c52e398f04b78858ab08135ce944540ec20e98ba69644c0c0f0725059faaab3c

Analysis

max time kernel
141s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c52e398f04b78858ab08135ce944540ec20e98ba69644c0c0f0725059faaab3cN.exe
Size

464KB
MD5

b4640ceb983851744e9e4fdda6e45020
SHA1

7790ac4460d3933532dec56951b218cca173324c
SHA256

c52e398f04b78858ab08135ce944540ec20e98ba69644c0c0f0725059faaab3c
SHA512

dce325f6fd309e1e6a4fad2ec1e80a46c49790f6ea352b56bdd3f04ae6f8846a586ce1129ca0a775c5b1c23055023b0972aeb1f09dfdcdfced4b2a7fc4b31063
SSDEEP

6144:OoUjM7DcddPEOIIIPCn4EOIuIPJEOOcHTETKEOIIIPC:GMEPEVI2C4EVu2JEVcBEVI2C

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chofhm32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfpdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Baqhapdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciepkajj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cobhdhha.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckiiiine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cabaec32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqjla32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgdfjfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ckiiiine.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cofaog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cofaog32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmibmlo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	c52e398f04b78858ab08135ce944540ec20e98ba69644c0c0f0725059faaab3cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjfpdf32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baqhapdj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfmqigba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfmqigba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ciepkajj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabaec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chmibmlo.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chofhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	c52e398f04b78858ab08135ce944540ec20e98ba69644c0c0f0725059faaab3cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgdfjfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cobhdhha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceqjla32.exe

Executes dropped EXE 13 IoCs

pid	Process
2892	Bjfpdf32.exe
2960	Baqhapdj.exe
2832	Bfmqigba.exe
2896	Bgdfjfmi.exe
2796	Ciepkajj.exe
2768	Cobhdhha.exe
1668	Ckiiiine.exe
1700	Cabaec32.exe
1996	Chmibmlo.exe
1332	Cofaog32.exe
2420	Ceqjla32.exe
3056	Chofhm32.exe
1960	Coindgbi.exe

Loads dropped DLL 26 IoCs

pid	Process
1464	c52e398f04b78858ab08135ce944540ec20e98ba69644c0c0f0725059faaab3cN.exe
1464	c52e398f04b78858ab08135ce944540ec20e98ba69644c0c0f0725059faaab3cN.exe
2892	Bjfpdf32.exe
2892	Bjfpdf32.exe
2960	Baqhapdj.exe
2960	Baqhapdj.exe
2832	Bfmqigba.exe
2832	Bfmqigba.exe
2896	Bgdfjfmi.exe
2896	Bgdfjfmi.exe
2796	Ciepkajj.exe
2796	Ciepkajj.exe
2768	Cobhdhha.exe
2768	Cobhdhha.exe
1668	Ckiiiine.exe
1668	Ckiiiine.exe
1700	Cabaec32.exe
1700	Cabaec32.exe
1996	Chmibmlo.exe
1996	Chmibmlo.exe
1332	Cofaog32.exe
1332	Cofaog32.exe
2420	Ceqjla32.exe
2420	Ceqjla32.exe
3056	Chofhm32.exe
3056	Chofhm32.exe

Drops file in System32 directory 39 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ceqjla32.exe	Cofaog32.exe
File created	C:\Windows\SysWOW64\Pkknia32.dll	Ceqjla32.exe
File created	C:\Windows\SysWOW64\Ohodgb32.dll	Chofhm32.exe
File opened for modification	C:\Windows\SysWOW64\Baqhapdj.exe	Bjfpdf32.exe
File created	C:\Windows\SysWOW64\Anfdhfiq.dll	Bjfpdf32.exe
File created	C:\Windows\SysWOW64\Bgdfjfmi.exe	Bfmqigba.exe
File opened for modification	C:\Windows\SysWOW64\Cobhdhha.exe	Ciepkajj.exe
File created	C:\Windows\SysWOW64\Nalmek32.dll	Baqhapdj.exe
File opened for modification	C:\Windows\SysWOW64\Bgdfjfmi.exe	Bfmqigba.exe
File created	C:\Windows\SysWOW64\Iibogmjf.dll	Bgdfjfmi.exe
File created	C:\Windows\SysWOW64\Elnlcjph.dll	Chmibmlo.exe
File created	C:\Windows\SysWOW64\Djenbd32.dll	Cofaog32.exe
File created	C:\Windows\SysWOW64\Bfmqigba.exe	Baqhapdj.exe
File opened for modification	C:\Windows\SysWOW64\Bfmqigba.exe	Baqhapdj.exe
File opened for modification	C:\Windows\SysWOW64\Chmibmlo.exe	Cabaec32.exe
File opened for modification	C:\Windows\SysWOW64\Cofaog32.exe	Chmibmlo.exe
File created	C:\Windows\SysWOW64\Jchbfbij.dll	Cobhdhha.exe
File created	C:\Windows\SysWOW64\Jqlidcln.dll	Ckiiiine.exe
File created	C:\Windows\SysWOW64\Chofhm32.exe	Ceqjla32.exe
File opened for modification	C:\Windows\SysWOW64\Chofhm32.exe	Ceqjla32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfpdf32.exe	c52e398f04b78858ab08135ce944540ec20e98ba69644c0c0f0725059faaab3cN.exe
File created	C:\Windows\SysWOW64\Ndjhjkfi.dll	c52e398f04b78858ab08135ce944540ec20e98ba69644c0c0f0725059faaab3cN.exe
File created	C:\Windows\SysWOW64\Ciepkajj.exe	Bgdfjfmi.exe
File created	C:\Windows\SysWOW64\Cobhdhha.exe	Ciepkajj.exe
File opened for modification	C:\Windows\SysWOW64\Coindgbi.exe	Chofhm32.exe
File opened for modification	C:\Windows\SysWOW64\Ciepkajj.exe	Bgdfjfmi.exe
File opened for modification	C:\Windows\SysWOW64\Cabaec32.exe	Ckiiiine.exe
File created	C:\Windows\SysWOW64\Mpgoaiep.dll	Cabaec32.exe
File created	C:\Windows\SysWOW64\Cabaec32.exe	Ckiiiine.exe
File created	C:\Windows\SysWOW64\Cofaog32.exe	Chmibmlo.exe
File created	C:\Windows\SysWOW64\Coindgbi.exe	Chofhm32.exe
File created	C:\Windows\SysWOW64\Baqhapdj.exe	Bjfpdf32.exe
File created	C:\Windows\SysWOW64\Hkfggj32.dll	Ciepkajj.exe
File created	C:\Windows\SysWOW64\Ckiiiine.exe	Cobhdhha.exe
File created	C:\Windows\SysWOW64\Ceqjla32.exe	Cofaog32.exe
File created	C:\Windows\SysWOW64\Bjfpdf32.exe	c52e398f04b78858ab08135ce944540ec20e98ba69644c0c0f0725059faaab3cN.exe
File created	C:\Windows\SysWOW64\Ojeffiih.dll	Bfmqigba.exe
File opened for modification	C:\Windows\SysWOW64\Ckiiiine.exe	Cobhdhha.exe
File created	C:\Windows\SysWOW64\Chmibmlo.exe	Cabaec32.exe

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgdfjfmi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmibmlo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coindgbi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfpdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baqhapdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciepkajj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabaec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cofaog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c52e398f04b78858ab08135ce944540ec20e98ba69644c0c0f0725059faaab3cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfmqigba.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cobhdhha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckiiiine.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqjla32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chofhm32.exe

Modifies registry class 42 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nalmek32.dll"	Baqhapdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iibogmjf.dll"	Bgdfjfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpgoaiep.dll"	Cabaec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chmibmlo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chofhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	c52e398f04b78858ab08135ce944540ec20e98ba69644c0c0f0725059faaab3cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ciepkajj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chmibmlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elnlcjph.dll"	Chmibmlo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ceqjla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chofhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	c52e398f04b78858ab08135ce944540ec20e98ba69644c0c0f0725059faaab3cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndjhjkfi.dll"	c52e398f04b78858ab08135ce944540ec20e98ba69644c0c0f0725059faaab3cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bgdfjfmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ceqjla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkknia32.dll"	Ceqjla32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	c52e398f04b78858ab08135ce944540ec20e98ba69644c0c0f0725059faaab3cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cobhdhha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cabaec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	c52e398f04b78858ab08135ce944540ec20e98ba69644c0c0f0725059faaab3cN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfmqigba.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cobhdhha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbfbij.dll"	Cobhdhha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ckiiiine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjfpdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkfggj32.dll"	Ciepkajj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cofaog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cofaog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohodgb32.dll"	Chofhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Baqhapdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Baqhapdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bgdfjfmi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ciepkajj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqlidcln.dll"	Ckiiiine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ckiiiine.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djenbd32.dll"	Cofaog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	c52e398f04b78858ab08135ce944540ec20e98ba69644c0c0f0725059faaab3cN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anfdhfiq.dll"	Bjfpdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojeffiih.dll"	Bfmqigba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfmqigba.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cabaec32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjfpdf32.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 2892	1464	c52e398f04b78858ab08135ce944540ec20e98ba69644c0c0f0725059faaab3cN.exe	30
PID 1464 wrote to memory of 2892	1464	c52e398f04b78858ab08135ce944540ec20e98ba69644c0c0f0725059faaab3cN.exe	30
PID 1464 wrote to memory of 2892	1464	c52e398f04b78858ab08135ce944540ec20e98ba69644c0c0f0725059faaab3cN.exe	30
PID 1464 wrote to memory of 2892	1464	c52e398f04b78858ab08135ce944540ec20e98ba69644c0c0f0725059faaab3cN.exe	30
PID 2892 wrote to memory of 2960	2892	Bjfpdf32.exe	31
PID 2892 wrote to memory of 2960	2892	Bjfpdf32.exe	31
PID 2892 wrote to memory of 2960	2892	Bjfpdf32.exe	31
PID 2892 wrote to memory of 2960	2892	Bjfpdf32.exe	31
PID 2960 wrote to memory of 2832	2960	Baqhapdj.exe	32
PID 2960 wrote to memory of 2832	2960	Baqhapdj.exe	32
PID 2960 wrote to memory of 2832	2960	Baqhapdj.exe	32
PID 2960 wrote to memory of 2832	2960	Baqhapdj.exe	32
PID 2832 wrote to memory of 2896	2832	Bfmqigba.exe	33
PID 2832 wrote to memory of 2896	2832	Bfmqigba.exe	33
PID 2832 wrote to memory of 2896	2832	Bfmqigba.exe	33
PID 2832 wrote to memory of 2896	2832	Bfmqigba.exe	33
PID 2896 wrote to memory of 2796	2896	Bgdfjfmi.exe	34
PID 2896 wrote to memory of 2796	2896	Bgdfjfmi.exe	34
PID 2896 wrote to memory of 2796	2896	Bgdfjfmi.exe	34
PID 2896 wrote to memory of 2796	2896	Bgdfjfmi.exe	34
PID 2796 wrote to memory of 2768	2796	Ciepkajj.exe	35
PID 2796 wrote to memory of 2768	2796	Ciepkajj.exe	35
PID 2796 wrote to memory of 2768	2796	Ciepkajj.exe	35
PID 2796 wrote to memory of 2768	2796	Ciepkajj.exe	35
PID 2768 wrote to memory of 1668	2768	Cobhdhha.exe	36
PID 2768 wrote to memory of 1668	2768	Cobhdhha.exe	36
PID 2768 wrote to memory of 1668	2768	Cobhdhha.exe	36
PID 2768 wrote to memory of 1668	2768	Cobhdhha.exe	36
PID 1668 wrote to memory of 1700	1668	Ckiiiine.exe	37
PID 1668 wrote to memory of 1700	1668	Ckiiiine.exe	37
PID 1668 wrote to memory of 1700	1668	Ckiiiine.exe	37
PID 1668 wrote to memory of 1700	1668	Ckiiiine.exe	37
PID 1700 wrote to memory of 1996	1700	Cabaec32.exe	38
PID 1700 wrote to memory of 1996	1700	Cabaec32.exe	38
PID 1700 wrote to memory of 1996	1700	Cabaec32.exe	38
PID 1700 wrote to memory of 1996	1700	Cabaec32.exe	38
PID 1996 wrote to memory of 1332	1996	Chmibmlo.exe	39
PID 1996 wrote to memory of 1332	1996	Chmibmlo.exe	39
PID 1996 wrote to memory of 1332	1996	Chmibmlo.exe	39
PID 1996 wrote to memory of 1332	1996	Chmibmlo.exe	39
PID 1332 wrote to memory of 2420	1332	Cofaog32.exe	40
PID 1332 wrote to memory of 2420	1332	Cofaog32.exe	40
PID 1332 wrote to memory of 2420	1332	Cofaog32.exe	40
PID 1332 wrote to memory of 2420	1332	Cofaog32.exe	40
PID 2420 wrote to memory of 3056	2420	Ceqjla32.exe	41
PID 2420 wrote to memory of 3056	2420	Ceqjla32.exe	41
PID 2420 wrote to memory of 3056	2420	Ceqjla32.exe	41
PID 2420 wrote to memory of 3056	2420	Ceqjla32.exe	41
PID 3056 wrote to memory of 1960	3056	Chofhm32.exe	42
PID 3056 wrote to memory of 1960	3056	Chofhm32.exe	42
PID 3056 wrote to memory of 1960	3056	Chofhm32.exe	42
PID 3056 wrote to memory of 1960	3056	Chofhm32.exe	42

C:\Users\Admin\AppData\Local\Temp\c52e398f04b78858ab08135ce944540ec20e98ba69644c0c0f0725059faaab3cN.exe
"C:\Users\Admin\AppData\Local\Temp\c52e398f04b78858ab08135ce944540ec20e98ba69644c0c0f0725059faaab3cN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Windows\SysWOW64\Bjfpdf32.exe
  C:\Windows\system32\Bjfpdf32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\SysWOW64\Baqhapdj.exe
    C:\Windows\system32\Baqhapdj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\Windows\SysWOW64\Bfmqigba.exe
      C:\Windows\system32\Bfmqigba.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2832
    - - C:\Windows\SysWOW64\Bgdfjfmi.exe
        
        C:\Windows\system32\Bgdfjfmi.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2896
      - C:\Windows\SysWOW64\Ciepkajj.exe
        
        C:\Windows\system32\Ciepkajj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\SysWOW64\Cobhdhha.exe
        
        C:\Windows\system32\Cobhdhha.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\SysWOW64\Ckiiiine.exe
        
        C:\Windows\system32\Ckiiiine.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\SysWOW64\Cabaec32.exe
        
        C:\Windows\system32\Cabaec32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Chmibmlo.exe
        
        C:\Windows\system32\Chmibmlo.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\SysWOW64\Cofaog32.exe
        
        C:\Windows\system32\Cofaog32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\SysWOW64\Ceqjla32.exe
        
        C:\Windows\system32\Ceqjla32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\SysWOW64\Chofhm32.exe
        
        C:\Windows\system32\Chofhm32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\Coindgbi.exe
        
        C:\Windows\system32\Coindgbi.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Baqhapdj.exe

Filesize
464KB

MD5
abdd29de7cce0020b24f3730aca8067b

SHA1
9ee8b7418ef6dac0db86edd774d8059584bcf14c

SHA256
c6ff8882164560b0ef35972ad09d72363e57f6a148e6a9c279d64541e2bbf58c

SHA512
e58a8287e2cc79eff64bfe0c87c4890f22dd8bec101279978cd0bf5a0ab77378490e6e680289b165861cc080843940860afb544bbb93295f6412ecbf906c8663

Download Submit
C:\Windows\SysWOW64\Cabaec32.exe

Filesize
464KB

MD5
7388c2cddc402f56b7ddd9ecd234cb75

SHA1
c48ebbc68c06a17834a3de2f15bfd5dad2176128

SHA256
bcd3790948796687d0ea366a3ff5d730ad5d253dbba5b28db6e3ddc911bfc7b6

SHA512
71d581937a6ff8cc2840f37db066184b573d6b4652b7626fa95f3fca9fe4515fabea6c8ea4d0f224334abdd758cd18203b83fcdb43a40d40bd134b546f57288e

Download Submit
C:\Windows\SysWOW64\Ceqjla32.exe

Filesize
464KB

MD5
b53c7652e5496690764d8ab6b4d8b391

SHA1
be0fd9a833b627ff8a72e0bcf0440e9174d68d00

SHA256
e106e3b12a27e35886898a18f214c8033138ecacd6544b5ac0b638e63dadb5c0

SHA512
cdec7d7ee18794dcc822de9cba29fd4fbeb1ac2364646e9607b571eb5b4fa450c45ab815a8d871f8d3b4b2c652ce328ed32b7776d6163a46e92643c1c928bf22

Download Submit
C:\Windows\SysWOW64\Chmibmlo.exe

Filesize
464KB

MD5
b7c4a1c03b7df86bbe5847d01886dcc3

SHA1
887f1cec61e200308c0be49e05a5c957e0ae18d6

SHA256
782da81c88186247e5b9d273f1f553990409ed47ff0e50241869951d6d3c2795

SHA512
c3f685c271db14c002a3b323c108cae098b9d28d034205b11401bc500f42f49ac72158e3d7f7a3a89f7c348b3834305b4a959cb44bc292f8eaff11adc3313e29

Download Submit
C:\Windows\SysWOW64\Chofhm32.exe

Filesize
464KB

MD5
9a11dca4e72e17d1b3fe576fbebe67a7

SHA1
03a5386ed7e9e0ab957bdd774d26c294f65f382c

SHA256
5774311684447916e165ced555474aa87458590bb09283e58f587aa70a09364c

SHA512
4b9bc60b23d6c47a89dcf7ee1f0197027c815627f4276a670a9c05eafcd2335a686522494bd0a2578d39db1bb99b54a8a8586f29435fd6c0a4b391d20d76f597

Download Submit
C:\Windows\SysWOW64\Ckiiiine.exe

Filesize
464KB

MD5
e019f6c55ba0f18a3ef0bbe4e1ff1843

SHA1
18b748d2a4de262b434e7180514ac6e733f24b81

SHA256
9a793573d14b1ad7f7ce134b48b8b81b6b9d06641fe5da956b94943c5d41d932

SHA512
3711c586511295819dcc397f538c830a811661a23ef579856b2f2256308ce7cea4ccd9c20d0787b45b5bd4644651bcbf4e349e30286e8aa7108bcf729004ae58

Download Submit
C:\Windows\SysWOW64\Cobhdhha.exe

Filesize
464KB

MD5
41a32c861df526ba82d3bb6c81a4f300

SHA1
30ed73c084bd4d7dc6ff1c34f98cae1748332ca9

SHA256
d9c9e04898c039a3ea88d37d2ee2e4fcbef8e68941573349c833e36e480f75f7

SHA512
3e07d7767786abeff2fc31523cc31481710435b043832a93434dcbffc9d84ae0301c5eb6f98009400da235e667049d109f4f8b953d63d0af6ae857eff7c3f78d

Download Submit
C:\Windows\SysWOW64\Cofaog32.exe

Filesize
464KB

MD5
d4569ff4bab06ab2f0b819b1589bba1c

SHA1
05f7e3a097a8ae3c70da8c7699405b37049dddc2

SHA256
b16099826df4c9bc4a7e3be39e88c7fe5d13b9be51a3dbdeeaac1299574660d4

SHA512
48db895564a822fff3c5fe1b498c6d71d67bb47544b2faa03360c0f6976071552db2133bb1991fabca595f7d8667a580dc5e8725814f2a1fedb732e12de2d55f

Download Submit
C:\Windows\SysWOW64\Coindgbi.exe

Filesize
464KB

MD5
78ab2274a1d92fc57be127ffedf4f42e

SHA1
801dc1d9fc8892ca5c1e6b104e2a9fdc1d633aef

SHA256
8f99d991954e04759313baf064d36ce3bd7a7d5f76b4cff63627d5d1d23f5a2f

SHA512
e1c3973fec47f31de13993f2ac573555e83ae86e28f6a8abfda8e5a140cf841674ae508e96b6575b28e9401a61215b5008ef13529d90caddd9d34db423e745ce

Download Submit
C:\Windows\SysWOW64\Iibogmjf.dll

Filesize
7KB

MD5
bfd3101ae589adbb626702cdcf78f160

SHA1
1f67e9e180a7be1675326749314f8db538912036

SHA256
8967efcfbc62123469287ba63fd3bcb95605076870c3fd35ca2bd2e9ea557914

SHA512
efcf2390e59b018cb3a3e81f33016f1a28f6cdffccfc0d4f296cb5dcf0a67eba7da513add0fc2db786025c124bae0d6b36768218a136059cad5d4c34a7765ca0

Download Submit
\Windows\SysWOW64\Bfmqigba.exe

Filesize
464KB

MD5
22ff3569b0493261d9c5b53d168cb51a

SHA1
06fff0e19342bbd46b1d54c599f1c201958047f1

SHA256
387e092ae8fdb5dbe958dc70e62de494f7d78014871af52bd53610af21369452

SHA512
42b23b4b1d679bef694ec4eac74bcf0bcf7b45e14ea4f37d008d620897dc38ce73b1395d5734828f41644b52bdac0797126fac0a451d70356a9682aa263765fd

Download Submit
\Windows\SysWOW64\Bgdfjfmi.exe

Filesize
464KB

MD5
a09b321239331a4c9a89cc991721f2a0

SHA1
15b126a5869de8afeddb4235b701fe29a4266fe3

SHA256
5fd099fb0976373b1bf4d9d3190dbce0ebab8df4a895d238de32c20eb65ac80e

SHA512
1e42c3a5647de62bb50fefe6bfa7f81274a5fc4c4852ea3308dc5c1327345b8ea9fbfb510dc67eee71330673d60916f170f7b30a27095fdb1d10daf964a5d53d

Download Submit
\Windows\SysWOW64\Bjfpdf32.exe

Filesize
464KB

MD5
796b656be03ccfd54981b0ccdca85143

SHA1
9b1526ec20f3017b7a40ff77ceb0b74f27b5bb9f

SHA256
0133715144fcb9da3feca62a58f4b4e872e6977e53155749bee3dd063968ca3c

SHA512
1713bdfb75a1a7ede8396e2d587b47788318ad0c0bdb2d11eeb5c1f3370b4bb2b1de1f4ce142e1eb593d57e4ae574002e386fe303c3fcff9e889c9071e6494b3

Download Submit
\Windows\SysWOW64\Ciepkajj.exe

Filesize
464KB

MD5
d83c19b78eb088ccf5b0a71dde0548cd

SHA1
231eadf0b67de1ab9582bfce88694547d9b7494e

SHA256
68f87c768eb2739abc46a5d97d42a13ca502b104a7c9c760ea4136897395563e

SHA512
09ddbe6e08d89f3add695c4a2682df3c2845f033281794a1c50eeb8a32ca7030149722361d4be8295269d6df8e5f18be2886f98d2e66879e8dabe544a924b4bd

Download Submit
memory/1332-175-0x0000000002090000-0x000000000212D000-memory.dmp

Filesize
628KB

Download
memory/1332-174-0x0000000002090000-0x000000000212D000-memory.dmp

Filesize
628KB

Download
memory/1332-173-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1332-244-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1464-18-0x0000000000340000-0x00000000003DD000-memory.dmp

Filesize
628KB

Download
memory/1464-17-0x0000000000340000-0x00000000003DD000-memory.dmp

Filesize
628KB

Download
memory/1464-0-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1464-214-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1668-165-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1668-166-0x0000000002100000-0x000000000219D000-memory.dmp

Filesize
628KB

Download
memory/1668-167-0x0000000002100000-0x000000000219D000-memory.dmp

Filesize
628KB

Download
memory/1668-238-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1700-168-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1700-169-0x00000000002D0000-0x000000000036D000-memory.dmp

Filesize
628KB

Download
memory/1700-240-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1960-180-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1960-254-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1996-170-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/1996-171-0x00000000004A0000-0x000000000053D000-memory.dmp

Filesize
628KB

Download
memory/1996-172-0x00000000004A0000-0x000000000053D000-memory.dmp

Filesize
628KB

Download
memory/1996-242-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2420-177-0x0000000000340000-0x00000000003DD000-memory.dmp

Filesize
628KB

Download
memory/2420-176-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2420-246-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2768-235-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2768-236-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2796-234-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2796-164-0x0000000002070000-0x000000000210D000-memory.dmp

Filesize
628KB

Download
memory/2796-181-0x0000000002070000-0x000000000210D000-memory.dmp

Filesize
628KB

Download
memory/2796-163-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2832-220-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2832-41-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2892-216-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2892-19-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2896-232-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2896-54-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2960-218-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2960-35-0x0000000000360000-0x00000000003FD000-memory.dmp

Filesize
628KB

Download
memory/2960-27-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/3056-179-0x00000000002C0000-0x000000000035D000-memory.dmp

Filesize
628KB

Download
memory/3056-178-0x00000000002C0000-0x000000000035D000-memory.dmp

Filesize
628KB

Download
memory/3056-248-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads