe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbmcibjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkhhhd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgoime32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnknoogp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenljmgq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdgic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aglfmjon.dll"	f5483bfa7552bcfc0f0b9b841200ec214d386bc0011547a878da77f3e4df8226.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmkame32.dll"	Bnknoogp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenljmgq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cchbgi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbnbjo32.dll"	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchfhfeh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oinhifdq.dll"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnbckhg.dll"	Cmedlk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	f5483bfa7552bcfc0f0b9b841200ec214d386bc0011547a878da77f3e4df8226.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obahbj32.dll"	Bkhhhd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bigkel32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll"	Cnmfdb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbmcibjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepejpil.dll"	Ckjamgmk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckmnbg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgaebe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cinafkkd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 484 wrote to memory of 2320	484	f5483bfa7552bcfc0f0b9b841200ec214d386bc0011547a878da77f3e4df8226.exe	31
PID 484 wrote to memory of 2320	484	f5483bfa7552bcfc0f0b9b841200ec214d386bc0011547a878da77f3e4df8226.exe	31
PID 484 wrote to memory of 2320	484	f5483bfa7552bcfc0f0b9b841200ec214d386bc0011547a878da77f3e4df8226.exe	31
PID 484 wrote to memory of 2320	484	f5483bfa7552bcfc0f0b9b841200ec214d386bc0011547a878da77f3e4df8226.exe	31
PID 2320 wrote to memory of 2480	2320	Adnpkjde.exe	32
PID 2320 wrote to memory of 2480	2320	Adnpkjde.exe	32
PID 2320 wrote to memory of 2480	2320	Adnpkjde.exe	32
PID 2320 wrote to memory of 2480	2320	Adnpkjde.exe	32
PID 2480 wrote to memory of 2408	2480	Bkhhhd32.exe	33
PID 2480 wrote to memory of 2408	2480	Bkhhhd32.exe	33
PID 2480 wrote to memory of 2408	2480	Bkhhhd32.exe	33
PID 2480 wrote to memory of 2408	2480	Bkhhhd32.exe	33
PID 2408 wrote to memory of 2788	2408	Bgoime32.exe	34
PID 2408 wrote to memory of 2788	2408	Bgoime32.exe	34
PID 2408 wrote to memory of 2788	2408	Bgoime32.exe	34
PID 2408 wrote to memory of 2788	2408	Bgoime32.exe	34
PID 2788 wrote to memory of 2704	2788	Bniajoic.exe	35
PID 2788 wrote to memory of 2704	2788	Bniajoic.exe	35
PID 2788 wrote to memory of 2704	2788	Bniajoic.exe	35
PID 2788 wrote to memory of 2704	2788	Bniajoic.exe	35
PID 2704 wrote to memory of 2596	2704	Bgaebe32.exe	36
PID 2704 wrote to memory of 2596	2704	Bgaebe32.exe	36
PID 2704 wrote to memory of 2596	2704	Bgaebe32.exe	36
PID 2704 wrote to memory of 2596	2704	Bgaebe32.exe	36
PID 2596 wrote to memory of 2584	2596	Bnknoogp.exe	37
PID 2596 wrote to memory of 2584	2596	Bnknoogp.exe	37
PID 2596 wrote to memory of 2584	2596	Bnknoogp.exe	37
PID 2596 wrote to memory of 2584	2596	Bnknoogp.exe	37
PID 2584 wrote to memory of 2536	2584	Bchfhfeh.exe	38
PID 2584 wrote to memory of 2536	2584	Bchfhfeh.exe	38
PID 2584 wrote to memory of 2536	2584	Bchfhfeh.exe	38
PID 2584 wrote to memory of 2536	2584	Bchfhfeh.exe	38
PID 2536 wrote to memory of 1708	2536	Bqlfaj32.exe	39
PID 2536 wrote to memory of 1708	2536	Bqlfaj32.exe	39
PID 2536 wrote to memory of 1708	2536	Bqlfaj32.exe	39
PID 2536 wrote to memory of 1708	2536	Bqlfaj32.exe	39
PID 1708 wrote to memory of 2304	1708	Bbmcibjp.exe	40
PID 1708 wrote to memory of 2304	1708	Bbmcibjp.exe	40
PID 1708 wrote to memory of 2304	1708	Bbmcibjp.exe	40
PID 1708 wrote to memory of 2304	1708	Bbmcibjp.exe	40
PID 2304 wrote to memory of 1748	2304	Bigkel32.exe	41
PID 2304 wrote to memory of 1748	2304	Bigkel32.exe	41
PID 2304 wrote to memory of 1748	2304	Bigkel32.exe	41
PID 2304 wrote to memory of 1748	2304	Bigkel32.exe	41
PID 1748 wrote to memory of 2028	1748	Cenljmgq.exe	42
PID 1748 wrote to memory of 2028	1748	Cenljmgq.exe	42
PID 1748 wrote to memory of 2028	1748	Cenljmgq.exe	42
PID 1748 wrote to memory of 2028	1748	Cenljmgq.exe	42
PID 2028 wrote to memory of 2948	2028	Cmedlk32.exe	43
PID 2028 wrote to memory of 2948	2028	Cmedlk32.exe	43
PID 2028 wrote to memory of 2948	2028	Cmedlk32.exe	43
PID 2028 wrote to memory of 2948	2028	Cmedlk32.exe	43
PID 2948 wrote to memory of 2956	2948	Ckjamgmk.exe	44
PID 2948 wrote to memory of 2956	2948	Ckjamgmk.exe	44
PID 2948 wrote to memory of 2956	2948	Ckjamgmk.exe	44
PID 2948 wrote to memory of 2956	2948	Ckjamgmk.exe	44
PID 2956 wrote to memory of 1888	2956	Cinafkkd.exe	45
PID 2956 wrote to memory of 1888	2956	Cinafkkd.exe	45
PID 2956 wrote to memory of 1888	2956	Cinafkkd.exe	45
PID 2956 wrote to memory of 1888	2956	Cinafkkd.exe	45
PID 1888 wrote to memory of 1716	1888	Ckmnbg32.exe	46
PID 1888 wrote to memory of 1716	1888	Ckmnbg32.exe	46
PID 1888 wrote to memory of 1716	1888	Ckmnbg32.exe	46
PID 1888 wrote to memory of 1716	1888	Ckmnbg32.exe	46

C:\Users\Admin\AppData\Local\Temp\f5483bfa7552bcfc0f0b9b841200ec214d386bc0011547a878da77f3e4df8226.exe
"C:\Users\Admin\AppData\Local\Temp\f5483bfa7552bcfc0f0b9b841200ec214d386bc0011547a878da77f3e4df8226.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:484
- C:\Windows\SysWOW64\Adnpkjde.exe
  C:\Windows\system32\Adnpkjde.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\SysWOW64\Bkhhhd32.exe
    C:\Windows\system32\Bkhhhd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2480
  - - C:\Windows\SysWOW64\Bgoime32.exe
      C:\Windows\system32\Bgoime32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2408
    - - C:\Windows\SysWOW64\Bniajoic.exe
        
        C:\Windows\system32\Bniajoic.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2788
      - C:\Windows\SysWOW64\Bgaebe32.exe
        
        C:\Windows\system32\Bgaebe32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\SysWOW64\Bnknoogp.exe
        
        C:\Windows\system32\Bnknoogp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2596
        
        C:\Windows\SysWOW64\Bchfhfeh.exe
        
        C:\Windows\system32\Bchfhfeh.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\Bqlfaj32.exe
        
        C:\Windows\system32\Bqlfaj32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\SysWOW64\Bbmcibjp.exe
        
        C:\Windows\system32\Bbmcibjp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\SysWOW64\Bigkel32.exe
        
        C:\Windows\system32\Bigkel32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\Cenljmgq.exe
        
        C:\Windows\system32\Cenljmgq.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\Cmedlk32.exe
        
        C:\Windows\system32\Cmedlk32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Ckjamgmk.exe
        
        C:\Windows\system32\Ckjamgmk.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\Cinafkkd.exe
        
        C:\Windows\system32\Cinafkkd.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\SysWOW64\Ckmnbg32.exe
        
        C:\Windows\system32\Ckmnbg32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\SysWOW64\Cchbgi32.exe
        
        C:\Windows\system32\Cchbgi32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Cjakccop.exe
        
        C:\Windows\system32\Cjakccop.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\Cnmfdb32.exe
        
        C:\Windows\system32\Cnmfdb32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Djdgic32.exe
        
        C:\Windows\system32\Djdgic32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Dmbcen32.exe
        
        C:\Windows\system32\Dmbcen32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:912
        
        C:\Windows\SysWOW64\Dpapaj32.exe
        
        C:\Windows\system32\Dpapaj32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 144
        23⤵
        Loads dropped DLL
        Program crash
        
        PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adnpkjde.exe

Filesize
94KB

MD5
154119d7c7307f7cad069bb50f7eee15

SHA1
d60e1147e55f8afcfb9f58cce149a85726f8c7fc

SHA256
9ddc73443b0f1801b8a805e51adbe20fe0f49a9a192596f6f94b7e75dc0ef8cd

SHA512
93be1575a4996159a3465b056f12a35d0090f07ed3557a685f384b4bc141d49ae8b654f02650742c6a8819b189ac54cc6e5c90622bdcf1580cf337f60dddbf9f

Download Submit
C:\Windows\SysWOW64\Bkhhhd32.exe

Filesize
94KB

MD5
10ebc25401213231ecf524c6c7208ee9

SHA1
84d72329da13383a16d62b2824f96f018bdb335c

SHA256
b4ef074519a5da0a4c02023e9fa24b7d9beb54a44aafbb55564b0d873800e5d6

SHA512
5d0a5f887f424409a46b500260d0be0d8de17647fca054f2f7d3d49e3cbef642e70429fe1bd2d39fb2d2323f22a4ca6f3d0bec53a7f528686b1d86433de26982

Download Submit
C:\Windows\SysWOW64\Cjakccop.exe

Filesize
94KB

MD5
bf440fb3c0820702370da261965188b5

SHA1
4a0df27044a77ce4cd6e1da9af0069922e6abc7c

SHA256
f280891f87677c2a1717926f15a270872f547445ddcfb03805be0b19c527fb70

SHA512
d46254c1ea171b5a4d4d3b11498a638abc27cc746a081e250cf77606ecdf93d783cef2f756781b684e0630d05f125089f7d234269c68b3d78f84e870ddf3aebb

Download Submit
C:\Windows\SysWOW64\Ckjamgmk.exe

Filesize
94KB

MD5
96eb71225d8f163f9d7e442574da2902

SHA1
77235a6ad1cef66eacf73e8af9eb4c818b9b9ef8

SHA256
1cd48c22091cd3168210a4740a55ad3508f1daed887739c9941b117320338144

SHA512
72b72c8ee52ff7f8e3b1a4b6e77a2dde3f2c270d27f69385a083ae460de754e250647ea5b46e807d0f01fb6d725ec832af29e221aff96ca8e650ba71aeeec018

Download Submit
C:\Windows\SysWOW64\Cmedlk32.exe

Filesize
94KB

MD5
07f71443ee412990befe2b75d48d3a36

SHA1
62788dc8737f2822963a5003a8ecb4a44f7bbdd7

SHA256
d62754fbc24eaae99af1809467b480a1c23ff04e6147511e5989739cc6e60e47

SHA512
2c1f83a30753ab5b3c42ea1de090ed42c79b023721569eac160f4fc9487fbda55973e53553b985774fa2da4e0a0b71a7f3ddc228b7a6a65b5fde6ee4d6840de7

Download Submit
C:\Windows\SysWOW64\Cnmfdb32.exe

Filesize
94KB

MD5
9b3db9ea44e0ae0663b2db8406a1f16a

SHA1
45f543a63e4fdd733632253d768c2d4b9975c419

SHA256
a83e9f6c91bf52600c82d25bcdc0bb4de7c51bec1839662704f6d3dc5730fb4e

SHA512
640b0301be2d1a6dbcf4ed8f68c3e27a5747eccade703dcd856a663e4d872c96cb7a6180d59d6e56ef0179f612e975b4d1be2a7a08ca40039773d9fd0ee6736c

Download Submit
C:\Windows\SysWOW64\Djdgic32.exe

Filesize
94KB

MD5
588325a662440e000759d39336275480

SHA1
ef0101894d8a7ee9c27fc623f2735b27d6896053

SHA256
d0fc6f29aca37a93d24bdc2a9e00b012f699aa0652f5cbd273c17aa78c17fa5b

SHA512
3e5157847a9512fcb23a0b5850a1e347a6ea03ce5dfcf25d80b5f5d0a21bdceb4d3081f8b72474aa1b837def8f564cec03052db8d6b6497ecf4f4966339801ad

Download Submit
C:\Windows\SysWOW64\Dmbcen32.exe

Filesize
94KB

MD5
3dd8e42ca90488af1e6cc1d39e6663fa

SHA1
173cb63cb74db53a76f5ba0d392e8c1fdb313110

SHA256
7812b1c8a3110636bf7c840f6c04a7d581d3e748c44168d26dd83f3fc9a8100d

SHA512
2adbf9c141714198885643390813f7493d143db83909b60cfd99861d08e70d6a856f8cd73354f324f03872fb307a15228a482766e28e6f2493570d06a5f3b00d

Download Submit
C:\Windows\SysWOW64\Dpapaj32.exe

Filesize
94KB

MD5
82062750694e7b490fbc4813c743def7

SHA1
6cf546d0ddb8d1850c8e9533801617d87f7059f1

SHA256
e26e958e10fdaaca92abcb127fb094846f5833b6b26e3ab20437707536152ebf

SHA512
5fd86a4a0df373fffa438fa105a8e0c7e31b9215d7d6994dad332886d877d320ea039beb3f48e09da31fd5955d604ff5dad6af9fa59600faea20194068d4289e

Download Submit
\Windows\SysWOW64\Bbmcibjp.exe

Filesize
94KB

MD5
a8538d25038521b040838bb7e232c661

SHA1
f5f376b9febb724f03163dae3e70233e4e86f938

SHA256
ca27a5da6e9524f363de57e5e99d485c3df9ab9b3ffa2c1c0d8fb39d2e64a0cb

SHA512
132946a6a0fa96bb281acc394d8ba7f02cd369e774ec6bcbf7f4eac94da4d31a039828a1f5096d996febc943cc23b15081cc7ba2156912755012e7836e7ee537

Download Submit
\Windows\SysWOW64\Bchfhfeh.exe

Filesize
94KB

MD5
85d35759a2e81b3fcf58d3736ee876c4

SHA1
06fec88b97c5d6c24b6aea9f43ca5e96a430c3ac

SHA256
5a3f71d7ac3e372efd576ebaac3332ded541680271bbab937c5b3bc3dfc78d7e

SHA512
5f4a734c343c3cdafb4717ead7b29b8fa80d006cb577099f9b8a977fdeb8f97573594694b762e33e6110352c8bdda16d31e4fc0739dd2fa42a78370778ebe904

Download Submit
\Windows\SysWOW64\Bgaebe32.exe

Filesize
94KB

MD5
3e144b0eb44173fe5d09098cb6533b86

SHA1
6d1c754ab6dad23c9ad9facc8ed2956d253dccfd

SHA256
a778e29b205e8785a2941a8e248f1e45b462ec16984ececb1d997fcf7b090789

SHA512
bf6cfc67882fe29690de99d4b6c35aa57ffd5e084f3f5a3c4cc4aa543a1f26de06b6e84c81c8f99525a8fc88e895fa01b575dacd52c2af3a275ee6571304fd7f

Download Submit
\Windows\SysWOW64\Bgoime32.exe

Filesize
94KB

MD5
dd7c8d0bda05a88f4aa547f18df6eb6b

SHA1
3c737a688a564caac81c1ee165fe2af7400f5056

SHA256
454c04c6cc0c89aeb09d139292ac9ec3644db67bea6488552c1ce3983797d40e

SHA512
d573fe8bdb100d85122666be4546823301c2dccb1a2b22f75b453f7c6ed85d09f3fe86b14de2f5d2e37404fcbdd269d286af8001694db2dd11b0cf2536e8934b

Download Submit
\Windows\SysWOW64\Bigkel32.exe

Filesize
94KB

MD5
2a71da64aa43b66aba95df165cee250f

SHA1
7f37634071b0b44ed57e68f728d5619e8849cc88

SHA256
9738cf7691631d46653bf45f653c40751eb1a3ff05ca877cb8b78185af65b40a

SHA512
1dd1e0db0b713f35de8e959ec94e3ac343edd6aba02cefbbc77ebf106c7774b679fbfc6fa824b97dc33d1134dbfcfbea54bba10e8d963e5555d26b3cafc6430d

Download Submit
\Windows\SysWOW64\Bniajoic.exe

Filesize
94KB

MD5
a2e3a4664b428338a2dead329a91cf99

SHA1
0d4e5ce6ab9e93496427ddd36c83c150e3408be8

SHA256
9c1415970d4dd075b3767f12282bbca7907392c5d4653bfd6489f79f04cbf57d

SHA512
86d3e57c6bb0b7f8dddb075c62606b9e86a7463330991bf19d1fec92f27347bd29962d03284a7d4c7042b5316e64a0ef4eab6d68f631fc971502acb04380b4f6

Download Submit
\Windows\SysWOW64\Bnknoogp.exe

Filesize
94KB

MD5
a20de65ce7d9b2b4b5241306a9d419ff

SHA1
17924a57be5bcd58ef9a43773ecf16858f8033a6

SHA256
906f38a22ad14089fa0c38e708ce3f285507c54c58e33973b60056b47feaf044

SHA512
f3b62170defe5fc47ac2f49add0f05108aa686ce2d23b72e67a6fce15d1843156462dcfce1ae71e0e60230fa2f4eb1675470946970a2168e027856f017c1d49a

Download Submit
\Windows\SysWOW64\Bqlfaj32.exe

Filesize
94KB

MD5
9a17cbc4dcf741d7063e448bd1ce16f8

SHA1
e452c23f3243d0fcd36978a963fc624e089196c1

SHA256
d93bd974cff0cd47d067d35a26520299933e3e047b24f8660ebed3fa2de68567

SHA512
64c495b88d1ef0945a2761826deb510e43c01de2db0e8edaa23e24511302aa2a8faa0108c4f08d7d70c9dce3e2888797d2dbf234a8856322daa56b097d5e2115

Download Submit
\Windows\SysWOW64\Cchbgi32.exe

Filesize
94KB

MD5
bd32ca73ffea531e6a1edbe81b710bc1

SHA1
128816ea5f9ae23563b6ad67dbff9d01d45b1e8e

SHA256
c60379daa1ec3dcbcc74fab1fb90b658c23bf6442769a6fac79c009685e10332

SHA512
724fa91adf13703ea32bf098e36844e37eef551fbb5119f4021b60c944c705c05ada1d2f0dbe29f2f5ebc6cd1f37b3a8e89d013f774ef27677a004234077c3a7

Download Submit
\Windows\SysWOW64\Cenljmgq.exe

Filesize
94KB

MD5
8faabab750989fb7bc9e1ca4c345a025

SHA1
d8ed61ad3f75aa9ad53f89fd118835e5be0964de

SHA256
e629489dc55a59276447172b962723125e25b9ec01024243f0faf60dc3edae1c

SHA512
171f06aca803a4b4a86bda82209fa8dc2ac804ecb91f54bc147c1f19a98f3c76d611588e74ae6e37fbe77b64649a6040ec56b931b43ee07fe2ee079bc210bcd1

Download Submit
\Windows\SysWOW64\Cinafkkd.exe

Filesize
94KB

MD5
b1d56d132f1cdb0867694902f2b42c52

SHA1
4891f419036193be510089d8fa107cf38e50c095

SHA256
b880826ef0ee10bf001d2789b4d11d762604964d7b2ac1eaf5fd89a060fb7c2d

SHA512
f24b94acec968af2531302a9d432aff93f91305de66b9f2e5e04d7253458a20866055c2cf3c6766f20b6e2780a8ea82dfaa8889f4b9d46b8fdf29532f7f66f2c

Download Submit
\Windows\SysWOW64\Ckmnbg32.exe

Filesize
94KB

MD5
d635a873b22ebeb3d827e29b1f56f31a

SHA1
ee08141a8d4d4c684a905692a1c297ffe5518c54

SHA256
8c1b3ce49d154bf5e30661f1cb752dcb85103c884ea5c02577be6febb777e362

SHA512
fdc365021c0fdd25fb8cc47741ee32cc0bd346d5efd72f766495fa3a3ed0aeee86914276ca01d8407c2ca298f37181d80477201caac8aefbd637fadf70105674

Download Submit
memory/484-66-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/484-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/484-17-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/912-301-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/912-290-0x00000000003B0000-0x00000000003F1000-memory.dmp

Filesize
260KB

Download
memory/1500-302-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1656-300-0x00000000002F0000-0x0000000000331000-memory.dmp

Filesize
260KB

Download
memory/1656-279-0x00000000002F0000-0x0000000000331000-memory.dmp

Filesize
260KB

Download
memory/1656-298-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1656-299-0x00000000002F0000-0x0000000000331000-memory.dmp

Filesize
260KB

Download
memory/1708-129-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1708-141-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1708-182-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1708-189-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/1716-278-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1716-283-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1716-237-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1716-244-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1716-249-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1748-173-0x0000000001F90000-0x0000000001FD1000-memory.dmp

Filesize
260KB

Download
memory/1748-172-0x0000000001F90000-0x0000000001FD1000-memory.dmp

Filesize
260KB

Download
memory/1748-163-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1748-220-0x0000000001F90000-0x0000000001FD1000-memory.dmp

Filesize
260KB

Download
memory/1888-271-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1888-270-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1888-276-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/1888-236-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2028-234-0x00000000003B0000-0x00000000003F1000-memory.dmp

Filesize
260KB

Download
memory/2028-184-0x00000000003B0000-0x00000000003F1000-memory.dmp

Filesize
260KB

Download
memory/2028-175-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2028-190-0x00000000003B0000-0x00000000003F1000-memory.dmp

Filesize
260KB

Download
memory/2028-233-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2208-260-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2208-266-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2208-297-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2216-294-0x0000000000250000-0x0000000000291000-memory.dmp

Filesize
260KB

Download
memory/2216-253-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2216-288-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2304-156-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/2304-204-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/2304-206-0x0000000000260000-0x00000000002A1000-memory.dmp

Filesize
260KB

Download
memory/2304-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2304-203-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2320-24-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2408-46-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2408-53-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2408-98-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2480-88-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2480-34-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2480-26-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2536-113-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2536-121-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/2536-126-0x0000000000290000-0x00000000002D1000-memory.dmp

Filesize
260KB

Download
memory/2536-171-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2584-97-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2584-111-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2584-170-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2584-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2596-90-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2596-96-0x00000000002D0000-0x0000000000311000-memory.dmp

Filesize
260KB

Download
memory/2596-81-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2596-128-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2704-80-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2788-61-0x0000000000280000-0x00000000002C1000-memory.dmp

Filesize
260KB

Download
memory/2788-112-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2948-248-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2956-214-0x00000000005E0000-0x0000000000621000-memory.dmp

Filesize
260KB

Download
memory/2956-259-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2956-207-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads