3902f3b95398b5c54dfb4f360a01df5f71e292f2c9985e472eaa30b9a69bd25a

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 07:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7c0c60decdf066a201c0c35b3fd2270N.exe
Size

552KB
MD5

e7c0c60decdf066a201c0c35b3fd2270
SHA1

84d0b56b23942f1787b363a610b1a3a3ab587c81
SHA256

3902f3b95398b5c54dfb4f360a01df5f71e292f2c9985e472eaa30b9a69bd25a
SHA512

4a6daaf76e559986fa5e941c5eda691ebbf3632f5369e21c323a94ed6d821219a26c2920b0e961f9f5d5f2353184aedbd54172fd73ac3570d85068442221860b
SSDEEP

6144:5/R0udV+ZH8SeNpgdyuH1lZfRo0V8JcgE+ezpg1xrloBNTNxaaqX:tR0ur+587g7/VycgE81lgxaa8

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dpjfgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dcnlnaom.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fcneeo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fkemfl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmladm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ccblbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Egpnooan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddcebe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dggkipii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ecikjoep.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	e7c0c60decdf066a201c0c35b3fd2270N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfmolc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	e7c0c60decdf066a201c0c35b3fd2270N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcnlnaom.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dalofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdaile32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dggkipii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbhildae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgdemb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Enlcahgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fkemfl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmladm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Egpnooan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fcneeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ckdkhq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Enlcahgh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgdncplk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Babcil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bbhildae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmbgdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfmolc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddcebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dalofi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ekimjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgdemb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcphdqmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ekimjn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ecikjoep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmbgdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgdncplk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dcphdqmj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccblbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dpjfgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fjmfmh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fklcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Fklcgk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Babcil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckdkhq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdaile32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Fjmfmh32.exe

Executes dropped EXE 25 IoCs

pid	Process
632	Bfmolc32.exe
3916	Babcil32.exe
2076	Bmladm32.exe
2832	Bbhildae.exe
2020	Bgdemb32.exe
1636	Ckdkhq32.exe
1808	Cmbgdl32.exe
3136	Ccblbb32.exe
2668	Cdaile32.exe
3408	Ddcebe32.exe
3720	Dpjfgf32.exe
3652	Dgdncplk.exe
64	Dggkipii.exe
4540	Dalofi32.exe
3960	Dcnlnaom.exe
1144	Dcphdqmj.exe
3400	Ekimjn32.exe
2196	Egpnooan.exe
5020	Enlcahgh.exe
1724	Ecikjoep.exe
4404	Fcneeo32.exe
1580	Fkemfl32.exe
2240	Fjmfmh32.exe
2092	Fklcgk32.exe
3052	Gddgpqbe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ecikjoep.exe	Enlcahgh.exe
File created	C:\Windows\SysWOW64\Fcneeo32.exe	Ecikjoep.exe
File created	C:\Windows\SysWOW64\Bfmolc32.exe	e7c0c60decdf066a201c0c35b3fd2270N.exe
File opened for modification	C:\Windows\SysWOW64\Ddcebe32.exe	Cdaile32.exe
File created	C:\Windows\SysWOW64\Bopnkd32.dll	Dgdncplk.exe
File opened for modification	C:\Windows\SysWOW64\Dcphdqmj.exe	Dcnlnaom.exe
File created	C:\Windows\SysWOW64\Enlcahgh.exe	Egpnooan.exe
File opened for modification	C:\Windows\SysWOW64\Babcil32.exe	Bfmolc32.exe
File opened for modification	C:\Windows\SysWOW64\Dpjfgf32.exe	Ddcebe32.exe
File created	C:\Windows\SysWOW64\Nailkcbb.dll	Fcneeo32.exe
File opened for modification	C:\Windows\SysWOW64\Gddgpqbe.exe	Fklcgk32.exe
File created	C:\Windows\SysWOW64\Dcjdilmf.dll	Ckdkhq32.exe
File created	C:\Windows\SysWOW64\Anijgd32.dll	Dcphdqmj.exe
File created	C:\Windows\SysWOW64\Mfikmmob.dll	Egpnooan.exe
File opened for modification	C:\Windows\SysWOW64\Fkemfl32.exe	Fcneeo32.exe
File created	C:\Windows\SysWOW64\Fcanfh32.dll	Bfmolc32.exe
File created	C:\Windows\SysWOW64\Amoppdld.dll	Babcil32.exe
File opened for modification	C:\Windows\SysWOW64\Ekimjn32.exe	Dcphdqmj.exe
File opened for modification	C:\Windows\SysWOW64\Fcneeo32.exe	Ecikjoep.exe
File created	C:\Windows\SysWOW64\Fjmfmh32.exe	Fkemfl32.exe
File created	C:\Windows\SysWOW64\Bmladm32.exe	Babcil32.exe
File opened for modification	C:\Windows\SysWOW64\Dggkipii.exe	Dgdncplk.exe
File created	C:\Windows\SysWOW64\Fohogfgd.dll	Dggkipii.exe
File created	C:\Windows\SysWOW64\Celhnb32.dll	Fjmfmh32.exe
File created	C:\Windows\SysWOW64\Jjjfeo32.dll	Dcnlnaom.exe
File opened for modification	C:\Windows\SysWOW64\Ecikjoep.exe	Enlcahgh.exe
File created	C:\Windows\SysWOW64\Ajgqdaoi.dll	Ecikjoep.exe
File created	C:\Windows\SysWOW64\Bbhildae.exe	Bmladm32.exe
File opened for modification	C:\Windows\SysWOW64\Bbhildae.exe	Bmladm32.exe
File created	C:\Windows\SysWOW64\Bcominjm.dll	Bmladm32.exe
File opened for modification	C:\Windows\SysWOW64\Bgdemb32.exe	Bbhildae.exe
File created	C:\Windows\SysWOW64\Ikfbpdlg.dll	Dpjfgf32.exe
File created	C:\Windows\SysWOW64\Babcil32.exe	Bfmolc32.exe
File created	C:\Windows\SysWOW64\Dooaccfg.dll	Bgdemb32.exe
File created	C:\Windows\SysWOW64\Nppbddqg.dll	Cmbgdl32.exe
File created	C:\Windows\SysWOW64\Clbidkde.dll	Ccblbb32.exe
File created	C:\Windows\SysWOW64\Lnedgk32.dll	Ekimjn32.exe
File created	C:\Windows\SysWOW64\Bgdemb32.exe	Bbhildae.exe
File opened for modification	C:\Windows\SysWOW64\Cdaile32.exe	Ccblbb32.exe
File created	C:\Windows\SysWOW64\Ddcebe32.exe	Cdaile32.exe
File created	C:\Windows\SysWOW64\Dgdncplk.exe	Dpjfgf32.exe
File created	C:\Windows\SysWOW64\Dalofi32.exe	Dggkipii.exe
File created	C:\Windows\SysWOW64\Jnakbdid.dll	Ddcebe32.exe
File opened for modification	C:\Windows\SysWOW64\Dgdncplk.exe	Dpjfgf32.exe
File created	C:\Windows\SysWOW64\Egpnooan.exe	Ekimjn32.exe
File created	C:\Windows\SysWOW64\Jcggmk32.dll	Fklcgk32.exe
File opened for modification	C:\Windows\SysWOW64\Enlcahgh.exe	Egpnooan.exe
File created	C:\Windows\SysWOW64\Fkemfl32.exe	Fcneeo32.exe
File created	C:\Windows\SysWOW64\Ilpgfc32.dll	e7c0c60decdf066a201c0c35b3fd2270N.exe
File created	C:\Windows\SysWOW64\Cmbgdl32.exe	Ckdkhq32.exe
File created	C:\Windows\SysWOW64\Cdaile32.exe	Ccblbb32.exe
File opened for modification	C:\Windows\SysWOW64\Dalofi32.exe	Dggkipii.exe
File created	C:\Windows\SysWOW64\Dcnlnaom.exe	Dalofi32.exe
File created	C:\Windows\SysWOW64\Ckdkhq32.exe	Bgdemb32.exe
File opened for modification	C:\Windows\SysWOW64\Cmbgdl32.exe	Ckdkhq32.exe
File created	C:\Windows\SysWOW64\Dodfed32.dll	Enlcahgh.exe
File opened for modification	C:\Windows\SysWOW64\Fklcgk32.exe	Fjmfmh32.exe
File created	C:\Windows\SysWOW64\Dpjfgf32.exe	Ddcebe32.exe
File created	C:\Windows\SysWOW64\Ekimjn32.exe	Dcphdqmj.exe
File created	C:\Windows\SysWOW64\Fklcgk32.exe	Fjmfmh32.exe
File created	C:\Windows\SysWOW64\Gddgpqbe.exe	Fklcgk32.exe
File created	C:\Windows\SysWOW64\Mkddhfnh.dll	Bbhildae.exe
File opened for modification	C:\Windows\SysWOW64\Dcnlnaom.exe	Dalofi32.exe
File opened for modification	C:\Windows\SysWOW64\Ccblbb32.exe	Cmbgdl32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3988	3052	WerFault.exe	118

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Enlcahgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gddgpqbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Babcil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckdkhq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgdncplk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dalofi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcphdqmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ekimjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fcneeo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfmolc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddcebe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Egpnooan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fkemfl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fjmfmh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbhildae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpjfgf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcnlnaom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e7c0c60decdf066a201c0c35b3fd2270N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fklcgk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmladm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgdemb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmbgdl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccblbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdaile32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dggkipii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ecikjoep.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dooaccfg.dll"	Bgdemb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bgdemb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dcphdqmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fjmfmh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ecikjoep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fklcgk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfmolc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nppbddqg.dll"	Cmbgdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ccblbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aammfkln.dll"	Cdaile32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dggkipii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfikmmob.dll"	Egpnooan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fkemfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bgdemb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcjdilmf.dll"	Ckdkhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmbgdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdaile32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dgdncplk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Egpnooan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgqdaoi.dll"	Ecikjoep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Celhnb32.dll"	Fjmfmh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	e7c0c60decdf066a201c0c35b3fd2270N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmladm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkddhfnh.dll"	Bbhildae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ccblbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dggkipii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	e7c0c60decdf066a201c0c35b3fd2270N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dpjfgf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Enlcahgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klfhhpnk.dll"	Fkemfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	e7c0c60decdf066a201c0c35b3fd2270N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ckdkhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bbhildae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddcebe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fkemfl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dcphdqmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Egpnooan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	e7c0c60decdf066a201c0c35b3fd2270N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcanfh32.dll"	Bfmolc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdaile32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bopnkd32.dll"	Dgdncplk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dcnlnaom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfmolc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcpcgc32.dll"	Dalofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnedgk32.dll"	Ekimjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Fcneeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	e7c0c60decdf066a201c0c35b3fd2270N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clbidkde.dll"	Ccblbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohogfgd.dll"	Dggkipii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ecikjoep.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nailkcbb.dll"	Fcneeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodfed32.dll"	Enlcahgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcominjm.dll"	Bmladm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmbgdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dalofi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjfeo32.dll"	Dcnlnaom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fjmfmh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Fcneeo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Babcil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Babcil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bbhildae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anijgd32.dll"	Dcphdqmj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Enlcahgh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amoppdld.dll"	Babcil32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 632	1352	e7c0c60decdf066a201c0c35b3fd2270N.exe	91
PID 1352 wrote to memory of 632	1352	e7c0c60decdf066a201c0c35b3fd2270N.exe	91
PID 1352 wrote to memory of 632	1352	e7c0c60decdf066a201c0c35b3fd2270N.exe	91
PID 632 wrote to memory of 3916	632	Bfmolc32.exe	92
PID 632 wrote to memory of 3916	632	Bfmolc32.exe	92
PID 632 wrote to memory of 3916	632	Bfmolc32.exe	92
PID 3916 wrote to memory of 2076	3916	Babcil32.exe	93
PID 3916 wrote to memory of 2076	3916	Babcil32.exe	93
PID 3916 wrote to memory of 2076	3916	Babcil32.exe	93
PID 2076 wrote to memory of 2832	2076	Bmladm32.exe	94
PID 2076 wrote to memory of 2832	2076	Bmladm32.exe	94
PID 2076 wrote to memory of 2832	2076	Bmladm32.exe	94
PID 2832 wrote to memory of 2020	2832	Bbhildae.exe	95
PID 2832 wrote to memory of 2020	2832	Bbhildae.exe	95
PID 2832 wrote to memory of 2020	2832	Bbhildae.exe	95
PID 2020 wrote to memory of 1636	2020	Bgdemb32.exe	96
PID 2020 wrote to memory of 1636	2020	Bgdemb32.exe	96
PID 2020 wrote to memory of 1636	2020	Bgdemb32.exe	96
PID 1636 wrote to memory of 1808	1636	Ckdkhq32.exe	99
PID 1636 wrote to memory of 1808	1636	Ckdkhq32.exe	99
PID 1636 wrote to memory of 1808	1636	Ckdkhq32.exe	99
PID 1808 wrote to memory of 3136	1808	Cmbgdl32.exe	100
PID 1808 wrote to memory of 3136	1808	Cmbgdl32.exe	100
PID 1808 wrote to memory of 3136	1808	Cmbgdl32.exe	100
PID 3136 wrote to memory of 2668	3136	Ccblbb32.exe	102
PID 3136 wrote to memory of 2668	3136	Ccblbb32.exe	102
PID 3136 wrote to memory of 2668	3136	Ccblbb32.exe	102
PID 2668 wrote to memory of 3408	2668	Cdaile32.exe	103
PID 2668 wrote to memory of 3408	2668	Cdaile32.exe	103
PID 2668 wrote to memory of 3408	2668	Cdaile32.exe	103
PID 3408 wrote to memory of 3720	3408	Ddcebe32.exe	104
PID 3408 wrote to memory of 3720	3408	Ddcebe32.exe	104
PID 3408 wrote to memory of 3720	3408	Ddcebe32.exe	104
PID 3720 wrote to memory of 3652	3720	Dpjfgf32.exe	105
PID 3720 wrote to memory of 3652	3720	Dpjfgf32.exe	105
PID 3720 wrote to memory of 3652	3720	Dpjfgf32.exe	105
PID 3652 wrote to memory of 64	3652	Dgdncplk.exe	106
PID 3652 wrote to memory of 64	3652	Dgdncplk.exe	106
PID 3652 wrote to memory of 64	3652	Dgdncplk.exe	106
PID 64 wrote to memory of 4540	64	Dggkipii.exe	107
PID 64 wrote to memory of 4540	64	Dggkipii.exe	107
PID 64 wrote to memory of 4540	64	Dggkipii.exe	107
PID 4540 wrote to memory of 3960	4540	Dalofi32.exe	108
PID 4540 wrote to memory of 3960	4540	Dalofi32.exe	108
PID 4540 wrote to memory of 3960	4540	Dalofi32.exe	108
PID 3960 wrote to memory of 1144	3960	Dcnlnaom.exe	109
PID 3960 wrote to memory of 1144	3960	Dcnlnaom.exe	109
PID 3960 wrote to memory of 1144	3960	Dcnlnaom.exe	109
PID 1144 wrote to memory of 3400	1144	Dcphdqmj.exe	110
PID 1144 wrote to memory of 3400	1144	Dcphdqmj.exe	110
PID 1144 wrote to memory of 3400	1144	Dcphdqmj.exe	110
PID 3400 wrote to memory of 2196	3400	Ekimjn32.exe	111
PID 3400 wrote to memory of 2196	3400	Ekimjn32.exe	111
PID 3400 wrote to memory of 2196	3400	Ekimjn32.exe	111
PID 2196 wrote to memory of 5020	2196	Egpnooan.exe	112
PID 2196 wrote to memory of 5020	2196	Egpnooan.exe	112
PID 2196 wrote to memory of 5020	2196	Egpnooan.exe	112
PID 5020 wrote to memory of 1724	5020	Enlcahgh.exe	113
PID 5020 wrote to memory of 1724	5020	Enlcahgh.exe	113
PID 5020 wrote to memory of 1724	5020	Enlcahgh.exe	113
PID 1724 wrote to memory of 4404	1724	Ecikjoep.exe	114
PID 1724 wrote to memory of 4404	1724	Ecikjoep.exe	114
PID 1724 wrote to memory of 4404	1724	Ecikjoep.exe	114
PID 4404 wrote to memory of 1580	4404	Fcneeo32.exe	115

C:\Users\Admin\AppData\Local\Temp\e7c0c60decdf066a201c0c35b3fd2270N.exe
"C:\Users\Admin\AppData\Local\Temp\e7c0c60decdf066a201c0c35b3fd2270N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Windows\SysWOW64\Bfmolc32.exe
  C:\Windows\system32\Bfmolc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:632
- - C:\Windows\SysWOW64\Babcil32.exe
    C:\Windows\system32\Babcil32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3916
  - - C:\Windows\SysWOW64\Bmladm32.exe
      C:\Windows\system32\Bmladm32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2076
    - - C:\Windows\SysWOW64\Bbhildae.exe
        
        C:\Windows\system32\Bbhildae.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2832
      - C:\Windows\SysWOW64\Bgdemb32.exe
        
        C:\Windows\system32\Bgdemb32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\SysWOW64\Ckdkhq32.exe
        
        C:\Windows\system32\Ckdkhq32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\SysWOW64\Cmbgdl32.exe
        
        C:\Windows\system32\Cmbgdl32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\SysWOW64\Ccblbb32.exe
        
        C:\Windows\system32\Ccblbb32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Windows\SysWOW64\Cdaile32.exe
        
        C:\Windows\system32\Cdaile32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\Ddcebe32.exe
        
        C:\Windows\system32\Ddcebe32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3408
        
        C:\Windows\SysWOW64\Dpjfgf32.exe
        
        C:\Windows\system32\Dpjfgf32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\SysWOW64\Dgdncplk.exe
        
        C:\Windows\system32\Dgdncplk.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\SysWOW64\Dggkipii.exe
        
        C:\Windows\system32\Dggkipii.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:64
        
        C:\Windows\SysWOW64\Dalofi32.exe
        
        C:\Windows\system32\Dalofi32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\SysWOW64\Dcnlnaom.exe
        
        C:\Windows\system32\Dcnlnaom.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\SysWOW64\Dcphdqmj.exe
        
        C:\Windows\system32\Dcphdqmj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\SysWOW64\Ekimjn32.exe
        
        C:\Windows\system32\Ekimjn32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Windows\SysWOW64\Egpnooan.exe
        
        C:\Windows\system32\Egpnooan.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Enlcahgh.exe
        
        C:\Windows\system32\Enlcahgh.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\Ecikjoep.exe
        
        C:\Windows\system32\Ecikjoep.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\SysWOW64\Fcneeo32.exe
        
        C:\Windows\system32\Fcneeo32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\SysWOW64\Fkemfl32.exe
        
        C:\Windows\system32\Fkemfl32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Fjmfmh32.exe
        
        C:\Windows\system32\Fjmfmh32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Fklcgk32.exe
        
        C:\Windows\system32\Fklcgk32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Gddgpqbe.exe
        
        C:\Windows\system32\Gddgpqbe.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3052 -s 412
        27⤵
        Program crash
        
        PID:3988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3052 -ip 3052
1⤵
PID:2488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3840,i,11391966286255097843,10588851088187498028,262144 --variations-seed-version --mojo-platform-channel-handle=3752 /prefetch:8
1⤵
PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Babcil32.exe

Filesize
552KB

MD5
f0b4f2ade8939a81087a2981c87cefab

SHA1
7a706f540f04f1f7416c33f5f5fce25b20b45669

SHA256
fa5483b7bfe82aef94744c7b3eef43eb5cfc20f0ae590ab0d3ffd39e84477ad1

SHA512
4abba55ee560eecb15282f151cf7ec31279ea5148b92d289e603c5771725e295bd575e275be1bbece0436cd652fa4b85cbe2ac5f2f4dabce0a8006bd7316d942

Download Submit
C:\Windows\SysWOW64\Bbhildae.exe

Filesize
552KB

MD5
ca63c9d78de6075ecc0f63d14a488304

SHA1
d198248093862d0e648b7e64628887ff3a5cb090

SHA256
8d5f0d494b4bbbf2b71649f4825497c6b823e070d2604bb14acca34113cf3101

SHA512
73f4eb439115b506612ef2032cd700fc411172ecabf53fb21c5411eaa0587625d6de2f2c2f127ad1dad5452971de4cf608bd938bd426cb36cd8560c292721c00

Download Submit
C:\Windows\SysWOW64\Bfmolc32.exe

Filesize
552KB

MD5
80a93335b0ff30366089dee62b7ec6fc

SHA1
ffaf96214a4ea3a2004e3e13660108603ec4ed90

SHA256
0ae581ee687637ffd9c3dd4ca13de84feffa84664ce3231d746a692d9f2db211

SHA512
80a0aff1c8491647ccb4f4d48f972fcc12e82e552d9a86c652cc9d8743b3ea62ab8bf7a6bb682277cbba8907d2959e39d0a4a47f77d53fbb8f15f26b33e96563

Download Submit
C:\Windows\SysWOW64\Bgdemb32.exe

Filesize
552KB

MD5
2cefa7421c34e402b267e9e81dcfdf96

SHA1
7f7c5f6894ee1335c08351f50baa878c89df71d8

SHA256
4e107070df362b63c9e2b506677f23060cb1cd2b499aa881b3a29546e7f176fa

SHA512
9ddacdcd2342103e205a1dabfa4d66c6f6caaf2663b76a313da0d16dc9823734852d76f9ed892b35506cb93019f38d8c2093aab7bcacf289ea0e1812bf594e2d

Download Submit
C:\Windows\SysWOW64\Bmladm32.exe

Filesize
552KB

MD5
b40c275e195eba9817ec884bf8d8cd6d

SHA1
7189275b2a4559ce9898bbe595e8290a29a51892

SHA256
f9e255c6459e745e292f2f4faba213d55c9334f46318c87020f6ac96cad7e366

SHA512
f10357fdd653c39c237ed7640557893d754928c5a9d6820ee08e94f1ef37020ebe319c0487decc80cd23886737251de84d6bbe484dc0eb8f42074744a19c86d0

Download Submit
C:\Windows\SysWOW64\Ccblbb32.exe

Filesize
552KB

MD5
c4d0769efbe64ff573ac2b521ad5909e

SHA1
c4bcd6fad7d0bcd76645f98c439107b91cf6ebcb

SHA256
dd9ef9b3d8a1ab7373cd919db729577c9ddf9635b959fd8e5f0ad84168c5ec67

SHA512
d9147ba6eda4d2dd9ec50f27aece8ed792783b1b00398b9908871db6cd47edb066543d8431ca26dd1c365f28e08acb361adfaa8fecee631d88456086acc82332

Download Submit
C:\Windows\SysWOW64\Cdaile32.exe

Filesize
552KB

MD5
8d0ca3fda9599a72221f651f6b9dd6d1

SHA1
10b58c7041f71ab361e56c4c230c6dc5af2b8935

SHA256
7539dbc85cea652ba608c4f8a6ae4f2ae795c231121283996160e510608bb38e

SHA512
fb1c59f3f9521e919ec182c79be2da1403daac67202fabe55a6c2405ec1a11831408bcba3a163e2e09804639cf5f6d474e7820ae250d948672c76284bc998830

Download Submit
C:\Windows\SysWOW64\Ckdkhq32.exe

Filesize
552KB

MD5
48fcce0a5f64d8dffdf600b35c369168

SHA1
677ef5a8629f993f55c8e91ebb06aec927aca184

SHA256
2b8cee118a90799caa4a72a54bce499b3785ca6dd287147f0965c69c4c9a61ae

SHA512
5ac57db899ea269fbbaed07ba7fce4eb0b61c30f90fea25d771c95a88bd02280be21cd2e074e7bd0465a81053ccc21efdbd6a50a899ea150a1338db285213c22

Download Submit
C:\Windows\SysWOW64\Cmbgdl32.exe

Filesize
552KB

MD5
8102ffcce3755e7f9317c795e6e1788e

SHA1
1d693ea4499df055c5d1bc1e5acc0601fcfe2a77

SHA256
8d7cea10ec7b8775644941d1bda912bf0717687526b312b4b2ae1c1b327cecf8

SHA512
b7e3c9f7d26694104fb2c1f0c0035c31ef935aed4efabe095904149435dae9df596238c19ac885f03b059ac3f87ffb9da4085666c6cbab0a3be87bed549ad250

Download Submit
C:\Windows\SysWOW64\Dalofi32.exe

Filesize
552KB

MD5
dd7fdf9cf1e183989bf0ec75c67df47f

SHA1
8540d7c560228e5a991f270bc88faec2712ff5c6

SHA256
6f48dff71dea08661914f550db417ad0c0ae9bbcb6c5f496c91deee6cfce7718

SHA512
f5ae00bdf3f9f8d5db55725984674da1bad847a978da5befea22854dcb1911727be32a6898cfabba3fb06c207ec24d92575d9ef30b265cf6ce2a1c9bca615819

Download Submit
C:\Windows\SysWOW64\Dcnlnaom.exe

Filesize
552KB

MD5
8dfb080a5a27bc3373f66279e653f201

SHA1
9cdda36d3a70dcac8c1e5b8ee3f62d4d1dbb1d8e

SHA256
0fd6776dc8b417966de2c806734dc57adb48dfc1027f77f134842206651d11ef

SHA512
1325e5e634467544a5d912c49f2493e8b11598ce3ba6d6f5e4c3dad6baf17359bd1b452353b7f96b524a7c04a4b3ab4ddee3fcbee990917578ada09a50a1c990

Download Submit
C:\Windows\SysWOW64\Dcphdqmj.exe

Filesize
552KB

MD5
40d8280d008c71a55e6b65d588cbac31

SHA1
82b69cd56d3af5ef164e2fb1ddc83760f82c650e

SHA256
8158ab0903ebdf70e2da1ef290fb372f786ba4f2a73f14e01e67628a89e029a1

SHA512
9d192b9121f0f99e209d9df499fb3afc167c85050e2d92d70287381dc2f434e27a3dfec5d5d16f0b834799fc751c747d25fbd0cf4f07757405b5209d97f6c69a

Download Submit
C:\Windows\SysWOW64\Ddcebe32.exe

Filesize
552KB

MD5
4716a8f4152c61097f26ee3fa494c0ab

SHA1
5070a861ec96554cd4e35583717c4e10ef69eed0

SHA256
c8f6686fed079a515cd57ad0a0b553b11114a0cedf3cbeaf7ba813ae500f74ae

SHA512
aa0f9da3e5ec7a8449de6f3dc036fad0349845506fba4784cea3a714844ac0610c4b0e208f1d99a81bbd9202ffab363d08ac2b501ec70b22ac237acd97070d1a

Download Submit
C:\Windows\SysWOW64\Dgdncplk.exe

Filesize
552KB

MD5
417848b4fbb81a23ac781fd705ebde8c

SHA1
19352b88e9646ed28cf78f4a391109f5ed611010

SHA256
1b1e9da58889172c852f3930d83b9369540ed0827107e90f8df37f025e03a2c0

SHA512
7f8924650fd644c455d3e285d98d95ee124d8f97c093fcb9e1d0db51499ae3fdd250162e5f64c6aae5a936120fccc9655f822640e8e7376a19a36d02fc4eab07

Download Submit
C:\Windows\SysWOW64\Dggkipii.exe

Filesize
552KB

MD5
8975303288f83777c1a557214712341c

SHA1
4b0439d8f99bf15d747844a81d3450319a57e5d7

SHA256
20560f27f4f3079d9a4778d5f8d458b1d62c7d36012eda1a7133658fb7cecdaa

SHA512
432117553ae07f1fcfdb67f14adc3e0323bc8230154542c8cbc39eb5de618c7603987703bce157f8edea8d32c6bf218af25479a2c65f63763aa830c5acb8e827

Download Submit
C:\Windows\SysWOW64\Dpjfgf32.exe

Filesize
552KB

MD5
605e74342b60b12df3e702b4030f7ad4

SHA1
31d36837a97fc567fb00224fe7c1e3509dc850de

SHA256
3a9f7147d569da607c511917425169f71a63870f26b9aaa437c633e1ab398e45

SHA512
4c78d18417d4b39cc3060f5731bae8988388a7863de78e42508e54ba79831123f89b24417e8327ed3fdfbd56781f1cec46d49e278935d291edb8f76b01634ca9

Download Submit
C:\Windows\SysWOW64\Ecikjoep.exe

Filesize
552KB

MD5
6f9c3a5df85aa3f37abad93b85c99e0a

SHA1
ebe98b8da21894de958b23aa3680e784bcff1d93

SHA256
d730a00f888b6aae008770943c5510419281ee90c8ad8bf97c8b54d121a93ad1

SHA512
39fb4d9c47956040f9d569673e3fc2c000c9c4fa5742f443caa73ba011a4a886994aa1154843be122f834223b1a03ca41f746058b69ea6de2ff279b7f94cd7a5

Download Submit
C:\Windows\SysWOW64\Egpnooan.exe

Filesize
552KB

MD5
f0ad5586e2e9fb97c0b9717000f7f11c

SHA1
a2d3e0d270c363a9cf83e3615bb079aefc3ee7d7

SHA256
44cef25f5b62e31e21cab3be5687571c6088ed59a41456fb4b938ee8a6ece78a

SHA512
ea799aca59897b0d36d276ab4aed0dfd1762abd9ff34d73b0bf230de434fa54f37c8053af19f1d17820fff0b0ca99f59d1a33d134a68ef8a1f3bc351311df3ea

Download Submit
C:\Windows\SysWOW64\Ekimjn32.exe

Filesize
552KB

MD5
b7d689921e7cb46d790b193820f4a526

SHA1
1da6e92e9463272e7691bafc2a87a9850908c2d5

SHA256
f483aca04b7446a6f90f273f245d06a855e87cd00c974bc312b103caffed878d

SHA512
46219f1e5b5ef0f11b6876cc3017f1dfbd5fdcf985be1a2455ee2c20799ba0bef4262a2009eb93490d912cf1cb6aafb6922feb86a7cab0fae82777dbff25fae9

Download Submit
C:\Windows\SysWOW64\Enlcahgh.exe

Filesize
552KB

MD5
09013ccfe3bf5de0b8229dbdfddae1fc

SHA1
b2ec5d746ecd8a7683f4a177e225f03cb82830ef

SHA256
9a03327d5f602ba9daa77f0982d5e0d3d9c44e55a9991cc878c1e9de1c5f4fd1

SHA512
c3b7172dfbe996ad26e46e95ca932369ed14e7d969b54475ab9fe64b75f4eeeef8ab8c0c47da2cbfb8e48960201ef912a28b1ffd1bb2f6e94db2b48e145cf585

Download Submit
C:\Windows\SysWOW64\Fcneeo32.exe

Filesize
552KB

MD5
841083a2daca67b9f5463f278ac37429

SHA1
2bf0ae9ca7cffd66d065ad2ba7678e8fb064b9e1

SHA256
3e3eadfacb4478da1bc43dca5aaefb7df98a3b1d32f22fed811d8c03f2a76b7c

SHA512
e523d17a17f576651b530ba8256b2d1b21df52aa978a145c0e7a8c4854fc883c2201de8b5400cc34dfa0f77610a0e9c0cc80ef1e7e957c745cd2817274bfa06c

Download Submit
C:\Windows\SysWOW64\Fjmfmh32.exe

Filesize
552KB

MD5
b5f39f1e54358453430dfc51ab2094f3

SHA1
5115ef0eb59699a9b0a9a46b41b879c6327c6ec7

SHA256
aca0eb4dea715817d451513a7411714b9eb56588244e671abf3f525fcff97303

SHA512
e75f7464b41eca7fbb0a480896d94de6289edea697d7907977d4eb0d0b3cbaf9f24e616afb83ad4f070cf1ae7f3bf3f60cffeeafdc80197848246bc89cf7a4ae

Download Submit
C:\Windows\SysWOW64\Fkemfl32.exe

Filesize
552KB

MD5
70f5aacb3e9ff04c3c07bf03ac1c1b33

SHA1
49c9c38334837b42f9305b67c8a9c1104dff563f

SHA256
aa078fb4ac806a2cc6373e620e23c1976ac94378312f9dac2a3290649dcece26

SHA512
c2333d8c4203ced8f48ec1f5ca03fbf70174fa5a49d81b8586d4657d57375f54d1fcc11bbbc43f26f6f27d3b2cf51bbb9f9da3582bf6466075c5d416ca760a1b

Download Submit
C:\Windows\SysWOW64\Fklcgk32.exe

Filesize
552KB

MD5
623236509619eeeb03f2336603feba78

SHA1
2fba457e75207a4a13fa544c15a5c8bf0fde64cf

SHA256
de13a14ce126f2ad9a137ac60846e47ea85359b8a4de6cb8be6a199269b5b5c5

SHA512
469e53da2a9dd9f6806e8ee8dea53bfd3be61f2ff3bfb0f4bcb3afd1881025583b252b2b7b9e74a92ecbc81080b8b9367c08ee70c4fb5bf02eb5ea55b7c75775

Download Submit
C:\Windows\SysWOW64\Gddgpqbe.exe

Filesize
552KB

MD5
ef6137ea7763ad35d0f340db0821b09d

SHA1
5580bb14ebee360a1acab396c24fe83965ca469f

SHA256
d5f738f5b33d5ce123e49feb8343368c582e1bc5cf0878bfab9366631f106083

SHA512
49749bcf10407069cb433b93aeb86e3dc11f18614acbbe7073268eed907e497329e3de5e44dfce202960c5931dfd0caa97b6548398310a1e527dbb0fdfc1f8f0

Download Submit
C:\Windows\SysWOW64\Mkddhfnh.dll

Filesize
7KB

MD5
fb3fb21de6174638fd7b6251c3ad43ac

SHA1
42f245d72714dd28fb1ac5c00eb53914efae1146

SHA256
f9e45ded93f4e99cd10b6484e4bb84c67f3c393fcb87dd7582f0582ae984df8f

SHA512
157e16bbcdc15bbc05c340cd5737eccfcee1012828499110002e2e194949f20deb3c44b2b1bf3e369500faa7a15bf9fd3c744d92a99f0c017b56ba1c765c1af5

Download Submit
memory/64-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/64-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/632-12-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/632-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1144-218-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1144-127-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1352-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1352-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-207-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1636-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1636-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1724-211-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1724-159-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1808-55-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1808-235-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2020-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2020-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2076-23-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2076-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2092-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2092-204-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2196-214-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2196-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2668-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2668-231-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2832-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3052-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3136-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3136-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3400-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3400-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3408-79-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3408-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3652-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3652-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3720-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3720-227-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3916-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3916-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3960-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3960-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4404-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4404-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4540-116-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5020-151-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5020-212-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads