466c5e1c4a4074b27ec9e0643af22611f1cab311bfef6564055c85d52297409a

Analysis

max time kernel
125s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

466c5e1c4a4074b27ec9e0643af22611f1cab311bfef6564055c85d52297409a.exe
Size

96KB
MD5

704b21d1e8625798a532540be684a8d6
SHA1

cfb59fa7860a253e2f759205b811435eb0f9e2a0
SHA256

466c5e1c4a4074b27ec9e0643af22611f1cab311bfef6564055c85d52297409a
SHA512

c6519a7e0558c752606f9b6954c406295f53518060ee038b89ecf8fefe72718277568d274aea08fb75946e427a341fb3f4ee8eff79441b7be271662482bc3d19
SSDEEP

1536:Lfat92ro00LEiN0wXnpiuqwbpdrJ0G3jb/duV9jojTIvjrH:Lit9ylwxXVdrJt33/d69jc0vf

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgcihgaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coegoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dddllkbf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	466c5e1c4a4074b27ec9e0643af22611f1cab311bfef6564055c85d52297409a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akdilipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpfcfmlp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnjdpaki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cggimh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckgohf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpdgqmnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddllkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bklomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bpkdjofm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bkphhgfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgnomg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpkdjofm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdimqm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdkifmjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ckgohf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnjdpaki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhblllfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhblllfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cncnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	466c5e1c4a4074b27ec9e0643af22611f1cab311bfef6564055c85d52297409a.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgbpaipl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpkmal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Akdilipp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgifbhid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfcfmlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Baegibae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cggimh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnaaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnaaib32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdkifmjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgnomg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkphhgfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bajqda32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bajqda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgcihgaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cncnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cpdgqmnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Coegoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgbpaipl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdimqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cgifbhid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bklomh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baegibae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnlhncgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnlhncgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dpkmal32.exe

Executes dropped EXE 25 IoCs

pid	Process
1516	Akdilipp.exe
2556	Bklomh32.exe
3404	Baegibae.exe
4636	Bgbpaipl.exe
4856	Bnlhncgi.exe
1768	Bpkdjofm.exe
3056	Bhblllfo.exe
5052	Bkphhgfc.exe
3808	Bajqda32.exe
3984	Cdimqm32.exe
3048	Cggimh32.exe
924	Cnaaib32.exe
5008	Cdkifmjq.exe
2356	Cgifbhid.exe
4380	Cncnob32.exe
1632	Ckgohf32.exe
2820	Cpdgqmnb.exe
1284	Cgnomg32.exe
5060	Coegoe32.exe
3232	Cpfcfmlp.exe
3864	Cnjdpaki.exe
4848	Dddllkbf.exe
2032	Dgcihgaj.exe
4320	Dpkmal32.exe
2008	Dkqaoe32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dkbnla32.dll	Bpkdjofm.exe
File opened for modification	C:\Windows\SysWOW64\Cdimqm32.exe	Bajqda32.exe
File created	C:\Windows\SysWOW64\Cggimh32.exe	Cdimqm32.exe
File created	C:\Windows\SysWOW64\Cgifbhid.exe	Cdkifmjq.exe
File opened for modification	C:\Windows\SysWOW64\Ckgohf32.exe	Cncnob32.exe
File created	C:\Windows\SysWOW64\Dpkmal32.exe	Dgcihgaj.exe
File created	C:\Windows\SysWOW64\Bhblllfo.exe	Bpkdjofm.exe
File created	C:\Windows\SysWOW64\Coegoe32.exe	Cgnomg32.exe
File created	C:\Windows\SysWOW64\Fomnhddq.dll	Coegoe32.exe
File opened for modification	C:\Windows\SysWOW64\Dddllkbf.exe	Cnjdpaki.exe
File created	C:\Windows\SysWOW64\Bpkdjofm.exe	Bnlhncgi.exe
File opened for modification	C:\Windows\SysWOW64\Bhblllfo.exe	Bpkdjofm.exe
File created	C:\Windows\SysWOW64\Cgnomg32.exe	Cpdgqmnb.exe
File opened for modification	C:\Windows\SysWOW64\Akdilipp.exe	466c5e1c4a4074b27ec9e0643af22611f1cab311bfef6564055c85d52297409a.exe
File created	C:\Windows\SysWOW64\Bgbpaipl.exe	Baegibae.exe
File opened for modification	C:\Windows\SysWOW64\Bnlhncgi.exe	Bgbpaipl.exe
File opened for modification	C:\Windows\SysWOW64\Bkphhgfc.exe	Bhblllfo.exe
File created	C:\Windows\SysWOW64\Cklgfgfg.dll	Bkphhgfc.exe
File created	C:\Windows\SysWOW64\Cncnob32.exe	Cgifbhid.exe
File opened for modification	C:\Windows\SysWOW64\Cgnomg32.exe	Cpdgqmnb.exe
File created	C:\Windows\SysWOW64\Cpfcfmlp.exe	Coegoe32.exe
File created	C:\Windows\SysWOW64\Bkamodje.dll	Bklomh32.exe
File opened for modification	C:\Windows\SysWOW64\Dkqaoe32.exe	Dpkmal32.exe
File opened for modification	C:\Windows\SysWOW64\Dgcihgaj.exe	Dddllkbf.exe
File opened for modification	C:\Windows\SysWOW64\Bajqda32.exe	Bkphhgfc.exe
File created	C:\Windows\SysWOW64\Kolfbd32.dll	Bajqda32.exe
File created	C:\Windows\SysWOW64\Cnaaib32.exe	Cggimh32.exe
File created	C:\Windows\SysWOW64\Dgcihgaj.exe	Dddllkbf.exe
File created	C:\Windows\SysWOW64\Glfdiedd.dll	Dpkmal32.exe
File opened for modification	C:\Windows\SysWOW64\Bklomh32.exe	Akdilipp.exe
File created	C:\Windows\SysWOW64\Dddllkbf.exe	Cnjdpaki.exe
File created	C:\Windows\SysWOW64\Lelgfl32.dll	Cnaaib32.exe
File created	C:\Windows\SysWOW64\Fgijpe32.dll	Baegibae.exe
File opened for modification	C:\Windows\SysWOW64\Bpkdjofm.exe	Bnlhncgi.exe
File created	C:\Windows\SysWOW64\Cdimqm32.exe	Bajqda32.exe
File created	C:\Windows\SysWOW64\Aqjpajgi.dll	Cncnob32.exe
File opened for modification	C:\Windows\SysWOW64\Cpfcfmlp.exe	Coegoe32.exe
File created	C:\Windows\SysWOW64\Bljlpjaf.dll	Akdilipp.exe
File created	C:\Windows\SysWOW64\Cpdgqmnb.exe	Ckgohf32.exe
File created	C:\Windows\SysWOW64\Omjbpn32.dll	Dgcihgaj.exe
File created	C:\Windows\SysWOW64\Jlobem32.dll	Cdimqm32.exe
File created	C:\Windows\SysWOW64\Ijilflah.dll	Cpdgqmnb.exe
File created	C:\Windows\SysWOW64\Qkhnbpne.dll	466c5e1c4a4074b27ec9e0643af22611f1cab311bfef6564055c85d52297409a.exe
File created	C:\Windows\SysWOW64\Bnlhncgi.exe	Bgbpaipl.exe
File created	C:\Windows\SysWOW64\Ckgohf32.exe	Cncnob32.exe
File created	C:\Windows\SysWOW64\Bklomh32.exe	Akdilipp.exe
File created	C:\Windows\SysWOW64\Ehojko32.dll	Bgbpaipl.exe
File opened for modification	C:\Windows\SysWOW64\Cgifbhid.exe	Cdkifmjq.exe
File opened for modification	C:\Windows\SysWOW64\Cpdgqmnb.exe	Ckgohf32.exe
File created	C:\Windows\SysWOW64\Akdilipp.exe	466c5e1c4a4074b27ec9e0643af22611f1cab311bfef6564055c85d52297409a.exe
File opened for modification	C:\Windows\SysWOW64\Cdkifmjq.exe	Cnaaib32.exe
File opened for modification	C:\Windows\SysWOW64\Cnjdpaki.exe	Cpfcfmlp.exe
File created	C:\Windows\SysWOW64\Bkphhgfc.exe	Bhblllfo.exe
File created	C:\Windows\SysWOW64\Gpojkp32.dll	Bhblllfo.exe
File created	C:\Windows\SysWOW64\Cdkifmjq.exe	Cnaaib32.exe
File created	C:\Windows\SysWOW64\Cpfoag32.dll	Ckgohf32.exe
File opened for modification	C:\Windows\SysWOW64\Coegoe32.exe	Cgnomg32.exe
File created	C:\Windows\SysWOW64\Cnjdpaki.exe	Cpfcfmlp.exe
File created	C:\Windows\SysWOW64\Ennamn32.dll	Cpfcfmlp.exe
File created	C:\Windows\SysWOW64\Baegibae.exe	Bklomh32.exe
File created	C:\Windows\SysWOW64\Gelfeh32.dll	Dddllkbf.exe
File created	C:\Windows\SysWOW64\Nalhik32.dll	Cnjdpaki.exe
File opened for modification	C:\Windows\SysWOW64\Cggimh32.exe	Cdimqm32.exe
File opened for modification	C:\Windows\SysWOW64\Cnaaib32.exe	Cggimh32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2320	2008	WerFault.exe	117

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkphhgfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cggimh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnaaib32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfcfmlp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnlhncgi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgnomg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgcihgaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cncnob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpkdjofm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdimqm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckgohf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coegoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddllkbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkqaoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgbpaipl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bajqda32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	466c5e1c4a4074b27ec9e0643af22611f1cab311bfef6564055c85d52297409a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdkifmjq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpkmal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhblllfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baegibae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bklomh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgifbhid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpdgqmnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnjdpaki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akdilipp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgbpaipl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bgbpaipl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cgnomg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Akdilipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpfoag32.dll"	Ckgohf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpdgqmnb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bklomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgijpe32.dll"	Baegibae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Coegoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nalhik32.dll"	Cnjdpaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Baegibae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkbnla32.dll"	Bpkdjofm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlkidpke.dll"	Cgifbhid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ckgohf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpdgqmnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fomnhddq.dll"	Coegoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gelfeh32.dll"	Dddllkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bljlpjaf.dll"	Akdilipp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bklomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bkphhgfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dddllkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll"	Dpkmal32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	466c5e1c4a4074b27ec9e0643af22611f1cab311bfef6564055c85d52297409a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	466c5e1c4a4074b27ec9e0643af22611f1cab311bfef6564055c85d52297409a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnlhncgi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bhblllfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdimqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nflnbh32.dll"	Cggimh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Coegoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ennamn32.dll"	Cpfcfmlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cpfcfmlp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnaaib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdkifmjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdkifmjq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ckgohf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijilflah.dll"	Cpdgqmnb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmamhbhe.dll"	Cgnomg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	466c5e1c4a4074b27ec9e0643af22611f1cab311bfef6564055c85d52297409a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnlhncgi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnaaib32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cncnob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgnomg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnjdpaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dddllkbf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omjbpn32.dll"	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkamodje.dll"	Bklomh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Baegibae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cncnob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	466c5e1c4a4074b27ec9e0643af22611f1cab311bfef6564055c85d52297409a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bpkdjofm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cggimh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgcihgaj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	466c5e1c4a4074b27ec9e0643af22611f1cab311bfef6564055c85d52297409a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cklgfgfg.dll"	Bkphhgfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kolfbd32.dll"	Bajqda32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bajqda32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdimqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlobem32.dll"	Cdimqm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cgifbhid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cpfcfmlp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dpkmal32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkhnbpne.dll"	466c5e1c4a4074b27ec9e0643af22611f1cab311bfef6564055c85d52297409a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehojko32.dll"	Bgbpaipl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4804 wrote to memory of 1516	4804	466c5e1c4a4074b27ec9e0643af22611f1cab311bfef6564055c85d52297409a.exe	90
PID 4804 wrote to memory of 1516	4804	466c5e1c4a4074b27ec9e0643af22611f1cab311bfef6564055c85d52297409a.exe	90
PID 4804 wrote to memory of 1516	4804	466c5e1c4a4074b27ec9e0643af22611f1cab311bfef6564055c85d52297409a.exe	90
PID 1516 wrote to memory of 2556	1516	Akdilipp.exe	91
PID 1516 wrote to memory of 2556	1516	Akdilipp.exe	91
PID 1516 wrote to memory of 2556	1516	Akdilipp.exe	91
PID 2556 wrote to memory of 3404	2556	Bklomh32.exe	92
PID 2556 wrote to memory of 3404	2556	Bklomh32.exe	92
PID 2556 wrote to memory of 3404	2556	Bklomh32.exe	92
PID 3404 wrote to memory of 4636	3404	Baegibae.exe	93
PID 3404 wrote to memory of 4636	3404	Baegibae.exe	93
PID 3404 wrote to memory of 4636	3404	Baegibae.exe	93
PID 4636 wrote to memory of 4856	4636	Bgbpaipl.exe	94
PID 4636 wrote to memory of 4856	4636	Bgbpaipl.exe	94
PID 4636 wrote to memory of 4856	4636	Bgbpaipl.exe	94
PID 4856 wrote to memory of 1768	4856	Bnlhncgi.exe	95
PID 4856 wrote to memory of 1768	4856	Bnlhncgi.exe	95
PID 4856 wrote to memory of 1768	4856	Bnlhncgi.exe	95
PID 1768 wrote to memory of 3056	1768	Bpkdjofm.exe	96
PID 1768 wrote to memory of 3056	1768	Bpkdjofm.exe	96
PID 1768 wrote to memory of 3056	1768	Bpkdjofm.exe	96
PID 3056 wrote to memory of 5052	3056	Bhblllfo.exe	98
PID 3056 wrote to memory of 5052	3056	Bhblllfo.exe	98
PID 3056 wrote to memory of 5052	3056	Bhblllfo.exe	98
PID 5052 wrote to memory of 3808	5052	Bkphhgfc.exe	99
PID 5052 wrote to memory of 3808	5052	Bkphhgfc.exe	99
PID 5052 wrote to memory of 3808	5052	Bkphhgfc.exe	99
PID 3808 wrote to memory of 3984	3808	Bajqda32.exe	100
PID 3808 wrote to memory of 3984	3808	Bajqda32.exe	100
PID 3808 wrote to memory of 3984	3808	Bajqda32.exe	100
PID 3984 wrote to memory of 3048	3984	Cdimqm32.exe	101
PID 3984 wrote to memory of 3048	3984	Cdimqm32.exe	101
PID 3984 wrote to memory of 3048	3984	Cdimqm32.exe	101
PID 3048 wrote to memory of 924	3048	Cggimh32.exe	102
PID 3048 wrote to memory of 924	3048	Cggimh32.exe	102
PID 3048 wrote to memory of 924	3048	Cggimh32.exe	102
PID 924 wrote to memory of 5008	924	Cnaaib32.exe	103
PID 924 wrote to memory of 5008	924	Cnaaib32.exe	103
PID 924 wrote to memory of 5008	924	Cnaaib32.exe	103
PID 5008 wrote to memory of 2356	5008	Cdkifmjq.exe	104
PID 5008 wrote to memory of 2356	5008	Cdkifmjq.exe	104
PID 5008 wrote to memory of 2356	5008	Cdkifmjq.exe	104
PID 2356 wrote to memory of 4380	2356	Cgifbhid.exe	105
PID 2356 wrote to memory of 4380	2356	Cgifbhid.exe	105
PID 2356 wrote to memory of 4380	2356	Cgifbhid.exe	105
PID 4380 wrote to memory of 1632	4380	Cncnob32.exe	106
PID 4380 wrote to memory of 1632	4380	Cncnob32.exe	106
PID 4380 wrote to memory of 1632	4380	Cncnob32.exe	106
PID 1632 wrote to memory of 2820	1632	Ckgohf32.exe	108
PID 1632 wrote to memory of 2820	1632	Ckgohf32.exe	108
PID 1632 wrote to memory of 2820	1632	Ckgohf32.exe	108
PID 2820 wrote to memory of 1284	2820	Cpdgqmnb.exe	109
PID 2820 wrote to memory of 1284	2820	Cpdgqmnb.exe	109
PID 2820 wrote to memory of 1284	2820	Cpdgqmnb.exe	109
PID 1284 wrote to memory of 5060	1284	Cgnomg32.exe	110
PID 1284 wrote to memory of 5060	1284	Cgnomg32.exe	110
PID 1284 wrote to memory of 5060	1284	Cgnomg32.exe	110
PID 5060 wrote to memory of 3232	5060	Coegoe32.exe	111
PID 5060 wrote to memory of 3232	5060	Coegoe32.exe	111
PID 5060 wrote to memory of 3232	5060	Coegoe32.exe	111
PID 3232 wrote to memory of 3864	3232	Cpfcfmlp.exe	112
PID 3232 wrote to memory of 3864	3232	Cpfcfmlp.exe	112
PID 3232 wrote to memory of 3864	3232	Cpfcfmlp.exe	112
PID 3864 wrote to memory of 4848	3864	Cnjdpaki.exe	114

C:\Users\Admin\AppData\Local\Temp\466c5e1c4a4074b27ec9e0643af22611f1cab311bfef6564055c85d52297409a.exe
"C:\Users\Admin\AppData\Local\Temp\466c5e1c4a4074b27ec9e0643af22611f1cab311bfef6564055c85d52297409a.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4804
- C:\Windows\SysWOW64\Akdilipp.exe
  C:\Windows\system32\Akdilipp.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Windows\SysWOW64\Bklomh32.exe
    C:\Windows\system32\Bklomh32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\SysWOW64\Baegibae.exe
      C:\Windows\system32\Baegibae.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3404
    - - C:\Windows\SysWOW64\Bgbpaipl.exe
        
        C:\Windows\system32\Bgbpaipl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4636
      - C:\Windows\SysWOW64\Bnlhncgi.exe
        
        C:\Windows\system32\Bnlhncgi.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\SysWOW64\Bpkdjofm.exe
        
        C:\Windows\system32\Bpkdjofm.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\SysWOW64\Bhblllfo.exe
        
        C:\Windows\system32\Bhblllfo.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\Bkphhgfc.exe
        
        C:\Windows\system32\Bkphhgfc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\SysWOW64\Bajqda32.exe
        
        C:\Windows\system32\Bajqda32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3808
        
        C:\Windows\SysWOW64\Cdimqm32.exe
        
        C:\Windows\system32\Cdimqm32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\SysWOW64\Cggimh32.exe
        
        C:\Windows\system32\Cggimh32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Cnaaib32.exe
        
        C:\Windows\system32\Cnaaib32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Windows\SysWOW64\Cdkifmjq.exe
        
        C:\Windows\system32\Cdkifmjq.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\SysWOW64\Cgifbhid.exe
        
        C:\Windows\system32\Cgifbhid.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\SysWOW64\Cncnob32.exe
        
        C:\Windows\system32\Cncnob32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\SysWOW64\Ckgohf32.exe
        
        C:\Windows\system32\Ckgohf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\SysWOW64\Cpdgqmnb.exe
        
        C:\Windows\system32\Cpdgqmnb.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\SysWOW64\Cgnomg32.exe
        
        C:\Windows\system32\Cgnomg32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3864
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Dpkmal32.exe
        
        C:\Windows\system32\Dpkmal32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 432
        27⤵
        Program crash
        
        PID:2320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2008 -ip 2008
1⤵
PID:2076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4264,i,10065386245627775856,6567048529106473151,262144 --variations-seed-version --mojo-platform-channel-handle=4004 /prefetch:8
1⤵
PID:4052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Akdilipp.exe

Filesize
96KB

MD5
b1c46c365c08de7d166b7189ef2c8a3a

SHA1
6390f3fbd9a622dc5031f9b0896bb404e503a02f

SHA256
6aa9853c4e6468ca146acec527ef6002d81e488b70dc740295fb96a8d9312b0f

SHA512
788281ee709b5f292a28ee6f4288080ebe731c4ee352743beecc2f82e4cc2e98e7f9ebb5a0701f30e3c89ce4bec315448f2d777363cc88c3b4663c8085d7cf1a

Download Submit
C:\Windows\SysWOW64\Baegibae.exe

Filesize
96KB

MD5
477bff7f6a6ca97d4328bf2340b80cd7

SHA1
612fb2f795591a5f83261a29111c751fdf9fd27b

SHA256
d0cc23d38d5c8f622d1c0644c2d7c13016919b6afef7fe20519173d572622eae

SHA512
377ccc0471e4fd27429b772ccb3254b07ce3376d0329c1ca2bb25baa10a11e299909410f982d1336e43be0632eb2bf8f13e289bd74c1d5a27a203a9356307531

Download Submit
C:\Windows\SysWOW64\Bajqda32.exe

Filesize
96KB

MD5
dc9e87bc88b51a30ba3ab0600749a782

SHA1
032ce1d4701a9ff5bf884f1b53a2f3c74c0e65fe

SHA256
40e84ec1010a0be292fd3de7225d4cf9fa2bc9c1877e1a521568bd70a0d45b75

SHA512
e78ca37088205af5b2b67a32cd43cf1a60c1f956a4a96b3d086bf7ed3b32cc10199abe9d8230bf9fbf60a2150ef8134ce3a90d64ba2e964484b96b88a8c6a4e5

Download Submit
C:\Windows\SysWOW64\Bgbpaipl.exe

Filesize
96KB

MD5
fc1365d6e1180f55a9b8d3135adee5e5

SHA1
48c3ccd3307cf82fbc8797181ba139294d6a742e

SHA256
780679a0ed3b28157f8346bf8ebb9d2eaac7bcc02f3db262049b959d775a2137

SHA512
f4f139594b774a8c54047a949385a48a6e8cbbd2e970d521a21287101ff258592d0f92dc4a6af9aaae1997fbe8b647161933d89e2b3362259a218f033785f515

Download Submit
C:\Windows\SysWOW64\Bhblllfo.exe

Filesize
96KB

MD5
29cd362927727b7b72638c4f16c98e34

SHA1
2201aa6f92372bbabb58ebdb9145b0e4de8baf45

SHA256
da0fcec5cfcc8af013b87fb73e52327e7cf7c20db9bcf78a5b860759bfe89135

SHA512
401187c56e595ce29613b6f3ee1efa0de3f91f7aa84795077972d278c43021e54df4664d9f15eb7d167ce1fe3bb23bc9daa3b37317c3f8b83c63e73f4b48d41c

Download Submit
C:\Windows\SysWOW64\Bklomh32.exe

Filesize
96KB

MD5
9d4bcf8d38bc46d51a625cfeb518a208

SHA1
b5f3abf42b7639ab7b1e5348473a75119019a2bd

SHA256
4e79982a7c2d6e0d0eeb84da94be4cf03cb256f6bb48324f7f733ecb2eb6dd44

SHA512
f4c8180d661f08a905af2a2796e732c38f237edd3f8ca16652b3f3c4f5780f29320f86112bce6193d33358c766241607de843982bc188cf605681a14cc79565d

Download Submit
C:\Windows\SysWOW64\Bkphhgfc.exe

Filesize
96KB

MD5
f53243e7d56147c535365cf2b82b0984

SHA1
f2df23062baa76b087caacfb5be75cee210e405e

SHA256
851d97c4de7ceebefc21573ab8b9939ee551ea30cc343ab0abb3b6f181cf72d5

SHA512
1e14d40a64988b4a1f6004159bd9b5ba02e367e10baa70e7e14c63d8241a4614ebfeadd1ae30175bd73abb36a15554925ac901063937b7475549ff90527fa275

Download Submit
C:\Windows\SysWOW64\Bnlhncgi.exe

Filesize
96KB

MD5
65bdf6bbed72062d2c761105e550b627

SHA1
62fd9ccf492544c6d39e3e8865b98caed536f08c

SHA256
4550c4f2a62d979b8ee99de4b4ad8c32f701a227764832601cc8db6c4885a96c

SHA512
dd5edac15a53972e64add617c79d58e0d3e927ad046596e98b60211a0b72adca3fd59ba8c45d4bca5bc46ca7d3ba208fd854b76f41b1e815a9c2ccff4cdca2b9

Download Submit
C:\Windows\SysWOW64\Bpkdjofm.exe

Filesize
96KB

MD5
259cc7671fde069420cb4ba6d281d251

SHA1
c0269424333f9e4c6f39cc072ca70d7b09e868ad

SHA256
ce323247665a57289874e00b8d95e3e5e2ad01970caae57da6f958bcefb4e6c9

SHA512
12bb060b7f09c639ce6da3425374a93fba86adddd0fc490a470713fd047a0dda5fcf4d157f8c364d94a1879710cea3207946182ad2db0858db44ccedadd999b7

Download Submit
C:\Windows\SysWOW64\Cdimqm32.exe

Filesize
96KB

MD5
1608674240df7fc288ee427405bb5de9

SHA1
ddb42647d0aa674f0ed0b16eab63bbdbf47fefc7

SHA256
f38010e8fc88175bd21481be836947eabcd34aace82b764d26d39dd5304f87f0

SHA512
4f6ff5a77a4966c8e992939d5c5e160cdfacee225f0db5d9bc6d64cdf04f7e47062cd822e5fcbf68ebcb979d19d4866b7396d1c71fae43bbfea16c87d1d0f43e

Download Submit
C:\Windows\SysWOW64\Cdkifmjq.exe

Filesize
96KB

MD5
24bcb146dbe6c7bdc451eef331414580

SHA1
6164721801710e6597fa545e6ef3f391e9ea43ab

SHA256
89045f831aeb0a3f2e5626f859b4671fd7411dfdc449210dbd4a67b96b0c57ef

SHA512
0a5425d9243eb2bf4f2ab9c60a3112324425ed0ca3fa0f6ff334a58bdd81f4c5ddf4da1e53f64954c3309b3c8a28dff18ed65e8141b20a8992553ecef8a12fd0

Download Submit
C:\Windows\SysWOW64\Cggimh32.exe

Filesize
96KB

MD5
2b80591a67361b809438c3339386035c

SHA1
127a92278758698fc188c029c001a8933bd25565

SHA256
756a1d8d260eb0099c33ec861bb88dd0f10646a57ccc74ad9fd3fabe7f7de965

SHA512
f13d0e36ad0f654831bd54a738bf80229e8d12f34f211c79401a261138379e8ec104e2d7b2f83aa7f0b35c638269cc653626b8fc9d08c9d8074617cad0d0f61c

Download Submit
C:\Windows\SysWOW64\Cgifbhid.exe

Filesize
96KB

MD5
f8d1479c4449d2b4b26bd76144fe9b29

SHA1
bd30d7cced69032f6da59324dbafb7f0c20dcc39

SHA256
8dd05be33b3dfa111de1948e50c46e0b64cd9276de4c6d8e4ce20edb83b47a2f

SHA512
421aa3e8bc23be1fa802a856bdc25abea81cce8eeed17879d1e89e6c03ea4057b602dfe327b077b7aab72562658676932bbe30349e1bed072569e5c94dd4b63f

Download Submit
C:\Windows\SysWOW64\Cgnomg32.exe

Filesize
96KB

MD5
5bf2c7ce7d09f9b37c411ae186c2d356

SHA1
b235f37033ed5dc01d59949f7dd015b3f24ca98e

SHA256
6535d832000e25f53e0ce10dd2900686e31cd9ee616f27499b80ccff89e05a9c

SHA512
f96a897fb124e07763c362e8e96f7eb872f1152ba3128ca9832667dda4fb14a3ec9ee6da571fdc67f1d6a026f6d030069f5b648f06737672ef63d45bf705ec95

Download Submit
C:\Windows\SysWOW64\Ckgohf32.exe

Filesize
96KB

MD5
d08bc0bd2460cdebefcdadb488e98574

SHA1
bd3c3f1ed80cc6a0cf4a6277ec7a535c1ca5118b

SHA256
0bea301680ad367aa1d2277985f4172bb1b4a1d20ad547a9682a65e8b717f38c

SHA512
9325efc24056629c9d4afde20996b382ef074b5d619f891633ac4aab313fec580ad4fee58a5ce55a3c934b4f74f0293d98ef1933ca046f7e9335b45ff6d1020b

Download Submit
C:\Windows\SysWOW64\Cnaaib32.exe

Filesize
96KB

MD5
60d1f4f140743e817c7ce95a5472e97f

SHA1
9c921c64b01ff3ad2b4b68691b9ba80b01429cc6

SHA256
227cc4cb78061fb409641f16ba1388a2423bf9340e69a913b5a0129665f675af

SHA512
cdc53705a76d24089c9973b8c8607d9087eafe317766de39fe61ce9c12860790c43bb0a89a46ab0739fd684595fa342b445ccd147cd41d435632b7d58bbbbbdd

Download Submit
C:\Windows\SysWOW64\Cncnob32.exe

Filesize
96KB

MD5
a6665a40828ed2ff4af09225de368a98

SHA1
0665c69d10df946d8d0b1efc1646bf5d778d09c1

SHA256
38f8b8f84c699447b424d121599adf437a336021bcff85f85b5b01b747abfb17

SHA512
4a07e1d699f8d621a07cd96933cc392af7078dcfaed49194c42dab821e0c8dd70057a4bf917b6e219fed1f56e4134f94ac5e7d200ca870c3ecb5b400aa8f9031

Download Submit
C:\Windows\SysWOW64\Cnjdpaki.exe

Filesize
96KB

MD5
266c7565707453695d09d5a2bf9d9c64

SHA1
5f8c50508aaeed35c4545be00f0db57b1a3b2b0b

SHA256
52a135c63709da50d2a6b8e42c151aa6c857648c83bcdad1331db01bb197c95d

SHA512
f089ce2df8cdcc800d611860287a41fd0b0ebe8e203c91049622491b66228de95b7e72648ce3725dbbce8a5c65beff3e0d58351396c68a2796b388a56dcfcc5e

Download Submit
C:\Windows\SysWOW64\Coegoe32.exe

Filesize
96KB

MD5
64081e161ad947af110f5a55cbfaeb66

SHA1
3c0c47d11ae7403d26e393ce96e07d7c3b5028a5

SHA256
8109db76a94344f5c73e5401323a21628be66a946a1fa8ddcffbfd2303571e04

SHA512
930e3ae7093b127b0d68f3f020b27c40ce0f24f99aae1a668afb246c86f066d7cf2c2724edc5aab5aba7c7fbf3d9dc319197e4123f59faec4dc9f79719940a08

Download Submit
C:\Windows\SysWOW64\Cpdgqmnb.exe

Filesize
96KB

MD5
61a6df504716f29c4ddae77f50c369d5

SHA1
3c41a7b8a22fdb2615efdb2e016a57b004f06961

SHA256
8bb9e00c0cc72a2f85fcb18c23c1be02c2c3849b4df1ec8e027599ee5628a7e2

SHA512
24c25012449886ab3c3c1a765a2afa9ecaf2939b9ac47d1be1cd1799ff872cad6e813e0d1a5531462ea0664936add4a03ec318e1b29de0b64d613335d22b473f

Download Submit
C:\Windows\SysWOW64\Cpfcfmlp.exe

Filesize
96KB

MD5
f733b915d64a4bb79b7ae42d955ccf19

SHA1
a4180330590e403dde7be0bdc450dd0bc899b680

SHA256
5c665e46d5aac014540ad7d97ddb1499337dd39800db1695dfb4faf763bbd9be

SHA512
4a329180965040fa33d960ca3465d9c5ddf0b6872fcfdf9da68da9e9eb1d4c223cafa373f5ed5d9b9476bca022ba0e89a9f50956c7f0b52ac5e6f02eb96fe00e

Download Submit
C:\Windows\SysWOW64\Dddllkbf.exe

Filesize
96KB

MD5
ad60b66a2ff6d6a5ddc44ae42bef8ec1

SHA1
5f44890b0d58cc55cd2c3a522197b644ac3336b4

SHA256
685139fd9f23c3338bcf336d4fd195548ed9b06c6463451452fdf2f4177733a1

SHA512
dd810d0467da34f24451973245766278661d4e15316e25f7035b6e2cadc85e009b3cc408f567e88bcb457739dace234457c2ca326ee70bc1e3e84c27e43f351d

Download Submit
C:\Windows\SysWOW64\Dgcihgaj.exe

Filesize
96KB

MD5
33cf9edcd7521ea67c44dede583b03be

SHA1
ebaf519bcd9c18cea03acbf77d6745cae0998dc6

SHA256
5833fc229a936d67397d8b78e69b1cc72db9f70c7f8f333a3d29d6222993d1f0

SHA512
670712bdba5d69386d28fad675164cc5c7056d3218320f811cac99386b4b03eed0ed3bae55fead4c1dd7669b712b3c8f12ea7a95578e609cec3d66ed082d8ef2

Download Submit
C:\Windows\SysWOW64\Dkqaoe32.exe

Filesize
96KB

MD5
af3818edf38b73369290acea1e666200

SHA1
7fb05b344afc8b92c9ff1e9f4c4a203df94fba20

SHA256
514d59616ca41b6810caf17ae9d15ac6790e675a28579ba85941f8440321033b

SHA512
794844efd347b1b2c93c3d9adc5ab7d6219c33be11212b1b65964afc1a5f2c09ca2f3229695816ffc07bb4c7c2c213a174ff26cb6b7dd3776f65670123e7ee3e

Download Submit
C:\Windows\SysWOW64\Dpkmal32.exe

Filesize
96KB

MD5
7236d046311df536a41a8a6db88ac68b

SHA1
f53febee00af76c8d2b9ddd0a0836254355d40bd

SHA256
d75f4dd00271f8145ab5a152daeabb5278830a6b493f9337491b282cacd6fa45

SHA512
890665db6180109e420122a0717e110d3be46d4e1afaca5d5525e535acbcfc88c8695803058d01172c2b3abdd20b8581214a2cbc080cf2c4f0f092ffb82e65f4

Download Submit
C:\Windows\SysWOW64\Ehojko32.dll

Filesize
7KB

MD5
116c8571e8dc24fe474d866d91c1a5b9

SHA1
6c4099b199b97fd46c308ce16a2c98a777941e9c

SHA256
c8de0a34bdbefbe6df9e70db9df0cbb6fcbdf0c050f46dd4dc62af2130cbe52c

SHA512
7f5a64dc870e387d341ba082831d0f22f9ea3b09a664910e4e73f2050df7cc48c99e7627199eda1c74a8eb214246664320e3c991f17ce6e3f00fa09a4b6f68bc

Download Submit
memory/924-214-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/924-96-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1284-208-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1284-144-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1516-7-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1516-223-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1632-127-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1632-210-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1768-218-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1768-47-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2008-199-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2008-201-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2032-203-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2032-183-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2356-212-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2356-112-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2556-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2556-222-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2820-209-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2820-136-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3048-215-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3048-88-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3056-60-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3232-159-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3232-206-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3404-221-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3404-24-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3808-79-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3864-170-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3864-205-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3984-84-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3984-216-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4320-191-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4320-202-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4380-211-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4380-119-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4636-220-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4636-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4804-224-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4804-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4848-176-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4848-204-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4856-40-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4856-219-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5008-104-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5008-213-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5052-64-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5052-217-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5060-207-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5060-152-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads