1a19227d871e7edaa28b3dd00fe7bc961843407a913b66be59bc45e97cb440f4

Analysis

max time kernel
83s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/09/2024, 15:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab23ca9b89224271f6e0bb83e7d45760N.exe
Size

640KB
MD5

ab23ca9b89224271f6e0bb83e7d45760
SHA1

04ceb5357b9e980898052f9821b50f5cef24f802
SHA256

1a19227d871e7edaa28b3dd00fe7bc961843407a913b66be59bc45e97cb440f4
SHA512

1b3b809807ada664aabbc39275e8f506b30ca21b1b6ade990d777274486eedaab3711233bec7144fbce7b7d5371c35a308120de742f33235e57d448187873d7a
SSDEEP

12288:Av07FndXHaINIVIIVy2oIvPKiK13fS2hEYM9RIPk:RJdXHfNIVIIVy2jU13fS2hEYM9RIPk

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 44 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajbggjfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ackkppma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcibkm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piekcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Piekcd32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaheie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cilibi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmlmic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajpjakhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amelne32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apdhjq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbdallnd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pndpajgd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohhkjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohhkjp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdaheq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aaheie32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajpjakhc.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ackkppma.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ab23ca9b89224271f6e0bb83e7d45760N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biafnecn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajbggjfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmclhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdaheq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pndpajgd.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qijdocfj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmclhi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cilibi32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oopfakpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmlmic32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcibkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qijdocfj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amelne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oopfakpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apdhjq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ab23ca9b89224271f6e0bb83e7d45760N.exe

Executes dropped EXE 22 IoCs

pid	Process
2248	Oopfakpa.exe
3020	Ohhkjp32.exe
2764	Pdaheq32.exe
1984	Pmlmic32.exe
696	Pcibkm32.exe
2924	Piekcd32.exe
2108	Pndpajgd.exe
2096	Qijdocfj.exe
3044	Aaheie32.exe
2868	Ajpjakhc.exe
2284	Ajbggjfq.exe
1420	Ackkppma.exe
1288	Amelne32.exe
1628	Apdhjq32.exe
1076	Bbdallnd.exe
1328	Biafnecn.exe
2144	Bmclhi32.exe
1668	Bdmddc32.exe
616	Bkglameg.exe
2120	Cpceidcn.exe
1616	Cilibi32.exe
1200	Cacacg32.exe

Loads dropped DLL 48 IoCs

pid	Process
2848	ab23ca9b89224271f6e0bb83e7d45760N.exe
2848	ab23ca9b89224271f6e0bb83e7d45760N.exe
2248	Oopfakpa.exe
2248	Oopfakpa.exe
3020	Ohhkjp32.exe
3020	Ohhkjp32.exe
2764	Pdaheq32.exe
2764	Pdaheq32.exe
1984	Pmlmic32.exe
1984	Pmlmic32.exe
696	Pcibkm32.exe
696	Pcibkm32.exe
2924	Piekcd32.exe
2924	Piekcd32.exe
2108	Pndpajgd.exe
2108	Pndpajgd.exe
2096	Qijdocfj.exe
2096	Qijdocfj.exe
3044	Aaheie32.exe
3044	Aaheie32.exe
2868	Ajpjakhc.exe
2868	Ajpjakhc.exe
2284	Ajbggjfq.exe
2284	Ajbggjfq.exe
1420	Ackkppma.exe
1420	Ackkppma.exe
1288	Amelne32.exe
1288	Amelne32.exe
1628	Apdhjq32.exe
1628	Apdhjq32.exe
1076	Bbdallnd.exe
1076	Bbdallnd.exe
1328	Biafnecn.exe
1328	Biafnecn.exe
2144	Bmclhi32.exe
2144	Bmclhi32.exe
1668	Bdmddc32.exe
1668	Bdmddc32.exe
616	Bkglameg.exe
616	Bkglameg.exe
2120	Cpceidcn.exe
2120	Cpceidcn.exe
1616	Cilibi32.exe
1616	Cilibi32.exe
892	WerFault.exe
892	WerFault.exe
892	WerFault.exe
892	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Oopfakpa.exe	ab23ca9b89224271f6e0bb83e7d45760N.exe
File created	C:\Windows\SysWOW64\Lapefgai.dll	Pcibkm32.exe
File opened for modification	C:\Windows\SysWOW64\Pndpajgd.exe	Piekcd32.exe
File created	C:\Windows\SysWOW64\Ncmdic32.dll	Pndpajgd.exe
File created	C:\Windows\SysWOW64\Idlgcclp.dll	Qijdocfj.exe
File created	C:\Windows\SysWOW64\Ebjnie32.dll	Ackkppma.exe
File created	C:\Windows\SysWOW64\Bmclhi32.exe	Biafnecn.exe
File created	C:\Windows\SysWOW64\Bkglameg.exe	Bdmddc32.exe
File opened for modification	C:\Windows\SysWOW64\Cpceidcn.exe	Bkglameg.exe
File opened for modification	C:\Windows\SysWOW64\Bkglameg.exe	Bdmddc32.exe
File opened for modification	C:\Windows\SysWOW64\Piekcd32.exe	Pcibkm32.exe
File created	C:\Windows\SysWOW64\Bbdallnd.exe	Apdhjq32.exe
File opened for modification	C:\Windows\SysWOW64\Ohhkjp32.exe	Oopfakpa.exe
File opened for modification	C:\Windows\SysWOW64\Pdaheq32.exe	Ohhkjp32.exe
File opened for modification	C:\Windows\SysWOW64\Ajpjakhc.exe	Aaheie32.exe
File created	C:\Windows\SysWOW64\Ackkppma.exe	Ajbggjfq.exe
File created	C:\Windows\SysWOW64\Biafnecn.exe	Bbdallnd.exe
File created	C:\Windows\SysWOW64\Cjnolikh.dll	Bmclhi32.exe
File created	C:\Windows\SysWOW64\Mdqfkmom.dll	Bdmddc32.exe
File created	C:\Windows\SysWOW64\Ohhkjp32.exe	Oopfakpa.exe
File opened for modification	C:\Windows\SysWOW64\Pcibkm32.exe	Pmlmic32.exe
File created	C:\Windows\SysWOW64\Piekcd32.exe	Pcibkm32.exe
File opened for modification	C:\Windows\SysWOW64\Aaheie32.exe	Qijdocfj.exe
File created	C:\Windows\SysWOW64\Ajbggjfq.exe	Ajpjakhc.exe
File created	C:\Windows\SysWOW64\Pmmani32.dll	Ajbggjfq.exe
File created	C:\Windows\SysWOW64\Opacnnhp.dll	Biafnecn.exe
File opened for modification	C:\Windows\SysWOW64\Pmlmic32.exe	Pdaheq32.exe
File created	C:\Windows\SysWOW64\Pcibkm32.exe	Pmlmic32.exe
File created	C:\Windows\SysWOW64\Aaheie32.exe	Qijdocfj.exe
File opened for modification	C:\Windows\SysWOW64\Amelne32.exe	Ackkppma.exe
File opened for modification	C:\Windows\SysWOW64\Bbdallnd.exe	Apdhjq32.exe
File opened for modification	C:\Windows\SysWOW64\Biafnecn.exe	Bbdallnd.exe
File created	C:\Windows\SysWOW64\Cpceidcn.exe	Bkglameg.exe
File opened for modification	C:\Windows\SysWOW64\Cilibi32.exe	Cpceidcn.exe
File created	C:\Windows\SysWOW64\Hkhfgj32.dll	Aaheie32.exe
File created	C:\Windows\SysWOW64\Cenaioaq.dll	Ajpjakhc.exe
File created	C:\Windows\SysWOW64\Hgpmbc32.dll	Cpceidcn.exe
File opened for modification	C:\Windows\SysWOW64\Oopfakpa.exe	ab23ca9b89224271f6e0bb83e7d45760N.exe
File created	C:\Windows\SysWOW64\Pdaheq32.exe	Ohhkjp32.exe
File opened for modification	C:\Windows\SysWOW64\Ackkppma.exe	Ajbggjfq.exe
File created	C:\Windows\SysWOW64\Deokbacp.dll	Bbdallnd.exe
File created	C:\Windows\SysWOW64\Bdmddc32.exe	Bmclhi32.exe
File created	C:\Windows\SysWOW64\Ndmjqgdd.dll	Bkglameg.exe
File created	C:\Windows\SysWOW64\Cacacg32.exe	Cilibi32.exe
File created	C:\Windows\SysWOW64\Fdlpjk32.dll	Cilibi32.exe
File created	C:\Windows\SysWOW64\Cjakbabj.dll	Pdaheq32.exe
File opened for modification	C:\Windows\SysWOW64\Qijdocfj.exe	Pndpajgd.exe
File created	C:\Windows\SysWOW64\Njelgo32.dll	Amelne32.exe
File created	C:\Windows\SysWOW64\Ikhkppkn.dll	Oopfakpa.exe
File created	C:\Windows\SysWOW64\Plfmnipm.dll	Ohhkjp32.exe
File created	C:\Windows\SysWOW64\Pmlmic32.exe	Pdaheq32.exe
File created	C:\Windows\SysWOW64\Pndpajgd.exe	Piekcd32.exe
File opened for modification	C:\Windows\SysWOW64\Ajbggjfq.exe	Ajpjakhc.exe
File created	C:\Windows\SysWOW64\Oflcmqaa.dll	ab23ca9b89224271f6e0bb83e7d45760N.exe
File created	C:\Windows\SysWOW64\Paenhpdh.dll	Pmlmic32.exe
File created	C:\Windows\SysWOW64\Ajpjakhc.exe	Aaheie32.exe
File created	C:\Windows\SysWOW64\Amelne32.exe	Ackkppma.exe
File opened for modification	C:\Windows\SysWOW64\Bmclhi32.exe	Biafnecn.exe
File created	C:\Windows\SysWOW64\Cilibi32.exe	Cpceidcn.exe
File opened for modification	C:\Windows\SysWOW64\Cacacg32.exe	Cilibi32.exe
File created	C:\Windows\SysWOW64\Aobcmana.dll	Piekcd32.exe
File opened for modification	C:\Windows\SysWOW64\Apdhjq32.exe	Amelne32.exe
File created	C:\Windows\SysWOW64\Momeefin.dll	Apdhjq32.exe
File opened for modification	C:\Windows\SysWOW64\Bdmddc32.exe	Bmclhi32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
892	1200	WerFault.exe	51

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdaheq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piekcd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajpjakhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajbggjfq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmclhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpceidcn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaheie32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amelne32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbdallnd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkglameg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cilibi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oopfakpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohhkjp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmlmic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcibkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pndpajgd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacacg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab23ca9b89224271f6e0bb83e7d45760N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qijdocfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ackkppma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apdhjq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biafnecn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdmddc32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdaheq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qijdocfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpmbc32.dll"	Cpceidcn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cilibi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pmlmic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaheie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdqfkmom.dll"	Bdmddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmmani32.dll"	Ajbggjfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajbggjfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amelne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkglameg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	ab23ca9b89224271f6e0bb83e7d45760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pndpajgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkhfgj32.dll"	Aaheie32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apdhjq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Biafnecn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bkglameg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Oopfakpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ohhkjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajpjakhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajbggjfq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjnolikh.dll"	Bmclhi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlpjk32.dll"	Cilibi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncmdic32.dll"	Pndpajgd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajpjakhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cenaioaq.dll"	Ajpjakhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjnie32.dll"	Ackkppma.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amelne32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmclhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pdaheq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pcibkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Piekcd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndmjqgdd.dll"	Bkglameg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmlmic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idlgcclp.dll"	Qijdocfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Biafnecn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	ab23ca9b89224271f6e0bb83e7d45760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oflcmqaa.dll"	ab23ca9b89224271f6e0bb83e7d45760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikhkppkn.dll"	Oopfakpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plfmnipm.dll"	Ohhkjp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Piekcd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbdallnd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paenhpdh.dll"	Pmlmic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apdhjq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opacnnhp.dll"	Biafnecn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	ab23ca9b89224271f6e0bb83e7d45760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjakbabj.dll"	Pdaheq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbdallnd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bdmddc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aaheie32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ackkppma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njelgo32.dll"	Amelne32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ackkppma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qijdocfj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmclhi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpceidcn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	ab23ca9b89224271f6e0bb83e7d45760N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lapefgai.dll"	Pcibkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pcibkm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aobcmana.dll"	Piekcd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pndpajgd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2248	2848	ab23ca9b89224271f6e0bb83e7d45760N.exe	30
PID 2848 wrote to memory of 2248	2848	ab23ca9b89224271f6e0bb83e7d45760N.exe	30
PID 2848 wrote to memory of 2248	2848	ab23ca9b89224271f6e0bb83e7d45760N.exe	30
PID 2848 wrote to memory of 2248	2848	ab23ca9b89224271f6e0bb83e7d45760N.exe	30
PID 2248 wrote to memory of 3020	2248	Oopfakpa.exe	31
PID 2248 wrote to memory of 3020	2248	Oopfakpa.exe	31
PID 2248 wrote to memory of 3020	2248	Oopfakpa.exe	31
PID 2248 wrote to memory of 3020	2248	Oopfakpa.exe	31
PID 3020 wrote to memory of 2764	3020	Ohhkjp32.exe	32
PID 3020 wrote to memory of 2764	3020	Ohhkjp32.exe	32
PID 3020 wrote to memory of 2764	3020	Ohhkjp32.exe	32
PID 3020 wrote to memory of 2764	3020	Ohhkjp32.exe	32
PID 2764 wrote to memory of 1984	2764	Pdaheq32.exe	33
PID 2764 wrote to memory of 1984	2764	Pdaheq32.exe	33
PID 2764 wrote to memory of 1984	2764	Pdaheq32.exe	33
PID 2764 wrote to memory of 1984	2764	Pdaheq32.exe	33
PID 1984 wrote to memory of 696	1984	Pmlmic32.exe	34
PID 1984 wrote to memory of 696	1984	Pmlmic32.exe	34
PID 1984 wrote to memory of 696	1984	Pmlmic32.exe	34
PID 1984 wrote to memory of 696	1984	Pmlmic32.exe	34
PID 696 wrote to memory of 2924	696	Pcibkm32.exe	35
PID 696 wrote to memory of 2924	696	Pcibkm32.exe	35
PID 696 wrote to memory of 2924	696	Pcibkm32.exe	35
PID 696 wrote to memory of 2924	696	Pcibkm32.exe	35
PID 2924 wrote to memory of 2108	2924	Piekcd32.exe	36
PID 2924 wrote to memory of 2108	2924	Piekcd32.exe	36
PID 2924 wrote to memory of 2108	2924	Piekcd32.exe	36
PID 2924 wrote to memory of 2108	2924	Piekcd32.exe	36
PID 2108 wrote to memory of 2096	2108	Pndpajgd.exe	37
PID 2108 wrote to memory of 2096	2108	Pndpajgd.exe	37
PID 2108 wrote to memory of 2096	2108	Pndpajgd.exe	37
PID 2108 wrote to memory of 2096	2108	Pndpajgd.exe	37
PID 2096 wrote to memory of 3044	2096	Qijdocfj.exe	38
PID 2096 wrote to memory of 3044	2096	Qijdocfj.exe	38
PID 2096 wrote to memory of 3044	2096	Qijdocfj.exe	38
PID 2096 wrote to memory of 3044	2096	Qijdocfj.exe	38
PID 3044 wrote to memory of 2868	3044	Aaheie32.exe	39
PID 3044 wrote to memory of 2868	3044	Aaheie32.exe	39
PID 3044 wrote to memory of 2868	3044	Aaheie32.exe	39
PID 3044 wrote to memory of 2868	3044	Aaheie32.exe	39
PID 2868 wrote to memory of 2284	2868	Ajpjakhc.exe	40
PID 2868 wrote to memory of 2284	2868	Ajpjakhc.exe	40
PID 2868 wrote to memory of 2284	2868	Ajpjakhc.exe	40
PID 2868 wrote to memory of 2284	2868	Ajpjakhc.exe	40
PID 2284 wrote to memory of 1420	2284	Ajbggjfq.exe	41
PID 2284 wrote to memory of 1420	2284	Ajbggjfq.exe	41
PID 2284 wrote to memory of 1420	2284	Ajbggjfq.exe	41
PID 2284 wrote to memory of 1420	2284	Ajbggjfq.exe	41
PID 1420 wrote to memory of 1288	1420	Ackkppma.exe	42
PID 1420 wrote to memory of 1288	1420	Ackkppma.exe	42
PID 1420 wrote to memory of 1288	1420	Ackkppma.exe	42
PID 1420 wrote to memory of 1288	1420	Ackkppma.exe	42
PID 1288 wrote to memory of 1628	1288	Amelne32.exe	43
PID 1288 wrote to memory of 1628	1288	Amelne32.exe	43
PID 1288 wrote to memory of 1628	1288	Amelne32.exe	43
PID 1288 wrote to memory of 1628	1288	Amelne32.exe	43
PID 1628 wrote to memory of 1076	1628	Apdhjq32.exe	44
PID 1628 wrote to memory of 1076	1628	Apdhjq32.exe	44
PID 1628 wrote to memory of 1076	1628	Apdhjq32.exe	44
PID 1628 wrote to memory of 1076	1628	Apdhjq32.exe	44
PID 1076 wrote to memory of 1328	1076	Bbdallnd.exe	45
PID 1076 wrote to memory of 1328	1076	Bbdallnd.exe	45
PID 1076 wrote to memory of 1328	1076	Bbdallnd.exe	45
PID 1076 wrote to memory of 1328	1076	Bbdallnd.exe	45

C:\Users\Admin\AppData\Local\Temp\ab23ca9b89224271f6e0bb83e7d45760N.exe
"C:\Users\Admin\AppData\Local\Temp\ab23ca9b89224271f6e0bb83e7d45760N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\SysWOW64\Oopfakpa.exe
  C:\Windows\system32\Oopfakpa.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\SysWOW64\Ohhkjp32.exe
    C:\Windows\system32\Ohhkjp32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3020
  - - C:\Windows\SysWOW64\Pdaheq32.exe
      C:\Windows\system32\Pdaheq32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2764
    - - C:\Windows\SysWOW64\Pmlmic32.exe
        
        C:\Windows\system32\Pmlmic32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1984
      - C:\Windows\SysWOW64\Pcibkm32.exe
        
        C:\Windows\system32\Pcibkm32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:696
        
        C:\Windows\SysWOW64\Piekcd32.exe
        
        C:\Windows\system32\Piekcd32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\SysWOW64\Pndpajgd.exe
        
        C:\Windows\system32\Pndpajgd.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\Qijdocfj.exe
        
        C:\Windows\system32\Qijdocfj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Aaheie32.exe
        
        C:\Windows\system32\Aaheie32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\Ajpjakhc.exe
        
        C:\Windows\system32\Ajpjakhc.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Ajbggjfq.exe
        
        C:\Windows\system32\Ajbggjfq.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Ackkppma.exe
        
        C:\Windows\system32\Ackkppma.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Windows\SysWOW64\Amelne32.exe
        
        C:\Windows\system32\Amelne32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\SysWOW64\Apdhjq32.exe
        
        C:\Windows\system32\Apdhjq32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\SysWOW64\Bbdallnd.exe
        
        C:\Windows\system32\Bbdallnd.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\Biafnecn.exe
        
        C:\Windows\system32\Biafnecn.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1328
        
        C:\Windows\SysWOW64\Bmclhi32.exe
        
        C:\Windows\system32\Bmclhi32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Bdmddc32.exe
        
        C:\Windows\system32\Bdmddc32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Bkglameg.exe
        
        C:\Windows\system32\Bkglameg.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:616
        
        C:\Windows\SysWOW64\Cpceidcn.exe
        
        C:\Windows\system32\Cpceidcn.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Cilibi32.exe
        
        C:\Windows\system32\Cilibi32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\Cacacg32.exe
        
        C:\Windows\system32\Cacacg32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 140
        24⤵
        Loads dropped DLL
        Program crash
        
        PID:892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ackkppma.exe

Filesize
640KB

MD5
61a986bee36aae408cb788110aafa308

SHA1
334a9b9dbaf0d6ce028dbcaee3ad6fc05e041982

SHA256
65e53d07abb63b256de9ec54e92355b3a26c6cde3a58fffed49f2f4a29fd6943

SHA512
a60c1757cf3437e2f5b7b94408b1820fb601b221e1f93b6e262a202c23a2725b033cdff9f578a20bf93ca7ffc4acd9a2cc34754c61a85327ec7ec22873a8af77

Download Submit
C:\Windows\SysWOW64\Apdhjq32.exe

Filesize
640KB

MD5
26d66814169179c6a8a741695772914c

SHA1
69ea1020d1ed7e05a436b88bc6967852047f901d

SHA256
0ffff06f45c9403641c20b6af2eaed133aab5c085e5036f93524e49fb8d0eaec

SHA512
487d11850cad0bc350102f2ba15717b5ff06032f91be880f69bdc5e5d456cc6876f101c07befb1382eca3fa836a0a3647dc7cc351cb73cfb5684536e88c75d0e

Download Submit
C:\Windows\SysWOW64\Bdmddc32.exe

Filesize
640KB

MD5
74b1132fcd5651398c443fa1bfb86e2f

SHA1
4cb1748a33cc14487e22362a3dac0f9797e956fc

SHA256
773fa473ffa1444efafe0f83d271554daa4cfa9d1c8274b9d7cfdf643d8994df

SHA512
39262e3792b2172febe40fab24dc7980afe70095432abcf284c4fcc0de5b3948eb7db26e399c8a41e8d5942160579a264125eaf91806e347432eba2759d4ec0a

Download Submit
C:\Windows\SysWOW64\Bkglameg.exe

Filesize
640KB

MD5
77fca0dca4c7c38bc4ec71211f1e7ebd

SHA1
8e14d8907532e70747aba0cd609590ebfad65346

SHA256
1bcc9cc52da44c8a3c5af25ce4e44b4ddebb85c96bb897fea9d6c09cc2f7d41d

SHA512
c88b391e427a287cdff1ca7ddea25c11a7917789fcc8c35420190edb3f2c0491f1c7b0087ea99cc02674ba39bb73ffbb43b1b1e304075a36ae018f607fd71ae6

Download Submit
C:\Windows\SysWOW64\Bmclhi32.exe

Filesize
640KB

MD5
dc5d3fdadf0aa634c818bc818a20ca8b

SHA1
b4e2e5e314c8b03ccea3092e44700fd8c776bc22

SHA256
49d72c23899dabb9bad15577343e1c13b0f66a8745701f043a077993cb79f824

SHA512
2add65d2b9e401f4cf02f18f21e0eb1056b5b33065681f19b4b6c42340deef311f6226e49754a6daaf377bd1fa57f40f0dd2276a4ba6ac87cbabecb1cfcbeabf

Download Submit
C:\Windows\SysWOW64\Cacacg32.exe

Filesize
640KB

MD5
f73fe7e0fd806da99552ffa5a042c6a4

SHA1
37ec63f8a3e9c212ab6d162d61cad6934ae93baa

SHA256
057a3a7cdc8bb0b2e41fce5c8ffcb26dafd81c78acfcb2d4f252321369ac8ed4

SHA512
92f5ea85b80faff6b2fe230b81b2e517f5b2f15c331372da141f65d4fdc5aa61fc39370cddbc582dc5a196df3c6edbfdcd0bdaf8deccd474c1519a40bdff9400

Download Submit
C:\Windows\SysWOW64\Cilibi32.exe

Filesize
640KB

MD5
b591722f553b803cdf73cb1194e14a95

SHA1
7b61747fe820376cdd037d4b7a68f4b7b1c9e97b

SHA256
eddde82ebb2d901527f7549f8fde37ad9ef81b793ff5c5e591721cd55f847307

SHA512
da55c5cd5a3bf3887e1955e15a187d17ffc19ac3883da6f5eccb44715c95bea0be918f59760d79113ddb1fd6bca548d53cf910aff09d7d6b39570a0500794a24

Download Submit
C:\Windows\SysWOW64\Cpceidcn.exe

Filesize
640KB

MD5
09b031b0e7ec7c42054718b5832f887b

SHA1
21a6d8d5b998273d45b5f2666459e8f35e07887d

SHA256
d8156e8088c7fd4a986769829c22e88a2b3b01c6b78edf2373074ca0793f567d

SHA512
67ba1d15cd3492083c3c4780afc75abfc007148ea90226691e5ff19618310d613626f026f6e1f0a50a2fe4ff759387a208b265d0efead653a28165a69bb9b7b8

Download Submit
C:\Windows\SysWOW64\Ohhkjp32.exe

Filesize
640KB

MD5
2e3e5cf752b0f26118985d00ee38811e

SHA1
69b41d3d892a9bb45baf3bf3e653407df6668a75

SHA256
ea5fe749af42dcd629eb1490e739ea43b8798abc11cab953179f5f373f2cddef

SHA512
3b67df8f7ea90ed487dcaf54e5126c326a1ece18f358929a13b36f2881015e7bb1bac688cddf1d136e684deb2747ddf6fac8468c8944c7dff94a986e447e2b92

Download Submit
C:\Windows\SysWOW64\Oopfakpa.exe

Filesize
640KB

MD5
4149b5f6a5bd80228f08c340e6c2d3e2

SHA1
40f0779c1ee871aee3b8b2fcceb89dcbc756cba4

SHA256
579e0d38d816ec1c7c953537bf29031d474e234f123a2d9dfc7862383ece965c

SHA512
82dd4d1bcd8426eda577e6e82d685db50638949ac868590714580435901e613dd56ca5ce15520f33aa55e0dec102e78e444b140d21cdc511b0fb04c38546d89a

Download Submit
C:\Windows\SysWOW64\Piekcd32.exe

Filesize
640KB

MD5
573734c27fed377728c6584f3a71d5a5

SHA1
08174627cef05cff2d150770ba1605f10bbfa2b6

SHA256
af079955ceec0f96e9e504f78a8beee4a25fd8d8dfe49bf767f62fff2ca6964f

SHA512
349492d07e25c98c943539ff17b0203820ce74dd2e69242e582a3fed4d7c24ee5a8e43b1493181f0b79bdd631ef28b2768f350261ba183395adf6734730289de

Download Submit
C:\Windows\SysWOW64\Qijdocfj.exe

Filesize
640KB

MD5
ac7f7624fad8c1667ac084e77fa6b2eb

SHA1
ca79a5576a8f3d869e5b304a56c76f63cec7aa75

SHA256
4d1b80fc3f24b9f83ef19c449dd4db12cac228452c9717fd46ed2cfb2c3fa64c

SHA512
cfe49aaead4622b9613febb367a475db2b2ee59aa100b931a37b1ee4db017096e8003b71595080b6dac984e9f6d163fad67402f96996019c310a416ab2fe890f

Download Submit
\Windows\SysWOW64\Aaheie32.exe

Filesize
640KB

MD5
5bebe9407c59c5881062605eaa5a1932

SHA1
34fe10ac9ba570611748d2a9b0a093a9293792c5

SHA256
189185c6417434a9cd87604bf59c817ce2f37a5ef9c03c49ac4c6d7e287790ae

SHA512
f941d2aab315826b2be6a4e1c3d6879016f310919016ec635740d0757613ae299c0c515fedd9e48ba067bc0b3641316cfda771b6b3f7555caadf86adc87e2bdf

Download Submit
\Windows\SysWOW64\Ajbggjfq.exe

Filesize
640KB

MD5
342587e763ac7ae516d00987ff975f8b

SHA1
13c4e7d029162f2cb4f07247c103748593b2f918

SHA256
25a116ac7e5c2aaff9b87e9520325c2f3ce64729ccd168cf1032a391740fa492

SHA512
3ab8c216e63a41c1e69a017ca49b45f29600a745b471939bbbc3695c06f15430050c449524eb01664a2e924077499d7ec27bec7377d25e5141276543ba3101d6

Download Submit
\Windows\SysWOW64\Ajpjakhc.exe

Filesize
640KB

MD5
5e85d753c2147bee59a01f05b4411864

SHA1
2a68789967d227b5e657cad4ba422f2c00c2866f

SHA256
b2166f305123b1df56b8f209314333083aa2775f4b34ffb5ef6d72b085252b95

SHA512
b8fee13a18eb074847ac09aa059cbd053acdf0580b461505d38ac0d610807257067eaf4244e6fe15cea18aea38962edbe43fb1b3ebae8be1323268a6b44cdb45

Download Submit
\Windows\SysWOW64\Amelne32.exe

Filesize
640KB

MD5
aec50ccc1ab2deb76b8e78e799e10b7d

SHA1
37b152b98d22900dccc590041bd2a24d6aa9c424

SHA256
1e6ba989c586f9009330dfac365503c38cf866314bd9527a9551d0fbfbd4b3c8

SHA512
5c98db109008f365db1f16532f6c279ae38d54da915093c7e994f6b0e72103ecc672df4a77ce29181aed95decbf2c52bf277b5a8723bda06b809d3cb3f0cae34

Download Submit
\Windows\SysWOW64\Bbdallnd.exe

Filesize
640KB

MD5
2e1c3208325b43787c31c9e8d01cb2a4

SHA1
1a532883e0ef5173c63eba35fa89b07999187fd1

SHA256
e2f7cf41ab138a094fbc4a053606dc1da752e61608ca3f946f6f34ade2bb462d

SHA512
bed06ab42e456d08502d4fa6af8530825f5494609aaca49ef1752fae1ef67faeb3a25b641d078c0e23c08ef80901b270435f05d6c83871db7a8946c72937fbaa

Download Submit
\Windows\SysWOW64\Biafnecn.exe

Filesize
640KB

MD5
8adad842d30babeb693c29550043be42

SHA1
177b3007866b749eb0669d9f24cce47d009d9aa3

SHA256
deb48a3ab263ac38c21158d5e473f1d72432fb226a6f026edd601e5231777f8f

SHA512
c70c80007fe67169e184d08171a06dc7ce280d88ae99d4b00286792f4676864701da42fc0bb0070d13d994af0122eceda3f087a45344059b9bbd73f1e9a359ae

Download Submit
\Windows\SysWOW64\Pcibkm32.exe

Filesize
640KB

MD5
812ae0ad4282c74f66fbbb802fd30c76

SHA1
7a34604ea1010651137c4fe4256d49e61a78a964

SHA256
35936de63034cd1accec6c1fe0f2cf0dabae444fa91c5a91454fabf9160e4adc

SHA512
cbd9dbcac9786c645e400345e77649ff265790464608bc2a22ddfead58db33a57737d30f826293f9a804c289c4a1675ddf04f81bac2b90f7e7e03c9f9adb0d4f

Download Submit
\Windows\SysWOW64\Pdaheq32.exe

Filesize
640KB

MD5
1e7f553481c03a6062e1c7ad2f9122db

SHA1
f94b7b767e5f3c2df3049de3319ca87263051743

SHA256
cdb4bc904b2c28d1fbc6f5e0607e0d6519086061d82254ced6008c42e29b53ce

SHA512
b872fc4f9644d34754ac5c8ef4dd1ee79a0e1e9ae3dfdcc5f559bed0039508110938c3ad5b7a0208a67c67b2e4f96eb96ebb0f93ff2ee6b4a709062eaf2b2363

Download Submit
\Windows\SysWOW64\Pmlmic32.exe

Filesize
640KB

MD5
57e4616c700d5148e5e398a30a27713d

SHA1
9b24b656031529e57b7e5a2fecbc29ab88d80cbf

SHA256
18d51198f08eca189f5ec79769dd53591a590dce49d0a4b33c488e5189eb6cf5

SHA512
aa2bdcc85c57f490ce4242ce7d0c015956ffc4879b1164b1f084f36a8687fc01199c51ec9e083173c0ceae38fd9200efca33459e832fc8525b7fba965675fcb6

Download Submit
\Windows\SysWOW64\Pndpajgd.exe

Filesize
640KB

MD5
ac7fe7ea124dd134cdb5c972f7df791c

SHA1
e9591c1317a89580835011566dbdc975ff2b873f

SHA256
ff41c03348e8e9d70d39e152c2eb380340ff2ff951e042561c3167d01639b9c3

SHA512
b5544d3aadc7c17b500084e86d1fd90b218a0d2db110645284e2d06880c8e5049e5e42e4722e5a6009610a9acea0b1f6c3d9256042f26eec5eb7e9d758937f51

Download Submit
memory/616-264-0x0000000000290000-0x00000000002CE000-memory.dmp

Filesize
248KB

Download
memory/616-263-0x0000000000290000-0x00000000002CE000-memory.dmp

Filesize
248KB

Download
memory/616-254-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/616-309-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/696-295-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/696-73-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/696-81-0x00000000002F0000-0x000000000032E000-memory.dmp

Filesize
248KB

Download
memory/1076-210-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1076-305-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1076-221-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1200-287-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1200-312-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1288-181-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1288-193-0x00000000005D0000-0x000000000060E000-memory.dmp

Filesize
248KB

Download
memory/1288-303-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1328-233-0x0000000000310000-0x000000000034E000-memory.dmp

Filesize
248KB

Download
memory/1328-223-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1328-306-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1328-234-0x0000000000310000-0x000000000034E000-memory.dmp

Filesize
248KB

Download
memory/1420-179-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/1420-175-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/1420-302-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1420-166-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1616-286-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/1616-311-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1616-285-0x0000000000260000-0x000000000029E000-memory.dmp

Filesize
248KB

Download
memory/1616-279-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1628-195-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1628-202-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1628-304-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1668-244-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1668-250-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/1668-308-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1984-294-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1984-55-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1984-63-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/2096-298-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2096-118-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/2096-111-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2108-297-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2108-109-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2108-98-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2120-265-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2120-310-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2120-275-0x00000000005D0000-0x000000000060E000-memory.dmp

Filesize
248KB

Download
memory/2120-271-0x00000000005D0000-0x000000000060E000-memory.dmp

Filesize
248KB

Download
memory/2144-235-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2144-307-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2248-26-0x0000000000270000-0x00000000002AE000-memory.dmp

Filesize
248KB

Download
memory/2248-290-0x0000000000270000-0x00000000002AE000-memory.dmp

Filesize
248KB

Download
memory/2248-19-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2284-164-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2284-301-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2284-156-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2764-49-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2764-292-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2764-293-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/2848-288-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2848-11-0x0000000001F30000-0x0000000001F6E000-memory.dmp

Filesize
248KB

Download
memory/2848-12-0x0000000001F30000-0x0000000001F6E000-memory.dmp

Filesize
248KB

Download
memory/2848-289-0x0000000001F30000-0x0000000001F6E000-memory.dmp

Filesize
248KB

Download
memory/2848-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2868-146-0x00000000002D0000-0x000000000030E000-memory.dmp

Filesize
248KB

Download
memory/2868-300-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2868-138-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2924-83-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2924-296-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2924-95-0x0000000000280000-0x00000000002BE000-memory.dmp

Filesize
248KB

Download
memory/3020-28-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3020-36-0x0000000000440000-0x000000000047E000-memory.dmp

Filesize
248KB

Download
memory/3020-291-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3044-132-0x0000000000250000-0x000000000028E000-memory.dmp

Filesize
248KB

Download
memory/3044-299-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads