4212e4254f6c851b20de66b7d6424269b817e21c8daf153a432ea7a079a73216

Analysis

max time kernel
34s
max time network
18s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
17/08/2024, 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40fa4c2911372a98486a324183396990N.exe
Size

92KB
MD5

40fa4c2911372a98486a324183396990
SHA1

4dee2d0749e512c036770e57cb2447d644bb12fb
SHA256

4212e4254f6c851b20de66b7d6424269b817e21c8daf153a432ea7a079a73216
SHA512

a1247ddec8edce8d672fd6097c9858a5ec2060fb4826e5584d329d41e8660cb09871effbca08679904c482e76e38f0d975b13f0f06f89ed5c9def8526e41cf8d
SSDEEP

1536:oH9/CplO5GvyT279Rdg/nwC186E1wLDjXq+66DFUABABOVLefE3:k9gM749Rdg/n318SLDj6+JB8M3

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfdqpdja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hngppgae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eoanij32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dnbbjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fdhigo32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glongpao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gheola32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hdolga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hkidclbb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hjpnjheg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbkaee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgokcja.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ginefe32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkcedgp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eoanij32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Eabgjeef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fomndhng.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gheola32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkcedgp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmbiap32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fijolbfh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gohqhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbihpbpl.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgokcja.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Glhhgahg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hdolga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	40fa4c2911372a98486a324183396990N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckamihfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmbiap32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfdqpdja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dnbbjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Eabgjeef.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Feppqc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gohqhl32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	40fa4c2911372a98486a324183396990N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fijolbfh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fdhigo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhqdgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Glhhgahg.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hkidclbb.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhqdgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Fomndhng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ginefe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Hjpnjheg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dbkaee32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbihpbpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Feppqc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Glongpao.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Hngppgae.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Gcocnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Gcocnk32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckamihfm.exe

Executes dropped EXE 26 IoCs

pid	Process
1276	Bhqdgm32.exe
1936	Cbihpbpl.exe
3060	Ckamihfm.exe
2756	Cmbiap32.exe
2704	Cjkcedgp.exe
2892	Dfdqpdja.exe
2528	Dbkaee32.exe
2992	Dnbbjf32.exe
2864	Dmgokcja.exe
1548	Eoanij32.exe
852	Eabgjeef.exe
1072	Fijolbfh.exe
1508	Feppqc32.exe
1148	Fdhigo32.exe
2492	Fomndhng.exe
2208	Gcocnk32.exe
1700	Glhhgahg.exe
1164	Gohqhl32.exe
2352	Ginefe32.exe
236	Glongpao.exe
812	Gheola32.exe
972	Hdolga32.exe
2440	Hkidclbb.exe
2040	Hngppgae.exe
1708	Hjpnjheg.exe
2476	Iqmcmaja.exe

Loads dropped DLL 56 IoCs

pid	Process
2444	40fa4c2911372a98486a324183396990N.exe
2444	40fa4c2911372a98486a324183396990N.exe
1276	Bhqdgm32.exe
1276	Bhqdgm32.exe
1936	Cbihpbpl.exe
1936	Cbihpbpl.exe
3060	Ckamihfm.exe
3060	Ckamihfm.exe
2756	Cmbiap32.exe
2756	Cmbiap32.exe
2704	Cjkcedgp.exe
2704	Cjkcedgp.exe
2892	Dfdqpdja.exe
2892	Dfdqpdja.exe
2528	Dbkaee32.exe
2528	Dbkaee32.exe
2992	Dnbbjf32.exe
2992	Dnbbjf32.exe
2864	Dmgokcja.exe
2864	Dmgokcja.exe
1548	Eoanij32.exe
1548	Eoanij32.exe
852	Eabgjeef.exe
852	Eabgjeef.exe
1072	Fijolbfh.exe
1072	Fijolbfh.exe
1508	Feppqc32.exe
1508	Feppqc32.exe
1148	Fdhigo32.exe
1148	Fdhigo32.exe
2492	Fomndhng.exe
2492	Fomndhng.exe
2208	Gcocnk32.exe
2208	Gcocnk32.exe
1700	Glhhgahg.exe
1700	Glhhgahg.exe
1164	Gohqhl32.exe
1164	Gohqhl32.exe
2352	Ginefe32.exe
2352	Ginefe32.exe
236	Glongpao.exe
236	Glongpao.exe
812	Gheola32.exe
812	Gheola32.exe
972	Hdolga32.exe
972	Hdolga32.exe
2440	Hkidclbb.exe
2440	Hkidclbb.exe
2040	Hngppgae.exe
2040	Hngppgae.exe
1708	Hjpnjheg.exe
1708	Hjpnjheg.exe
1564	WerFault.exe
1564	WerFault.exe
1564	WerFault.exe
1564	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Fomndhng.exe	Fdhigo32.exe
File created	C:\Windows\SysWOW64\Jkocglhl.dll	Gohqhl32.exe
File created	C:\Windows\SysWOW64\Glongpao.exe	Ginefe32.exe
File created	C:\Windows\SysWOW64\Hdolga32.exe	Gheola32.exe
File opened for modification	C:\Windows\SysWOW64\Hkidclbb.exe	Hdolga32.exe
File created	C:\Windows\SysWOW64\Ckamihfm.exe	Cbihpbpl.exe
File opened for modification	C:\Windows\SysWOW64\Cjkcedgp.exe	Cmbiap32.exe
File opened for modification	C:\Windows\SysWOW64\Fijolbfh.exe	Eabgjeef.exe
File created	C:\Windows\SysWOW64\Hibgakob.dll	Fdhigo32.exe
File created	C:\Windows\SysWOW64\Hkidclbb.exe	Hdolga32.exe
File created	C:\Windows\SysWOW64\Bhqdgm32.exe	40fa4c2911372a98486a324183396990N.exe
File created	C:\Windows\SysWOW64\Phpjbcci.dll	Bhqdgm32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgokcja.exe	Dnbbjf32.exe
File opened for modification	C:\Windows\SysWOW64\Gohqhl32.exe	Glhhgahg.exe
File created	C:\Windows\SysWOW64\Nmamgl32.dll	Glhhgahg.exe
File created	C:\Windows\SysWOW64\Ginefe32.exe	Gohqhl32.exe
File created	C:\Windows\SysWOW64\Hjpnjheg.exe	Hngppgae.exe
File created	C:\Windows\SysWOW64\Iqmcmaja.exe	Hjpnjheg.exe
File opened for modification	C:\Windows\SysWOW64\Cbihpbpl.exe	Bhqdgm32.exe
File opened for modification	C:\Windows\SysWOW64\Dfdqpdja.exe	Cjkcedgp.exe
File created	C:\Windows\SysWOW64\Fbgdlq32.dll	Fomndhng.exe
File created	C:\Windows\SysWOW64\Maonll32.dll	Hjpnjheg.exe
File created	C:\Windows\SysWOW64\Dbkaee32.exe	Dfdqpdja.exe
File created	C:\Windows\SysWOW64\Fdhigo32.exe	Feppqc32.exe
File opened for modification	C:\Windows\SysWOW64\Gcocnk32.exe	Fomndhng.exe
File created	C:\Windows\SysWOW64\Pfplmh32.dll	Hdolga32.exe
File created	C:\Windows\SysWOW64\Cbihpbpl.exe	Bhqdgm32.exe
File created	C:\Windows\SysWOW64\Cjkcedgp.exe	Cmbiap32.exe
File created	C:\Windows\SysWOW64\Ghndbeeo.dll	Cjkcedgp.exe
File created	C:\Windows\SysWOW64\Pbanhfjd.dll	Dmgokcja.exe
File opened for modification	C:\Windows\SysWOW64\Eabgjeef.exe	Eoanij32.exe
File opened for modification	C:\Windows\SysWOW64\Hjpnjheg.exe	Hngppgae.exe
File created	C:\Windows\SysWOW64\Dnbbjf32.exe	Dbkaee32.exe
File opened for modification	C:\Windows\SysWOW64\Eoanij32.exe	Dmgokcja.exe
File created	C:\Windows\SysWOW64\Okdqnp32.dll	Fijolbfh.exe
File created	C:\Windows\SysWOW64\Ddlhdm32.dll	Gcocnk32.exe
File created	C:\Windows\SysWOW64\Jnenmnck.dll	40fa4c2911372a98486a324183396990N.exe
File created	C:\Windows\SysWOW64\Qmhfaj32.dll	Cbihpbpl.exe
File opened for modification	C:\Windows\SysWOW64\Cmbiap32.exe	Ckamihfm.exe
File opened for modification	C:\Windows\SysWOW64\Feppqc32.exe	Fijolbfh.exe
File created	C:\Windows\SysWOW64\Gheola32.exe	Glongpao.exe
File created	C:\Windows\SysWOW64\Gmphdjpq.dll	Hngppgae.exe
File created	C:\Windows\SysWOW64\Obfoioei.dll	Hkidclbb.exe
File opened for modification	C:\Windows\SysWOW64\Ckamihfm.exe	Cbihpbpl.exe
File opened for modification	C:\Windows\SysWOW64\Dnbbjf32.exe	Dbkaee32.exe
File created	C:\Windows\SysWOW64\Feppqc32.exe	Fijolbfh.exe
File created	C:\Windows\SysWOW64\Lfamkl32.dll	Feppqc32.exe
File opened for modification	C:\Windows\SysWOW64\Glhhgahg.exe	Gcocnk32.exe
File created	C:\Windows\SysWOW64\Okipcb32.dll	Ginefe32.exe
File created	C:\Windows\SysWOW64\Hngppgae.exe	Hkidclbb.exe
File created	C:\Windows\SysWOW64\Cmbiap32.exe	Ckamihfm.exe
File created	C:\Windows\SysWOW64\Dfdqpdja.exe	Cjkcedgp.exe
File opened for modification	C:\Windows\SysWOW64\Fdhigo32.exe	Feppqc32.exe
File created	C:\Windows\SysWOW64\Llcppm32.dll	Gheola32.exe
File opened for modification	C:\Windows\SysWOW64\Hngppgae.exe	Hkidclbb.exe
File opened for modification	C:\Windows\SysWOW64\Iqmcmaja.exe	Hjpnjheg.exe
File created	C:\Windows\SysWOW64\Gcocnk32.exe	Fomndhng.exe
File created	C:\Windows\SysWOW64\Glhhgahg.exe	Gcocnk32.exe
File opened for modification	C:\Windows\SysWOW64\Glongpao.exe	Ginefe32.exe
File created	C:\Windows\SysWOW64\Omdkhjjg.dll	Cmbiap32.exe
File created	C:\Windows\SysWOW64\Eoanij32.exe	Dmgokcja.exe
File created	C:\Windows\SysWOW64\Kikakd32.dll	Eabgjeef.exe
File created	C:\Windows\SysWOW64\Jpneablg.dll	Glongpao.exe
File opened for modification	C:\Windows\SysWOW64\Dbkaee32.exe	Dfdqpdja.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1564	2476	WerFault.exe	53

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eabgjeef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fdhigo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gcocnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hjpnjheg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhqdgm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmbiap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfdqpdja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eoanij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hdolga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	40fa4c2911372a98486a324183396990N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iqmcmaja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbihpbpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fomndhng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ginefe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckamihfm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkcedgp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gohqhl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbkaee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dnbbjf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgokcja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Glongpao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gheola32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hngppgae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fijolbfh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Feppqc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Glhhgahg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkidclbb.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmgmelp.dll"	Dbkaee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fijolbfh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Feppqc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfamkl32.dll"	Feppqc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	40fa4c2911372a98486a324183396990N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hibgakob.dll"	Fdhigo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gohqhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hdolga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kikakd32.dll"	Eabgjeef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dnbbjf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hdolga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hjpnjheg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckamihfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddlhdm32.dll"	Gcocnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Glhhgahg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Glhhgahg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gohqhl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gheola32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghndbeeo.dll"	Cjkcedgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckamihfm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llcppm32.dll"	Gheola32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gheola32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmhfaj32.dll"	Cbihpbpl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgokcja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Eoanij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fomndhng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ginefe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmphdjpq.dll"	Hngppgae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmbiap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmbiap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dbkaee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgcojpej.dll"	Dnbbjf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okdqnp32.dll"	Fijolbfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbgdlq32.dll"	Fomndhng.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Gcocnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkocglhl.dll"	Gohqhl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehhejkik.dll"	Ckamihfm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Glongpao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Eabgjeef.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbihpbpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agffkn32.dll"	Eoanij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Gcocnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmamgl32.dll"	Glhhgahg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obfoioei.dll"	Hkidclbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hngppgae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	40fa4c2911372a98486a324183396990N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hkidclbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfdqpdja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbihpbpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkcedgp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgokcja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fijolbfh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpneablg.dll"	Glongpao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maonll32.dll"	Hjpnjheg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phpjbcci.dll"	Bhqdgm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okipcb32.dll"	Ginefe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Glongpao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Hjpnjheg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	40fa4c2911372a98486a324183396990N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbanhfjd.dll"	Dmgokcja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fdhigo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Fomndhng.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Hkidclbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnenmnck.dll"	40fa4c2911372a98486a324183396990N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 1276	2444	40fa4c2911372a98486a324183396990N.exe	28
PID 2444 wrote to memory of 1276	2444	40fa4c2911372a98486a324183396990N.exe	28
PID 2444 wrote to memory of 1276	2444	40fa4c2911372a98486a324183396990N.exe	28
PID 2444 wrote to memory of 1276	2444	40fa4c2911372a98486a324183396990N.exe	28
PID 1276 wrote to memory of 1936	1276	Bhqdgm32.exe	29
PID 1276 wrote to memory of 1936	1276	Bhqdgm32.exe	29
PID 1276 wrote to memory of 1936	1276	Bhqdgm32.exe	29
PID 1276 wrote to memory of 1936	1276	Bhqdgm32.exe	29
PID 1936 wrote to memory of 3060	1936	Cbihpbpl.exe	30
PID 1936 wrote to memory of 3060	1936	Cbihpbpl.exe	30
PID 1936 wrote to memory of 3060	1936	Cbihpbpl.exe	30
PID 1936 wrote to memory of 3060	1936	Cbihpbpl.exe	30
PID 3060 wrote to memory of 2756	3060	Ckamihfm.exe	31
PID 3060 wrote to memory of 2756	3060	Ckamihfm.exe	31
PID 3060 wrote to memory of 2756	3060	Ckamihfm.exe	31
PID 3060 wrote to memory of 2756	3060	Ckamihfm.exe	31
PID 2756 wrote to memory of 2704	2756	Cmbiap32.exe	32
PID 2756 wrote to memory of 2704	2756	Cmbiap32.exe	32
PID 2756 wrote to memory of 2704	2756	Cmbiap32.exe	32
PID 2756 wrote to memory of 2704	2756	Cmbiap32.exe	32
PID 2704 wrote to memory of 2892	2704	Cjkcedgp.exe	33
PID 2704 wrote to memory of 2892	2704	Cjkcedgp.exe	33
PID 2704 wrote to memory of 2892	2704	Cjkcedgp.exe	33
PID 2704 wrote to memory of 2892	2704	Cjkcedgp.exe	33
PID 2892 wrote to memory of 2528	2892	Dfdqpdja.exe	34
PID 2892 wrote to memory of 2528	2892	Dfdqpdja.exe	34
PID 2892 wrote to memory of 2528	2892	Dfdqpdja.exe	34
PID 2892 wrote to memory of 2528	2892	Dfdqpdja.exe	34
PID 2528 wrote to memory of 2992	2528	Dbkaee32.exe	35
PID 2528 wrote to memory of 2992	2528	Dbkaee32.exe	35
PID 2528 wrote to memory of 2992	2528	Dbkaee32.exe	35
PID 2528 wrote to memory of 2992	2528	Dbkaee32.exe	35
PID 2992 wrote to memory of 2864	2992	Dnbbjf32.exe	36
PID 2992 wrote to memory of 2864	2992	Dnbbjf32.exe	36
PID 2992 wrote to memory of 2864	2992	Dnbbjf32.exe	36
PID 2992 wrote to memory of 2864	2992	Dnbbjf32.exe	36
PID 2864 wrote to memory of 1548	2864	Dmgokcja.exe	37
PID 2864 wrote to memory of 1548	2864	Dmgokcja.exe	37
PID 2864 wrote to memory of 1548	2864	Dmgokcja.exe	37
PID 2864 wrote to memory of 1548	2864	Dmgokcja.exe	37
PID 1548 wrote to memory of 852	1548	Eoanij32.exe	38
PID 1548 wrote to memory of 852	1548	Eoanij32.exe	38
PID 1548 wrote to memory of 852	1548	Eoanij32.exe	38
PID 1548 wrote to memory of 852	1548	Eoanij32.exe	38
PID 852 wrote to memory of 1072	852	Eabgjeef.exe	39
PID 852 wrote to memory of 1072	852	Eabgjeef.exe	39
PID 852 wrote to memory of 1072	852	Eabgjeef.exe	39
PID 852 wrote to memory of 1072	852	Eabgjeef.exe	39
PID 1072 wrote to memory of 1508	1072	Fijolbfh.exe	40
PID 1072 wrote to memory of 1508	1072	Fijolbfh.exe	40
PID 1072 wrote to memory of 1508	1072	Fijolbfh.exe	40
PID 1072 wrote to memory of 1508	1072	Fijolbfh.exe	40
PID 1508 wrote to memory of 1148	1508	Feppqc32.exe	41
PID 1508 wrote to memory of 1148	1508	Feppqc32.exe	41
PID 1508 wrote to memory of 1148	1508	Feppqc32.exe	41
PID 1508 wrote to memory of 1148	1508	Feppqc32.exe	41
PID 1148 wrote to memory of 2492	1148	Fdhigo32.exe	42
PID 1148 wrote to memory of 2492	1148	Fdhigo32.exe	42
PID 1148 wrote to memory of 2492	1148	Fdhigo32.exe	42
PID 1148 wrote to memory of 2492	1148	Fdhigo32.exe	42
PID 2492 wrote to memory of 2208	2492	Fomndhng.exe	43
PID 2492 wrote to memory of 2208	2492	Fomndhng.exe	43
PID 2492 wrote to memory of 2208	2492	Fomndhng.exe	43
PID 2492 wrote to memory of 2208	2492	Fomndhng.exe	43

C:\Users\Admin\AppData\Local\Temp\40fa4c2911372a98486a324183396990N.exe
"C:\Users\Admin\AppData\Local\Temp\40fa4c2911372a98486a324183396990N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\SysWOW64\Bhqdgm32.exe
  C:\Windows\system32\Bhqdgm32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1276
- - C:\Windows\SysWOW64\Cbihpbpl.exe
    C:\Windows\system32\Cbihpbpl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Windows\SysWOW64\Ckamihfm.exe
      C:\Windows\system32\Ckamihfm.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3060
    - - C:\Windows\SysWOW64\Cmbiap32.exe
        
        C:\Windows\system32\Cmbiap32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2756
      - C:\Windows\SysWOW64\Cjkcedgp.exe
        
        C:\Windows\system32\Cjkcedgp.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\SysWOW64\Dfdqpdja.exe
        
        C:\Windows\system32\Dfdqpdja.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Dbkaee32.exe
        
        C:\Windows\system32\Dbkaee32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\SysWOW64\Dnbbjf32.exe
        
        C:\Windows\system32\Dnbbjf32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\SysWOW64\Dmgokcja.exe
        
        C:\Windows\system32\Dmgokcja.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\SysWOW64\Eoanij32.exe
        
        C:\Windows\system32\Eoanij32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\SysWOW64\Eabgjeef.exe
        
        C:\Windows\system32\Eabgjeef.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\SysWOW64\Fijolbfh.exe
        
        C:\Windows\system32\Fijolbfh.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\SysWOW64\Feppqc32.exe
        
        C:\Windows\system32\Feppqc32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\SysWOW64\Fdhigo32.exe
        
        C:\Windows\system32\Fdhigo32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Windows\SysWOW64\Fomndhng.exe
        
        C:\Windows\system32\Fomndhng.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\SysWOW64\Gcocnk32.exe
        
        C:\Windows\system32\Gcocnk32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Glhhgahg.exe
        
        C:\Windows\system32\Glhhgahg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\Gohqhl32.exe
        
        C:\Windows\system32\Gohqhl32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Ginefe32.exe
        
        C:\Windows\system32\Ginefe32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2352
        
        C:\Windows\SysWOW64\Glongpao.exe
        
        C:\Windows\system32\Glongpao.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:236
        
        C:\Windows\SysWOW64\Gheola32.exe
        
        C:\Windows\system32\Gheola32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:812
        
        C:\Windows\SysWOW64\Hdolga32.exe
        
        C:\Windows\system32\Hdolga32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:972
        
        C:\Windows\SysWOW64\Hkidclbb.exe
        
        C:\Windows\system32\Hkidclbb.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2440
        
        C:\Windows\SysWOW64\Hngppgae.exe
        
        C:\Windows\system32\Hngppgae.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Hjpnjheg.exe
        
        C:\Windows\system32\Hjpnjheg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Iqmcmaja.exe
        
        C:\Windows\system32\Iqmcmaja.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 140
        28⤵
        Loads dropped DLL
        Program crash
        
        PID:1564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bhqdgm32.exe

Filesize
92KB

MD5
3295fdca45a1d21cf9196a4bb1d03110

SHA1
65e162b24e73467e740f995a7cc92cd15f0478cd

SHA256
83ab9798879a0b93540ebbf674eeab94b3bc43e9c7a9c38be83daae26b888165

SHA512
5eb68293e868759335f92a3e7a27927e40a00a66ae53c089147a0912a33f80e4d77118abead765eb66cddf602a5b39f79b116db47606c70093ed6cce06008b38

Download Submit
C:\Windows\SysWOW64\Cbihpbpl.exe

Filesize
92KB

MD5
e501f370e2dd33b7317b696f42a11371

SHA1
ed37378ff85b63966ce6954e78b6ded3513c62eb

SHA256
b7c347640bf17a26261262820add6676f530af8784663cc124791662c1e24c82

SHA512
0dbf5f5d2214b280d2d235641cde1a2eb1ff5aeefee7a2027fa46feed2ccce4bd6788dc629346c160f6944451211f927bd3fee7f66d370e4606b4d08aefb3464

Download Submit
C:\Windows\SysWOW64\Gheola32.exe

Filesize
92KB

MD5
5da204672868ae21cfc063c2f1990b13

SHA1
b176a7ab253b01d4cbe6dfa4f2ca7d1a152741c8

SHA256
50329b216c824dcb1a114d652fc2960d5591e267cda7b3c2c01a64af4182aae0

SHA512
337af87067bcf6a50c2d56d955e1c047600e5bcfd74e0b7f3823383900949a895eb65f2987dd41276e01117f57ee8b33309edb90862ba25a1b4ae57c781534e4

Download Submit
C:\Windows\SysWOW64\Ginefe32.exe

Filesize
92KB

MD5
ae7ab6df106f2ecd783033b614017e23

SHA1
71f18f09701f20bdf6445b90996b0c1a1c976ac2

SHA256
b0c6623db6390f9acccbc2f284e37398627645f6a44b65b4b8cc0e3b0a8a0fc1

SHA512
2b5f4a9dc74ef774064018805bdf0e02279858d6458ea4283cb0cc3b2dcc4b1864cf71158b3146696344035d692f128094c7385bae945b6d9235793784f25daf

Download Submit
C:\Windows\SysWOW64\Glhhgahg.exe

Filesize
92KB

MD5
86e765013fdceac23f1b0a0996ae5151

SHA1
dd908821c5d0142b2cb5c0b95292ff95d9c8d130

SHA256
f45e7581512ed0948ce3fbbcd10bcf4822d528fff415b7d3e3d578e0401214e4

SHA512
a08a58de7f0cdd76b2be038c2fde02e9c0cf629f1af4f7af4b1e34383d9b2bac128a7394414c620b43fbc7550ac15cd0612cd4f5c0c2eb11c80a7b0a28a340f3

Download Submit
C:\Windows\SysWOW64\Glongpao.exe

Filesize
92KB

MD5
2a4f18aa2815f30b28f119f7da6b2c4e

SHA1
0e2339f153c0dbd1b6cdf58206ffb8276dd0cd7c

SHA256
bdf6d8e5c42c3d15e1021d443f1b4919cb2433eb7f0d362c99d696013c0cacef

SHA512
359b43bfc8f9b4a64505e5d6d884c0f3450e407aac75f38fd3e016150c0f80d0ad286c7898339953e5a3c702a933a2dea237babda560ac86664efb0e4d7c7daa

Download Submit
C:\Windows\SysWOW64\Gohqhl32.exe

Filesize
92KB

MD5
ffb2ec11b234b8114cc3de4092a47857

SHA1
bb640dd66cba0883dd93b9e0135cbc6335e613cc

SHA256
a7eff276fc351dd67ec9213a51cf45a9ce5516180446485d778903530f5309b3

SHA512
26d332afce364377d70469cb674134074a3806a852a99729c58367eba1ac89c9a8ac3c17eeb4bd3a128b2b9897c58ec5180dd28ea57dc5cc9249ed65bec7939c

Download Submit
C:\Windows\SysWOW64\Hdolga32.exe

Filesize
92KB

MD5
7efcce42cec27c7e0d931362d4aba57e

SHA1
984e753152eb972d11c7571727a4ca0f44deed22

SHA256
b0b3705bcf4fee1977733c5e55dd53f0c882687e12937c9a9d8b45e57b6dc26c

SHA512
6670e387f6177517f37dde0a44764aca618dc6e4b3f7155001f80451c501d5bb06aff5fd07759a2d4604c9fd02809131b89b12a1e3343a13ddd9913df5e46938

Download Submit
C:\Windows\SysWOW64\Hjpnjheg.exe

Filesize
92KB

MD5
381176265d91925ef61c59f8b1683e94

SHA1
03cdcf3447993e7db77941611e032621d69c80a7

SHA256
e9a13e99ca19f90bb791ea27f956fefb8a9e23a723ec105a6ee4f0b36f1b1ea4

SHA512
b72201ed8f9990f04ad936375b102af70df093dc63fbc871351f0ede40cab6a3998f4a14b46905807614af32d17ff622310a2a1ebc0f7d4a9a9161c7e5f3d1b6

Download Submit
C:\Windows\SysWOW64\Hkidclbb.exe

Filesize
92KB

MD5
7b5aa454fe177e5e3a602fe3ad07684d

SHA1
518c86e55dc9d1dcd7bc6dcbf36beb2dadc41a27

SHA256
632a8e4f88ccedc4a0924b44f0a6eec776e1092c50638bc954b4bbbe469cb05b

SHA512
69e8db28dcd0f78b11e29a71fc44a0ea87602c19331914d0848a646256a40dff055b1d1fa416e5dfa0a09329ea73b7b63ca638e98f7bfe11a53aef0d342d84dd

Download Submit
C:\Windows\SysWOW64\Hngppgae.exe

Filesize
92KB

MD5
263f94547d1172ccc1f68c4bae465b13

SHA1
203910f3034a49294a4e11ab775df57ca4fdeb12

SHA256
557b3162d230152d8f2f0291add2447570adb8f6e2dd706d06d41ed3f89c6c43

SHA512
ebadfe648b782172d90f0967bb82e28cf36d5f725c0127c8551cb2bb0ce888ce420b656563c96b7ff09a95d26abf1c031be678d5a80aebdd1f9183d48082905a

Download Submit
C:\Windows\SysWOW64\Iqmcmaja.exe

Filesize
92KB

MD5
003dd46b63bb02e44186e0ba8d333805

SHA1
cbf59b6de18964e3b06a542e5dc5fbab2d679e9f

SHA256
4a42160dad7c98eb8100ca9184bba4525883245f8f1f7fe5e42e13016b81d905

SHA512
5f99119401983c1fad634102a01ee7822ab17da6e189644e8aafb1e642879e75be4620727bdfa6c6e65132e3edd74d0f90af2192e4b13d595b0b8072db2f733b

Download Submit
\Windows\SysWOW64\Cjkcedgp.exe

Filesize
92KB

MD5
83f0094608b0427785555ff1b3ba1d29

SHA1
71e4d517a6571fd88e000da8a74c3e6a2c690b6d

SHA256
987498fcf2ed2cf40458edd1e9820e3e81750c7c41de33439bd41eb6a699af91

SHA512
abc829e2cfffc0a83494bffb48cba73676abafd22ba53465ff064cb93c43c457c27a7abafcecce4eebf7c3b30cd08a6d92097998a91c71a3e98a1e522964ef7e

Download Submit
\Windows\SysWOW64\Ckamihfm.exe

Filesize
92KB

MD5
166ab7fb6f06cae5c79e9e5b334bd1f7

SHA1
fc48869148638e4d1825fb92cc00c00923e7bf61

SHA256
36893d0bccef0ee27a8467f00cf71f4d507a9274b0948a2e788fdc5a39ebd329

SHA512
aa6ebf119e42c446ed04fdf7cc4a3901eedb6196c2eb4885c748b06ac580085c42e70fe98add85cce54348ef58129fc750dd5b0ffab3c2947265d66ad2f288ad

Download Submit
\Windows\SysWOW64\Cmbiap32.exe

Filesize
92KB

MD5
9b710a38c229fd66b7ce4c41f5bb97bb

SHA1
1cdb489ed06bfbf311d8c303e87890e66a58a285

SHA256
884636404c543b88de533770cbffcb038ceecf4a857410ba58c37b994701bee4

SHA512
c354db013d20ede46d7deb02fb1dd08251ec17cf03f413187f3e71ddcf4fbf0eee7dbabe08cfaa503c1c29e7c7454be44435a6e44cf807819729f7347eb1e87c

Download Submit
\Windows\SysWOW64\Dbkaee32.exe

Filesize
92KB

MD5
8ace4bd6beca3346b2af46b7732351f3

SHA1
eb13d231fa445c18b6e2f7fa093f772491f5402c

SHA256
221ea5d420a519402cded15a7a8058cc879a3425a781a0306bc3aa2c6c2fc905

SHA512
7ec052fb95f3ee1e47462243072bccb44f7e600fc418e7f01bf94c776f0e7de156775979bb0cc0e21bad0484018b789548c6ab6f7731c2fe74e53361bb06d186

Download Submit
\Windows\SysWOW64\Dfdqpdja.exe

Filesize
92KB

MD5
1d5df28588ecb02bbb9f098881b46bad

SHA1
1254f48195f74fbdfcd8e9ed898e4026c8910361

SHA256
e51f7559d73c9323fecca791bc9aa57886611d7a09a57164b105920c8e8ff67d

SHA512
76cf738950331c2ede81bdd052e5e5f92aea6b88b0d8f10b340d753b2c9b7457655661f8831ec2dbcafa463ccec7479ce73dc3c39ef1a1475af578e75bda76d4

Download Submit
\Windows\SysWOW64\Dmgokcja.exe

Filesize
92KB

MD5
03c1c149c5fff44051d6740559982eed

SHA1
9a6b5ef69750cff0ab2c55b76612ea5b08e51127

SHA256
53c41c3e5f6c996d5e0d78e1962bcabeeccf0c47589c5940d4adffca9d1c04bf

SHA512
40b6ca7ba27bfff35b0c74fbd3322a8aeef46faf34a9732c947904aa3340ab5b38488f0fed8950bbc79664a3a3851a63d3196cfae29ba3e5215ad8cdc5371fde

Download Submit
\Windows\SysWOW64\Dnbbjf32.exe

Filesize
92KB

MD5
4630121e6550a367cf174fd06ed8f513

SHA1
40258df17fefe04675ec7e7a5ea5ccba3fb49c3c

SHA256
dcd092288808931d3607f69018a7a93b87713d436f61db83ee10dc7033c58084

SHA512
bddf8ff2d9b6c20a13e363b9c0e32363ce74b8522c8b73c104ac4dc17520d50f2bad9c52f718adf0e5b643eef8edec53f079658dc662438d6ac570eb22a52eb1

Download Submit
\Windows\SysWOW64\Eabgjeef.exe

Filesize
92KB

MD5
4c8eeea86665d20a34b50cccf2c29199

SHA1
245854e638236bd992b577e6e8cb295acac404d5

SHA256
5f2c4905fb5bfeea70fc6b6e157d10fe0f22dce66bf573e40aabbb78344daf4a

SHA512
190e9e7e150a1bfc027146d2b9ac4e6cd226ae63fae7ebc15d8ff9b5f30d50b3d786ada3c2a8e8a0624121c90ddbd577200e46d04d919ccf83e7ac286417da59

Download Submit
\Windows\SysWOW64\Eoanij32.exe

Filesize
92KB

MD5
27d5d40d4538d911a85d52f927c4fc03

SHA1
efb8aea9919ba795135471bbeae14fd0424376e6

SHA256
c05658346b6bc7a13ec4e5cebc41457f91e3bc37da387c398992fbefeea8c976

SHA512
a4706eae90f53023913fe6c817e3715117d4be208f8ace89eaa229edf1f3ddc66836bc285491b7076fdfedb580f380b3fc10cbd000743b39eca0106c7e473ae3

Download Submit
\Windows\SysWOW64\Fdhigo32.exe

Filesize
92KB

MD5
ad6025635248447b9e92bac8de005029

SHA1
ef4db0096ff7d9cdb24d1c99b3b43d71ab9e373d

SHA256
7452bdc921a38d11b68757bbdb5d8878d84ef1b108ceb2979f816a335a6883d1

SHA512
2bc6d6c2529f96ef91e98ff724dcbc45e01d57028083773d5a064a997d6e8cf79b9c70b697c9edb370293e4a3de599744f4ffe6563ceb9a030e23f7b98c22b05

Download Submit
\Windows\SysWOW64\Feppqc32.exe

Filesize
92KB

MD5
7a9eff65971abd5eca2c614093ffae8d

SHA1
80b913b2d5e578b634c368f854e185ca76f424a7

SHA256
1bc170beae423a424f232c56de4b9a6117370e279049ed6db7d8eb0ffdb89728

SHA512
90ff02b6fff64042a5091b7f118db7f31675037fadcc9a3ae9ad83147624d370fdb8a2b3fcc5a233771a44469d13a3401783b01b37bf19bc9beb86afc573b8f5

Download Submit
\Windows\SysWOW64\Fijolbfh.exe

Filesize
92KB

MD5
ef4c3942406ebdf3beff73b9d899dfc8

SHA1
6c5b03478d84ef36ca6452e0792b02703e75ab84

SHA256
98e4e2f03132c8f5dda85323f398c40e31c8ba2145625785465397792ba5cda4

SHA512
d526dd1d3d667a935b8753bc5c1e852e1b63f246ac11a1b5afe7bd5a373f09fe9db7277922bc3b07299c2c85ac614842a867bbc3636732ad25a2dd435d768465

Download Submit
\Windows\SysWOW64\Fomndhng.exe

Filesize
92KB

MD5
62cc33ff23e39f686081d32cf839852c

SHA1
978393d261dc5be21d56f3734b7973b80e7dc980

SHA256
8f699a5374415496fd2d2d53edc4746bf8aa38082354c929bd15519c14f5a66f

SHA512
33dcc1ab9d41ba4f3349921e3459bfa41756e1eefbf4fde23028d2bbd74244a92c4af0dddb8dba8de18675b5829af78b0896caca2afcac7fced00cef69a13715

Download Submit
\Windows\SysWOW64\Gcocnk32.exe

Filesize
92KB

MD5
b54af78ce1472c9597cd8e8b29f7d3d6

SHA1
c11621ef62c67218a2f0086fcfc310a7cf56ee1d

SHA256
b0ca8f31f5eff48d9d7658c506cf5dc775081ebba28b4f6c94377f03c0780cb2

SHA512
e50f5ad71a5cbb90d07b283aabc6bee23925014429609c62d950fb7c2e3d18884b2a21e58e0e8ba397949c06211c4a39d4d0a74911d6e78d43867abe057faad1

Download Submit
memory/236-257-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/236-341-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/236-266-0x00000000001B0000-0x00000000001F3000-memory.dmp

Filesize
268KB

Download
memory/236-267-0x00000000001B0000-0x00000000001F3000-memory.dmp

Filesize
268KB

Download
memory/812-284-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/812-285-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/812-342-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/852-147-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/852-333-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/852-155-0x00000000005E0000-0x0000000000623000-memory.dmp

Filesize
268KB

Download
memory/972-287-0x00000000002E0000-0x0000000000323000-memory.dmp

Filesize
268KB

Download
memory/972-288-0x00000000002E0000-0x0000000000323000-memory.dmp

Filesize
268KB

Download
memory/972-286-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1072-161-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1072-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1148-192-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1148-336-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1148-201-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/1164-244-0x00000000002B0000-0x00000000002F3000-memory.dmp

Filesize
268KB

Download
memory/1164-243-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1164-245-0x00000000002B0000-0x00000000002F3000-memory.dmp

Filesize
268KB

Download
memory/1276-26-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1508-186-0x00000000003B0000-0x00000000003F3000-memory.dmp

Filesize
268KB

Download
memory/1508-174-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1508-335-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1548-332-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1700-339-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1708-321-0x0000000000270000-0x00000000002B3000-memory.dmp

Filesize
268KB

Download
memory/1708-320-0x0000000000270000-0x00000000002B3000-memory.dmp

Filesize
268KB

Download
memory/1708-344-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1708-311-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1936-324-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1936-27-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2040-310-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2040-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2040-309-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2208-338-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2208-215-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2208-226-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2208-222-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2352-246-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2352-252-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2352-340-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2352-256-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2440-298-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2440-299-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2440-289-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2440-343-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2444-24-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2444-323-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2444-25-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2444-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2476-322-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2492-337-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2492-202-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2528-101-0x0000000000230000-0x0000000000273000-memory.dmp

Filesize
268KB

Download
memory/2528-329-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2704-76-0x00000000003B0000-0x00000000003F3000-memory.dmp

Filesize
268KB

Download
memory/2704-68-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2704-327-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2756-326-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2756-66-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2756-54-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2864-133-0x00000000002C0000-0x0000000000303000-memory.dmp

Filesize
268KB

Download
memory/2864-331-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2864-121-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2892-89-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/2892-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2992-108-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2992-330-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3060-48-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/3060-325-0x0000000000220000-0x0000000000263000-memory.dmp

Filesize
268KB

Download
memory/3060-45-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads