e52091da8a2829bd1f0bfe6082f2e78dc5659a0d4befb130d1eb4768aad8fced

Analysis

max time kernel
104s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 06:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

734b862972bd67fadf14952cd3d9be60N.exe
Size

207KB
MD5

734b862972bd67fadf14952cd3d9be60
SHA1

95daed039e89f6df54dc546ab21cef7ea4e0340c
SHA256

e52091da8a2829bd1f0bfe6082f2e78dc5659a0d4befb130d1eb4768aad8fced
SHA512

7a50bb04a8244f04dd1cf1d5b65e3b314b04d4b8aae771af4038754760d88555d56322206ae73a867c3c250f11f3f6280533215e7689429f84478c42219d8de7
SSDEEP

3072:ctl+4X92Lry/Yklk4tsFqlVjoSdoxx4KcWmjRrzyAyAtWgoJSWYVo2ASOvojoS:ctlH92LupUAlVjj+VPj92d62ASOwj

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	734b862972bd67fadf14952cd3d9be60N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	734b862972bd67fadf14952cd3d9be60N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe

Executes dropped EXE 27 IoCs

pid	Process
1672	Bcoenmao.exe
4468	Cfmajipb.exe
3936	Cenahpha.exe
2840	Chmndlge.exe
4472	Cmiflbel.exe
436	Cfbkeh32.exe
4172	Cjmgfgdf.exe
1368	Ceckcp32.exe
2084	Cjpckf32.exe
4104	Ceehho32.exe
2304	Chcddk32.exe
4860	Cnnlaehj.exe
3348	Calhnpgn.exe
1400	Ddjejl32.exe
2096	Dopigd32.exe
3468	Danecp32.exe
4940	Ddmaok32.exe
864	Dobfld32.exe
3996	Delnin32.exe
3296	Dhkjej32.exe
2152	Dmgbnq32.exe
3552	Deokon32.exe
4896	Dfpgffpm.exe
3232	Dogogcpo.exe
3628	Deagdn32.exe
4528	Dknpmdfc.exe
4972	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	734b862972bd67fadf14952cd3d9be60N.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	734b862972bd67fadf14952cd3d9be60N.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dobfld32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4388	4972	WerFault.exe	113

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	734b862972bd67fadf14952cd3d9be60N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	734b862972bd67fadf14952cd3d9be60N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	734b862972bd67fadf14952cd3d9be60N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	734b862972bd67fadf14952cd3d9be60N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	734b862972bd67fadf14952cd3d9be60N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Danecp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3696 wrote to memory of 1672	3696	734b862972bd67fadf14952cd3d9be60N.exe	84
PID 3696 wrote to memory of 1672	3696	734b862972bd67fadf14952cd3d9be60N.exe	84
PID 3696 wrote to memory of 1672	3696	734b862972bd67fadf14952cd3d9be60N.exe	84
PID 1672 wrote to memory of 4468	1672	Bcoenmao.exe	85
PID 1672 wrote to memory of 4468	1672	Bcoenmao.exe	85
PID 1672 wrote to memory of 4468	1672	Bcoenmao.exe	85
PID 4468 wrote to memory of 3936	4468	Cfmajipb.exe	86
PID 4468 wrote to memory of 3936	4468	Cfmajipb.exe	86
PID 4468 wrote to memory of 3936	4468	Cfmajipb.exe	86
PID 3936 wrote to memory of 2840	3936	Cenahpha.exe	87
PID 3936 wrote to memory of 2840	3936	Cenahpha.exe	87
PID 3936 wrote to memory of 2840	3936	Cenahpha.exe	87
PID 2840 wrote to memory of 4472	2840	Chmndlge.exe	88
PID 2840 wrote to memory of 4472	2840	Chmndlge.exe	88
PID 2840 wrote to memory of 4472	2840	Chmndlge.exe	88
PID 4472 wrote to memory of 436	4472	Cmiflbel.exe	89
PID 4472 wrote to memory of 436	4472	Cmiflbel.exe	89
PID 4472 wrote to memory of 436	4472	Cmiflbel.exe	89
PID 436 wrote to memory of 4172	436	Cfbkeh32.exe	91
PID 436 wrote to memory of 4172	436	Cfbkeh32.exe	91
PID 436 wrote to memory of 4172	436	Cfbkeh32.exe	91
PID 4172 wrote to memory of 1368	4172	Cjmgfgdf.exe	92
PID 4172 wrote to memory of 1368	4172	Cjmgfgdf.exe	92
PID 4172 wrote to memory of 1368	4172	Cjmgfgdf.exe	92
PID 1368 wrote to memory of 2084	1368	Ceckcp32.exe	93
PID 1368 wrote to memory of 2084	1368	Ceckcp32.exe	93
PID 1368 wrote to memory of 2084	1368	Ceckcp32.exe	93
PID 2084 wrote to memory of 4104	2084	Cjpckf32.exe	95
PID 2084 wrote to memory of 4104	2084	Cjpckf32.exe	95
PID 2084 wrote to memory of 4104	2084	Cjpckf32.exe	95
PID 4104 wrote to memory of 2304	4104	Ceehho32.exe	96
PID 4104 wrote to memory of 2304	4104	Ceehho32.exe	96
PID 4104 wrote to memory of 2304	4104	Ceehho32.exe	96
PID 2304 wrote to memory of 4860	2304	Chcddk32.exe	97
PID 2304 wrote to memory of 4860	2304	Chcddk32.exe	97
PID 2304 wrote to memory of 4860	2304	Chcddk32.exe	97
PID 4860 wrote to memory of 3348	4860	Cnnlaehj.exe	98
PID 4860 wrote to memory of 3348	4860	Cnnlaehj.exe	98
PID 4860 wrote to memory of 3348	4860	Cnnlaehj.exe	98
PID 3348 wrote to memory of 1400	3348	Calhnpgn.exe	99
PID 3348 wrote to memory of 1400	3348	Calhnpgn.exe	99
PID 3348 wrote to memory of 1400	3348	Calhnpgn.exe	99
PID 1400 wrote to memory of 2096	1400	Ddjejl32.exe	100
PID 1400 wrote to memory of 2096	1400	Ddjejl32.exe	100
PID 1400 wrote to memory of 2096	1400	Ddjejl32.exe	100
PID 2096 wrote to memory of 3468	2096	Dopigd32.exe	102
PID 2096 wrote to memory of 3468	2096	Dopigd32.exe	102
PID 2096 wrote to memory of 3468	2096	Dopigd32.exe	102
PID 3468 wrote to memory of 4940	3468	Danecp32.exe	103
PID 3468 wrote to memory of 4940	3468	Danecp32.exe	103
PID 3468 wrote to memory of 4940	3468	Danecp32.exe	103
PID 4940 wrote to memory of 864	4940	Ddmaok32.exe	104
PID 4940 wrote to memory of 864	4940	Ddmaok32.exe	104
PID 4940 wrote to memory of 864	4940	Ddmaok32.exe	104
PID 864 wrote to memory of 3996	864	Dobfld32.exe	105
PID 864 wrote to memory of 3996	864	Dobfld32.exe	105
PID 864 wrote to memory of 3996	864	Dobfld32.exe	105
PID 3996 wrote to memory of 3296	3996	Delnin32.exe	106
PID 3996 wrote to memory of 3296	3996	Delnin32.exe	106
PID 3996 wrote to memory of 3296	3996	Delnin32.exe	106
PID 3296 wrote to memory of 2152	3296	Dhkjej32.exe	107
PID 3296 wrote to memory of 2152	3296	Dhkjej32.exe	107
PID 3296 wrote to memory of 2152	3296	Dhkjej32.exe	107
PID 2152 wrote to memory of 3552	2152	Dmgbnq32.exe	108

C:\Users\Admin\AppData\Local\Temp\734b862972bd67fadf14952cd3d9be60N.exe
"C:\Users\Admin\AppData\Local\Temp\734b862972bd67fadf14952cd3d9be60N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3696
- C:\Windows\SysWOW64\Bcoenmao.exe
  C:\Windows\system32\Bcoenmao.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\SysWOW64\Cfmajipb.exe
    C:\Windows\system32\Cfmajipb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4468
  - - C:\Windows\SysWOW64\Cenahpha.exe
      C:\Windows\system32\Cenahpha.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3936
    - - C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2840
      - C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4860
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3348
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2096
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3296
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3552
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4528
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 416
        29⤵
        Program crash
        
        PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4972 -ip 4972
1⤵
PID:1120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bbloam32.dll

Filesize
7KB

MD5
9f6fd0d46979ecca5bf4791134d3ae92

SHA1
4f5b0bfcc280d8a6bbcdd7e337e57072f1c27134

SHA256
744ae26d57bcb880111586150dcde2cb3d1501927ab7c68c40403234a594b899

SHA512
4f2435b60042cc88496a4743d7ddbf5d87fe469bb8a442161f446e21bc14688468ac4618c5205884f721f0f8e1091bad80335bec787d40457078bb920b128643

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
207KB

MD5
434fad2d37c553c02db32583f60e9a3b

SHA1
296a8a008e28c926331283c2ba9c56a1a58a7d8a

SHA256
43e35b1604beee1659ec1d8354ff78bf6213feea276ec3ff663409ee50d5ec63

SHA512
634ac3353951d8194d3431643786143275a8041fd7b6538ea3abb20de4f99862de620a447acab87743c166368ad3d42338b77e5e2e89cfa55a4cf1642c39c47e

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
207KB

MD5
e3218d3efbaf7edfba7371199bc3c485

SHA1
063169dd0741410f3bdc2e6b14a0b2c9cc7a3a4e

SHA256
1605743d1e87e475a0945cf9ac919a0cee6324048527aea4974d587392716d52

SHA512
e4b2c69f23c5d49fd52cfeb30c5fed8acfd93bc1fb6782c912cb5cfd3768e3203cc9e720b2dda5d65371e55f0b5c9e713789e62eece9fb6a34abe763540670b5

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
207KB

MD5
a53c0ac2d92ca2ff46d5335d4654e0bc

SHA1
4dd0700b3b997097f9cd15acf017dd7bbf5cfc9b

SHA256
1deab5c239d405ff333f50f60e3b20060445bfad453863c4a8557a6ce7a242e8

SHA512
53e9de35366c1c4f2e12eb67e2289bbf78d36a45b6785ed05f9685b9949f2920d00435b7cde9092074cc217fda0338e9b116dc81dbe56a049c8279468a671e8e

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
207KB

MD5
32eb3b1db106bfc8ced59aebef080ce8

SHA1
cd5f059740c85124769bca2cd0d98d591f18cfa6

SHA256
433b090bd3e29c0112d7bbcb9275ab9da56ee9b29510d15b0cd660f7bde081d9

SHA512
758ed8369403d72b9e7f02b18099b379fb164573643d46710218927af349a667168ea127b479dab243afc89752b20b2e474f41f7cd2a4e3e24b827836c17e80f

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
207KB

MD5
fbd4f3aa243f3c47fb2394f655df1cbe

SHA1
6aff04fa89adc823abd748da9fdf6634f52863d1

SHA256
a325e31a48a705c43b51419f903aa9210ed50db0b57589e93f02a0a00a8edb94

SHA512
8db8c4474fef19a27b448ae98e9d926f3125a5ad9f28d54b9854ba4fda3a320d53277d76bfb276e67c8fc74575dc009ede1a7b31d56ddb96f8e3fd669f6fe7cf

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
207KB

MD5
7be8e31ad961070f912907815974f11a

SHA1
ff8b373fd0df4d0de9fcfc63cacc065cbffe57ba

SHA256
fc8a03cfb9b001a35c1252d66ef3166edc9686179cd1845ff2e36d8be8ed81a5

SHA512
6ae14f897b0b315e54deba4335f4dc41c7fe25c4aaa0984074d74a6ea524c61e092a70be3f1b9572ebd1404ba584d1692be3c77a72be1d6a4e758f7213f90b8d

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
207KB

MD5
904c41d75ad1436bd1bb31d35c30ab25

SHA1
b9a74f2a62ad2339eb648605c3219883e3ff5f8c

SHA256
9a96891b76400cdff30d72e09791147b405c73710f57c6440a84aebb2bfd7ceb

SHA512
d3081e65289b5e954784f55658c596e141a2c9ecce3eb4e8007e2cd9445d75fa6ed3ac8186cc2edb3b258d57684852319d2bba837ae8310aaf026cc376c97b3b

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
207KB

MD5
63149304f9be5fae835f5ff2d4c77178

SHA1
8f2dcb57b5ba3e696bac3bcdee803690eea82e99

SHA256
48ccf8492639daf7fd1da72d86ac0c9351bdcf0f687d60734ee740a132e22228

SHA512
5f446c296c75f7d6799d5672b182e58e1343055bf56ce179a7e9d9fb3f5ad093217da9e232172d1cebb7c8135b920c2365235f0f6ea4193f428ee935c629a3cb

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
207KB

MD5
0eac3db81e466706daa54b8a139d519c

SHA1
8527755bed2f8412168031a7ce1c9bb837de7ddc

SHA256
eb362da8f4b83fbedfccdb1f3cbcc2978d0d23fe164c7e71bf46f3a57576518c

SHA512
34a2df7bb27c9de0bdf195d483a6850b771ac9867d2b370982f9692ff381c7065f94b5dbeeed3384203a4ea96b682f6844e77962ff2307ffcb05d67abba00df2

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
207KB

MD5
518fad16dbe22bf636af711a50a91318

SHA1
aca7504094d476a9cb98277990d7a4a3c1858279

SHA256
4b26ef42f1a2a0f1fd432d74459c38aa99508746641c4b0fd6018947a4d11faf

SHA512
c5c4ec44a246e96137eb33d1abe7b075117bfed4b75c2594ea108adb1db7c3e1eb9e741f1c03de7ef6f8da989b8d8c0170781813c34ec5868d176356c00ed3ce

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
207KB

MD5
bce7bf4651f251743ab2cc286c029869

SHA1
669038aa0f29a87a30bfcbe63aa78dcc5c592150

SHA256
82134680d23e9180e6fc0bd50a004fbf0339ed35184ecfc390eabb0ee5fcf813

SHA512
11ad236dfeecc8dd1d381152a4830926391a511dc74326de85dffb6ea6ccfec88551fdafbf8786553a7976a53ffcc3ffef839aefc3c59a48240a392d26b87ec8

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
207KB

MD5
5883aafd5d8183350061d2c8a587f849

SHA1
9ab3ed0b6d277cd93342b9892e46ee0095a49471

SHA256
4b4f381ef34809ce647e39a8733efabaa062247dc616c5f61249e49c760ebcb5

SHA512
7ffa80e2284cb1701231ed02072e7f4beeae12fc238f70c420d03757a85c80301c2b6e0da4d720da75f76962364e3e7c9f56ac0bfb3863fe9b29c0d16f77585d

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
207KB

MD5
e671fe2fffcb2c9ca959bc32d8b36137

SHA1
2aa1c3e67c193be7a41725e1c64780ffb0d55dd2

SHA256
437117def2895909402f3311abf4c3d4d60b392dbaacf78e6ae5c933bae20d69

SHA512
7de2d8e018ee9f59be526ff5bc8971575f0b5ba73157279ea8613c19bb8a9c942591a840e8c9532bb83baa7f7769e165d0b6ad3f8dbf44264c7ae1ccb279c898

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
207KB

MD5
5b64a15bc8277fb24cd8f23451a17633

SHA1
575f269758f35873b975d2bf45028496f6a4045e

SHA256
da8cf996ebc8f6e5263caa82a544f9e999ab1a5f9dc50bb331015462a40cbd59

SHA512
58bc171dede01bb569c820182c81f23eaf5725f5da9a6083af0998d5f5e51f1450bbc179d61af32ee612f09f699b1a84d8d479d7e712f49406e51df9189e9ccb

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
207KB

MD5
b4674b29e1531cb010cdc4861f768da6

SHA1
500b6d03a3965689eb970db2293511ba990e8ea3

SHA256
d1beb60d8ef9903d0be192b30cd50533c86656f395ebbb520b3c8d415869f4c3

SHA512
e8875e4be13e283e32d12ef26e300d67f9f9fdddf86850b426588c4a9ae68d34f0efe8b21e52271bff6316a55f4c8cb9e64273ae45fff3bd929dcad2a6ebf892

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
207KB

MD5
615bc4fac6e66d5ac3097f2823bee119

SHA1
1a2f8955cfb4933db746f385dae139b8bcdfc528

SHA256
2a88be77a9fb21ad3521c78c21889df3b1db3f348c9b084a59385ecee1d51fe8

SHA512
03ee36ebc0d0be5a195cfbb80839f762413da4271b5eb2a6f2a6b13ec8aea7b13541688fca788fd6d726404710b3ee790b9b9874805b1d47b97ca6fff3b1f0b4

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
207KB

MD5
cde742f7c8b1b043f53089724a93c6e3

SHA1
502e7f6078dc1ff05d5bdd009ed6047d1539849d

SHA256
f09ab901b6c8bc32a7152bf627e531b0cb46c4be84a763fca513cdc96ce7bacb

SHA512
635c94b65002e9c7a61a26c9ba6bc27a2030fb06f01ad946d4b0373d5f1e4ba74fae43a377bfe6c32c5e9e078ab500b6a6e16f1d6497f0297e676425bf579005

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
207KB

MD5
3c54715d3f368bde892fc3897d6ca716

SHA1
8667382cbd66a2ecb453a6dddd8ab22c5cd1e90a

SHA256
26183d4108dffec871b0403dbf6b62cce7baa2c2406f272a2898fb6cc0d8a586

SHA512
98a458adf740d88bfea95b360300666fbfb748c10108fc24311cfb168b662445dda07c0a4d54ced81a78a894edc2971a5f65e535f4ae9155935902bf6e7d5e7c

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
207KB

MD5
5769cbe3d152965c5f56cc6ebbeae15c

SHA1
f328a2bce3a733e34065b0f052106b8f347f6410

SHA256
16884a7c2286a06b6eb6ab00bec13d149454586447e43692092ce0af949f8178

SHA512
0aa6f978140e017ac33ff9ed66139a78b8835a3915a867b10b0937c2d234707c16c449759f31e1f39beedbb70188e9eeaca336b65fa22529656a0786531a9276

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
207KB

MD5
5fe1f7a3ec9598e701750e26570211e7

SHA1
b463ab9249ceab47e4c3fc1ced940552c61ad500

SHA256
bffdce6bfcf3a7b74ac5364773881ce0cb250994f2b83792170c3515730466ca

SHA512
0c331325be7dc86ec9c47c16749ea7f3bcc29830973b05d4ddaa7d25b73e0aa944ecddbc834bf142762848bbc2dca298c4d715b1438692c228db4d4225d925d5

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
207KB

MD5
f78bb8314d235ee58cb5fcbc2d565a95

SHA1
deec6a065006b24431e16419290e7bfbaebf0299

SHA256
3e733ec5578fa9c37768bc3f5a70ece409f87c350f8f7509a2d37b5f058087f5

SHA512
d834d8ad4fe8fcd44c46837fc0e7a8a79ac09d64bfe4a04382aace39ed2ddd3ffb55e631949967fa99434a3ed306628dc8c7741fb942fef316a82321690ab98f

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
207KB

MD5
3f91d5f19aa2dc44e230fd59c0135c8f

SHA1
63438ddbeacd873211115518585316a73653e431

SHA256
5bd9736d71f142dfa549a6f0c7161bb3d268d15a608afaf13ac26ccc01197d4a

SHA512
39e63924be61f975f640e4e4c111f5c36621dd4c9796a5affa9f54b68606adde546b59f62548202413cdfe560e79e59edf1a2bdb2192722acad03b652a7a805e

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
207KB

MD5
2933b0b3d282f22a3f7dbee1463d2350

SHA1
c3ff4a737d5f578cb2036f8b67a04395c22720dd

SHA256
0244aac6039d9b97ee05c6ec59e93bee9c4210e98380821d4b4462f0e91c1d4b

SHA512
ea6dfb773b39d0f4e9f4b7f779f7d469db041422c6b197d52cf4cfd7e9793c5c5500bd7dfbf46b762859f56d6fa237fa010354c191eee9b08de5b7cd6617f1e2

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
207KB

MD5
547f0844fe25791bc6524626ad623775

SHA1
2b00da2f4ca63ff28eb16ebc6668e62e91b3aee7

SHA256
abd114db20f3d6bf6d5ffa182599c9fd7d1c1fa4008e7f6c237bb4e3563d3ffd

SHA512
79abf80a975c9845999b0aea22d30fa294942d66780b7c75b58674e7441f3549fdc15ae2034edc52677f706ca9df20bc1806dca862e24a363c8b8b00942140ab

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
207KB

MD5
8af5a9a45b16c5596c11f4050b009ce0

SHA1
254d661afcca7234b99248ca22738e7f113b57e7

SHA256
50754f062326e877d97bba9cd84cb5cc419b6ced1c26968e4dc47ffc781091ae

SHA512
a1329f802c2d5cc0d59354f5b022311b400303cb29d3ef426335fd907c23282b98b6b8a17b1634905de4738f0480cf684454d35e3cec0d41002e1b9b5c62eae9

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
207KB

MD5
f5569540fc625ac26be00df2c21e7713

SHA1
d873ab760977ba7a7f245aba44c71e35080ab9d8

SHA256
d8540fb831174f41a4b061c24502d936c08a12e189aae6207c80a9b8cac90839

SHA512
b1d4b5b0ae4425819d653b5a2862127d03eb7ed9960e9eb3dd48fa56e86ffa03336bbf4a473487963b7736c9e2e2f51a05088d06c553c2d1ab9cfdeadf8e3ff1

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
207KB

MD5
4677eb70c0d85e547a16e767f954110c

SHA1
22e165cda9a6352e520d48260a041a891338e689

SHA256
5cd3b11f5ae2b6182895c9664752499d2ee92576b6b9d902ff64a826caa0c65a

SHA512
26a244222597772e225c22c694903956ed27e930b3b1239a69a24bab35645239b297d2c76128c488ae1318e9fecf959c64fe058c9cd4afe46bfe97d15e0ccbbc

Download Submit
memory/436-249-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/436-47-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/436-251-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/864-230-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/864-144-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1368-64-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1368-262-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1400-265-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1400-112-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1672-241-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1672-8-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2084-72-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2084-235-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2096-120-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2096-264-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2152-168-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2152-234-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2304-263-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2304-88-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2840-247-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2840-31-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2840-244-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3232-228-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3296-233-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3296-160-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3296-225-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3348-104-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3348-266-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3468-128-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3468-270-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3552-232-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3628-220-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3628-197-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3696-0-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3696-239-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3936-242-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3936-245-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3936-28-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3996-229-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3996-156-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4104-80-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4104-268-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4172-252-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4172-250-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4172-56-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4468-243-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4468-16-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4472-248-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4472-39-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4528-206-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4528-218-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4860-100-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4860-267-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4896-237-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4896-187-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4940-136-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4940-269-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4972-213-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4972-217-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads