7843fb171a00e21e8a35f605c706a84ee9f899dfae022d5e317ace1b8a87ae2f

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 11:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

046665e8e68626cb96007f5ef5ce4fe0N.exe
Size

400KB
MD5

046665e8e68626cb96007f5ef5ce4fe0
SHA1

6058e000d705fcac9789b022c04dd7d9e4ea722e
SHA256

7843fb171a00e21e8a35f605c706a84ee9f899dfae022d5e317ace1b8a87ae2f
SHA512

2f90482b812e1deb0c34e9ef7cd0c4cc5c5c52fa0ed6d0534668ee7516126ba0376303b098cdf4552e179e483314f4165f4e8a42930437e1832309818a7c4874
SSDEEP

12288:Q+aOdpGvH6IveDVqvQ6IvYvc6IveDVqvQ/:xpGq5h3q5h/

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	046665e8e68626cb96007f5ef5ce4fe0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	046665e8e68626cb96007f5ef5ce4fe0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe

Executes dropped EXE 26 IoCs

pid	Process
324	Bmbplc32.exe
3712	Beihma32.exe
4640	Bclhhnca.exe
4424	Bcoenmao.exe
568	Cfmajipb.exe
1216	Cenahpha.exe
3872	Cnffqf32.exe
3640	Cdcoim32.exe
1408	Cmlcbbcj.exe
5044	Ceckcp32.exe
784	Cnkplejl.exe
632	Cajlhqjp.exe
3552	Cdhhdlid.exe
1112	Cjbpaf32.exe
872	Ddjejl32.exe
1960	Djdmffnn.exe
408	Dmcibama.exe
4552	Ddmaok32.exe
1316	Daqbip32.exe
1404	Ddonekbl.exe
5036	Dmgbnq32.exe
2524	Dhmgki32.exe
2448	Dogogcpo.exe
4372	Dddhpjof.exe
3320	Dhocqigp.exe
116	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	046665e8e68626cb96007f5ef5ce4fe0N.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	046665e8e68626cb96007f5ef5ce4fe0N.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	046665e8e68626cb96007f5ef5ce4fe0N.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Dmgbnq32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2768	116	WerFault.exe	111

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	046665e8e68626cb96007f5ef5ce4fe0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	046665e8e68626cb96007f5ef5ce4fe0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	046665e8e68626cb96007f5ef5ce4fe0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	046665e8e68626cb96007f5ef5ce4fe0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	046665e8e68626cb96007f5ef5ce4fe0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	046665e8e68626cb96007f5ef5ce4fe0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	046665e8e68626cb96007f5ef5ce4fe0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4516 wrote to memory of 324	4516	046665e8e68626cb96007f5ef5ce4fe0N.exe	83
PID 4516 wrote to memory of 324	4516	046665e8e68626cb96007f5ef5ce4fe0N.exe	83
PID 4516 wrote to memory of 324	4516	046665e8e68626cb96007f5ef5ce4fe0N.exe	83
PID 324 wrote to memory of 3712	324	Bmbplc32.exe	84
PID 324 wrote to memory of 3712	324	Bmbplc32.exe	84
PID 324 wrote to memory of 3712	324	Bmbplc32.exe	84
PID 3712 wrote to memory of 4640	3712	Beihma32.exe	85
PID 3712 wrote to memory of 4640	3712	Beihma32.exe	85
PID 3712 wrote to memory of 4640	3712	Beihma32.exe	85
PID 4640 wrote to memory of 4424	4640	Bclhhnca.exe	86
PID 4640 wrote to memory of 4424	4640	Bclhhnca.exe	86
PID 4640 wrote to memory of 4424	4640	Bclhhnca.exe	86
PID 4424 wrote to memory of 568	4424	Bcoenmao.exe	87
PID 4424 wrote to memory of 568	4424	Bcoenmao.exe	87
PID 4424 wrote to memory of 568	4424	Bcoenmao.exe	87
PID 568 wrote to memory of 1216	568	Cfmajipb.exe	89
PID 568 wrote to memory of 1216	568	Cfmajipb.exe	89
PID 568 wrote to memory of 1216	568	Cfmajipb.exe	89
PID 1216 wrote to memory of 3872	1216	Cenahpha.exe	90
PID 1216 wrote to memory of 3872	1216	Cenahpha.exe	90
PID 1216 wrote to memory of 3872	1216	Cenahpha.exe	90
PID 3872 wrote to memory of 3640	3872	Cnffqf32.exe	92
PID 3872 wrote to memory of 3640	3872	Cnffqf32.exe	92
PID 3872 wrote to memory of 3640	3872	Cnffqf32.exe	92
PID 3640 wrote to memory of 1408	3640	Cdcoim32.exe	93
PID 3640 wrote to memory of 1408	3640	Cdcoim32.exe	93
PID 3640 wrote to memory of 1408	3640	Cdcoim32.exe	93
PID 1408 wrote to memory of 5044	1408	Cmlcbbcj.exe	94
PID 1408 wrote to memory of 5044	1408	Cmlcbbcj.exe	94
PID 1408 wrote to memory of 5044	1408	Cmlcbbcj.exe	94
PID 5044 wrote to memory of 784	5044	Ceckcp32.exe	96
PID 5044 wrote to memory of 784	5044	Ceckcp32.exe	96
PID 5044 wrote to memory of 784	5044	Ceckcp32.exe	96
PID 784 wrote to memory of 632	784	Cnkplejl.exe	97
PID 784 wrote to memory of 632	784	Cnkplejl.exe	97
PID 784 wrote to memory of 632	784	Cnkplejl.exe	97
PID 632 wrote to memory of 3552	632	Cajlhqjp.exe	98
PID 632 wrote to memory of 3552	632	Cajlhqjp.exe	98
PID 632 wrote to memory of 3552	632	Cajlhqjp.exe	98
PID 3552 wrote to memory of 1112	3552	Cdhhdlid.exe	99
PID 3552 wrote to memory of 1112	3552	Cdhhdlid.exe	99
PID 3552 wrote to memory of 1112	3552	Cdhhdlid.exe	99
PID 1112 wrote to memory of 872	1112	Cjbpaf32.exe	100
PID 1112 wrote to memory of 872	1112	Cjbpaf32.exe	100
PID 1112 wrote to memory of 872	1112	Cjbpaf32.exe	100
PID 872 wrote to memory of 1960	872	Ddjejl32.exe	101
PID 872 wrote to memory of 1960	872	Ddjejl32.exe	101
PID 872 wrote to memory of 1960	872	Ddjejl32.exe	101
PID 1960 wrote to memory of 408	1960	Djdmffnn.exe	102
PID 1960 wrote to memory of 408	1960	Djdmffnn.exe	102
PID 1960 wrote to memory of 408	1960	Djdmffnn.exe	102
PID 408 wrote to memory of 4552	408	Dmcibama.exe	103
PID 408 wrote to memory of 4552	408	Dmcibama.exe	103
PID 408 wrote to memory of 4552	408	Dmcibama.exe	103
PID 4552 wrote to memory of 1316	4552	Ddmaok32.exe	104
PID 4552 wrote to memory of 1316	4552	Ddmaok32.exe	104
PID 4552 wrote to memory of 1316	4552	Ddmaok32.exe	104
PID 1316 wrote to memory of 1404	1316	Daqbip32.exe	105
PID 1316 wrote to memory of 1404	1316	Daqbip32.exe	105
PID 1316 wrote to memory of 1404	1316	Daqbip32.exe	105
PID 1404 wrote to memory of 5036	1404	Ddonekbl.exe	106
PID 1404 wrote to memory of 5036	1404	Ddonekbl.exe	106
PID 1404 wrote to memory of 5036	1404	Ddonekbl.exe	106
PID 5036 wrote to memory of 2524	5036	Dmgbnq32.exe	107

C:\Users\Admin\AppData\Local\Temp\046665e8e68626cb96007f5ef5ce4fe0N.exe
"C:\Users\Admin\AppData\Local\Temp\046665e8e68626cb96007f5ef5ce4fe0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4516
- C:\Windows\SysWOW64\Bmbplc32.exe
  C:\Windows\system32\Bmbplc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:324
- - C:\Windows\SysWOW64\Beihma32.exe
    C:\Windows\system32\Beihma32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3712
  - - C:\Windows\SysWOW64\Bclhhnca.exe
      C:\Windows\system32\Bclhhnca.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4640
    - - C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4424
      - C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:568
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1216
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3872
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:784
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3552
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4552
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3320
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:116
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 396
        28⤵
        Program crash
        
        PID:2768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 116 -ip 116
1⤵
PID:3380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
400KB

MD5
34058c5f6b451a7770636f65a226cafc

SHA1
0fc8e3135477473bb72efca7f82b692742fa57f4

SHA256
2f93ae6cb45039047dc3413c5f35ffff02a00e9c2a36982b73d65bad739fd330

SHA512
47c2310f2c27b72b899d3941251c8f6a20770dcef0d427f0c3a85fee56c78b4452678548cf7387ee50c0a15583eec01e96743b6651c88cf5e9e1508fde1c533a

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
400KB

MD5
2488619a1f9d44f759eaf50cd2df206b

SHA1
dff930515289fdc5e853dec5bf6355a2ccdea956

SHA256
697b455e39087cb23c41c3dd6f0b24cfd15c01570a47f9635cd2c638c50568aa

SHA512
14ae8c2fb58f1aac9caff1ec4316e0587960b7ca2df5d81eb47dd50cd35e40639349e9a956b8797e17038b0f09b4297e2ad2863c0ae95dad72de33ac92377a31

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
400KB

MD5
dbc58dbd6a11efde59f5d930b0146f80

SHA1
20c83e2dab92293219c00f774888ab20849365d6

SHA256
80a0ec64163b2749972d8fd9f7da4a8d0811c015d1f0eba21574914a76427d7b

SHA512
3f56415f037c1e471991d64852c3386a08cf39971acae7db504c315c6d730302badc2c78ea25c9dfc697e39729f2a41ad58931d57ad54cf0a691fc658058c4fd

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
400KB

MD5
b4f26ba6990298f4ce94eae39dca6803

SHA1
90fc54bd06b5550e1e5cf55be114986a748eef1c

SHA256
cbbd7800140958f4cd7ba3105eef22782073c091ef4515d1a7c8bb72e2ffb81b

SHA512
10a40bbf2c889cc35b078d6e55c511ef358f25382f832bee28860069202550ef5d4abc59b2491666fb2645d366a1afb994d3d7e4dc32d3b979614540e20542f0

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
400KB

MD5
bdf70250da09a43ec2f780ddcc5a9e6c

SHA1
9aa182000e24b15b20ea6111033f7d6d79929747

SHA256
a935a4d525fd5cd142fde72011abe0bb306a8a55f3027b664ba8f1a2b439b728

SHA512
ffff7d1708852d0ae6be6a154a09013238f8603cfe9b6df24d00029fd402026dad548282308507581facb441afd2bc54c515189aada36527e95831b25acb44c4

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
400KB

MD5
1ac40163ed0ae1cc01e8bcf7e0ff634e

SHA1
21ec3a4e43c1c543971a1ca3de8b405909caafb2

SHA256
e339d2cefcc049b08758bd75c736623c4cc503ede0993d12297e4c9c57e8e7e5

SHA512
9148136ca1861eb4d56fd21661146646afd83965728337dfc779dee529377eb69574d5cb19fdc421a4583a33a6b78ccae0f139ec4c655d0a793bb47f1e2a6c86

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
400KB

MD5
661b6ea6e658699c3aa5065631f55a68

SHA1
7fccd94cd0ed7792225be34294baaa0fe9ec687d

SHA256
8fb4017c74f9a32c76285a1c10db0a95ad05202b00afc206d1bf280f0ba50b30

SHA512
46d0be1fdbdfea66493434473ffd6978474e2712abb54023d21a25682c6f5d1a138057621ddff53619a3d0ece711bd907041cccd003f75f73ed18d0037b5bf39

Download Submit
C:\Windows\SysWOW64\Ceckcp32.exe

Filesize
400KB

MD5
e60b1b30f8868d6d5911ef0c231b3f97

SHA1
e7be4685a901531415b1be0dd4065aab27ee1ac4

SHA256
def5a3b4f145aaf5d4278d79e2f2f56e3b68582b3c4a01ff88deb9e7de5c095c

SHA512
dafc2103ddb82931f2701ef6aa798e492241451f3f856913c6177f1ac9685db5d27d62233ad73b83220a9b8d64629e99c880be7e9a0dc7304ee99b7a9cb1ffc0

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
400KB

MD5
fccdd2516518660c872c00de8e85c3e3

SHA1
ee5575fdb1dcf22145a3473dfb80ca7dd410ba26

SHA256
1cee075793f4e09f8911f1697ccf75012854bb9105455d8f5daae4891c9ca9af

SHA512
c48723d8dbf4562a8e56357007dfdeef380a43f224a1db093c227b24c6f05becd8de377bb64bf815f16bd776ce45c7172d7e27ffde286d09ad1ef4ad058321fd

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
400KB

MD5
f7310835793f5b4d919f110db965f4ab

SHA1
c0d90c6a535ef435831475562c4429a2aaef67eb

SHA256
454bf82046a650f0f7c473aa3a3abfbcf581be5c8c53e3432110c9b99a9f4abc

SHA512
de4a493b100c2500213b32c0ffc61f35f5d51d2b172ff4cb0bf1ce67e77e44b8cdf92db59fd998d4c9aa49d8f606981651cf42692b04dff1d873dad752ab7fcb

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
400KB

MD5
a942cdde9fd903cdda9e2c7a571af068

SHA1
db90042e47bbb255b86c0e5e05e7f40288830b02

SHA256
87565804a2db56fde30497f6be61d4d97834c517921fe7a8008921e1e1ca7308

SHA512
7adfb4343738aa1dd99f4c11603c163b4c231a3f300bed857307421d6889d8887d323cb839852ca87bc123a7d8c935ed6a148601c10121ee09b3de805f18715a

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
400KB

MD5
d74d8da9a033bdd63c22cecc3e2338fa

SHA1
b42b3f9eafccfd0a8a970fc884f8cd174d49c1e9

SHA256
e2f35b83d7d2e7f13e947cd29fe1991140f3be76f46aec1bd95831e13c6282ac

SHA512
7e19ae7ffdd5325280df7ec403f0172ab69ab2d061eaa7038e122bff426648a5ca91ff9550a9d6e315de83cc02a81894cf837a31ff0ed3a983ba5a3275983985

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
400KB

MD5
378f500520901b9ca338a45b2c725635

SHA1
507bc3d89f82db7c0d8147ae79da4c87be7d9254

SHA256
b2c059f2945ef464641ff141d7486bfe6fb14c2169d935d52d998b0710b6ee18

SHA512
b84a69d691b9f33b176c440d50ccbef13cff389f4d98837d296cc9f4912b41a1d718d73226952440ac965f1441b9024886259d1162a328d57da823e0e41a4054

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
400KB

MD5
b1c286c7eddba17f5112a47459ca6c59

SHA1
5bf4c0b52d4a69227c10f515973f1922a4f19aa5

SHA256
55fbde6aa6b1e77d461f2c7f1bde1cabacd23aabba037db7630f4e6d309d54b7

SHA512
fa3c9324211c668c59eead49775e93fb9f092befa0b4ce46cc4a65db38d9fb30ef2afa8efa30a102821c529b561b888d532639d7d4467728c557a000125c37f8

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
400KB

MD5
90af1ddd9b32353c411aa573763f0638

SHA1
16151753b6ae6247b8c06d28176af5f05745ad9d

SHA256
b26c0217a9e5cf05fb54da246cac9b8c7a60f39c34ecd9a7b70af5e86684cc46

SHA512
e8c255fd9e1de486cc0b4525f91a160fcb270b390a47b0a49bf5f5f279ba36cd48b5063f79fd5e1948403d66f74ccbbcc75b584ccc45ea59127257a8a97f9b41

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
400KB

MD5
c010c31501306173dca76f28c0509f9b

SHA1
602dde5330b332fc5ea63ce89e7556bb2de93365

SHA256
f95cdf7b0ebaf33f716b0ca5be0759c87a341daef0279ff09697044e1f8bd81a

SHA512
3bb4f0a69600d935b6dd6216ea24a87c8a04255a4b72f2fb039204e16df0eab20852e26a82f042f61d14283b35b4eda904ac1ee3c57ec7530e5d2ab7613fe823

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
400KB

MD5
731b2e2789f402b5d0c337fa31738a2b

SHA1
dc4d8c3ae9f1e5fc7135b98ebddaeea46bbb7968

SHA256
e875d5443b7d041e32a7e2a1e83db0c5a3d5e32a9986c7d9aa1989c848c0e407

SHA512
8b21eddf924a4edb61a81248d77e1e63a1bfb9bb2a5591e0dae8a40ae0bbcaa13becd4536ac5216dc2304ee529ebff857a364425e03ad0db163832ff9c1dc450

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
400KB

MD5
dea8449704ec4c980821b221c7f7be44

SHA1
808e83b2addcba5da7ad9f32647473a7768f0420

SHA256
4719b965e7a318be9b32a249582a2cd567f15cd215e79b6e69095dc453fc46fb

SHA512
6d3096e1759e6328e09f4d65f6075cd1c023d9f4cbdb6a04db0bf0c4f232fd1eae0e72068718c7f88519341f8d8d631cd4ff4fa4366a82e8ccb6c76510cde90e

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
400KB

MD5
15718dfffee4eb50ebf929e760ad8733

SHA1
da636ecb6336c3fa5056c71744c412245c2980e1

SHA256
b3510b656ee243d49c412cd4bdc2b9d17eec59594654df0bee254ba3bb44f0e7

SHA512
264f63e54d762524ab37ba42e5b86d40073ea65cc28c9cadf6c375a4edfbe1f083f6f934f4c64ecb564505338a4b1e19cfc9ded5aeaeef3cde7f6c540755fd80

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
400KB

MD5
540f146af2d96a22fb4cbfc30965ccf0

SHA1
8fb668c4134b3755c898ff6dd73c5d8b86d1493c

SHA256
77fab406c9de9e80482c27898ce1240d7e1078baa08ac4fe9d3285d9dee9f0ec

SHA512
10b143566d08006e72f8c86060b24ed053ae00332f2c36c7ccc8c724dee5e64ab9433342fcb8df1916810b29489aa00ff17adb4968d02ba524c9ba176e077fe9

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
400KB

MD5
85c60ef807c34bc66f85bbef45831d67

SHA1
be9cbfc4ff3d43684f9dfe1fe711668f0b138bed

SHA256
e87e0fc801170358cff812256e8ef9bf75718902babc14c8c601e431eb0d28ea

SHA512
d2e953ffd01956799654f4b4d6fff0e4b3edf25cef1d5212f9680d371c62e37cfad5e99bf7c44d29b8a6f077c04bfb4f26b5c54cc8dcdc6e2a221b1c3cf2cd1b

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
400KB

MD5
d948d9842aaebc7eae30336c416d28e4

SHA1
8fce43500fbb6e8205ade8854218d9454704dde8

SHA256
8f8b864514bc753d69b1b7e63b09659ee519918a5dbf1657349dd1df76fc6580

SHA512
f42e17a15448fab2c5d85048840f4066e586e2bae85e79a728fbea2e591f4c17cda7879ce22eb78d926aa7fb55c3ea86ea854f9c6ac61e8008558eb3fb3b01fd

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
400KB

MD5
4bbf40386dd3b111f315ef70e06f7577

SHA1
6e4dc418a201bf8920b4fdbce5826e9ba569a107

SHA256
8b27c84baf77c739ea51077499e6c72c346867a822dc1fa0b42068c7ad96777b

SHA512
de7c2919fc4c5b5b9d6fde30bc9a9002556c76ca954f3201c33a8c97a058243373dfd003fccb29c180fef7f201c728ff5c6766491b43cf61c3a38e7b60a71898

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
400KB

MD5
55c579d601fd82d343b3fa104e0bdfc3

SHA1
fde9f1f78bbc3736afe7989bd3bfc0905bb7a079

SHA256
8f76dfc3a7c869d3041cb549683aaa1a93ffb45f3712934184e4a2d3c0d6754b

SHA512
a898ca648f7f93247edae5084d6da8b7474f5c2b63ceb01c5f63e52b850b8323e04239c3f48ccb663f022a9180544a3125b72c0a8f6584f6087aff14279f60bb

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
400KB

MD5
36d223580f07095469bbce18906fec7a

SHA1
d8d155eb07113b68fb98d5cb3a77417bc02c710c

SHA256
ed2d96bf08a94d62c02bbd604e907fcda8e4de8a965c29755ad54c44639f4867

SHA512
0431c8ff6ed4f7c86d6fed882a8e52b669d1ed357403f762ef00dedfafa1b1f85f195acb0288b30e9c4dee366cc025848d5287eea015b555c8e7999b67cc6e36

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
400KB

MD5
b37f9b48d09df740449db1e38f97e574

SHA1
44b29a0a1eae7d32be6566f87dd1f5216e2f019a

SHA256
f15a9ccfa8d4022cb1fe33495493512ebd5fdf0aaf3ab1d31402234c5af2854b

SHA512
5ecfd21c6354dcbaf0c0d8cfef4f95b48a65f8b059d82e9bf32d0975e9113ba57832d720c3380837b4c44ddf3bd0eb603655d3358b0c0fe5021a0c77f1782c43

Download Submit
memory/116-212-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/116-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/324-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/324-259-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/408-228-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/408-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/568-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/568-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/632-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/632-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/784-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/784-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/872-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/872-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1112-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1112-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1216-250-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1216-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1316-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1316-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1404-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1404-222-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1408-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1408-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1960-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2448-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2448-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-219-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3320-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3320-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3552-236-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3552-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3640-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3640-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3712-21-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3872-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3872-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4424-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4424-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4516-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4552-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4552-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4640-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4640-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5036-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5036-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5044-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5044-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads