5a15b3d81b99f3208616c0b7ccd2e62113586c044c69aa4ab665ff45d3587a5c

Analysis

max time kernel
95s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12-09-2024 22:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a15b3d81b99f3208616c0b7ccd2e62113586c044c69aa4ab665ff45d3587a5c.exe
Size

77KB
MD5

3589b2980b074ce0f6d9085574c458ca
SHA1

23fb9ab259234966d63686b399c3d24aed1db56c
SHA256

5a15b3d81b99f3208616c0b7ccd2e62113586c044c69aa4ab665ff45d3587a5c
SHA512

88041d2bc0b826b85c92c9f38e7ebbcaea501fa985b55ae04101d9505faff88b78aa3260d2b12729c8d15bf8ca0514b3833298b8bb235a02a969874151a8127b
SSDEEP

1536:IYFnJ8BZaO95vX3qLIQpTII2LtIwfi+TjRC/:bP8BAO95vn+pTIZawf1TjY

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 54 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5a15b3d81b99f3208616c0b7ccd2e62113586c044c69aa4ab665ff45d3587a5c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	5a15b3d81b99f3208616c0b7ccd2e62113586c044c69aa4ab665ff45d3587a5c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe

Executes dropped EXE 27 IoCs

pid	Process
1612	Chmndlge.exe
2444	Cnffqf32.exe
2748	Ceqnmpfo.exe
5036	Cjmgfgdf.exe
4508	Cmlcbbcj.exe
3576	Cdfkolkf.exe
2260	Cjpckf32.exe
4484	Cmnpgb32.exe
1512	Cdhhdlid.exe
4600	Cjbpaf32.exe
5040	Cnnlaehj.exe
5024	Calhnpgn.exe
3600	Djdmffnn.exe
3332	Dmcibama.exe
2760	Dhhnpjmh.exe
4524	Dobfld32.exe
2728	Daqbip32.exe
4192	Dhkjej32.exe
3464	Dkifae32.exe
1852	Dmgbnq32.exe
4048	Deokon32.exe
3960	Dkkcge32.exe
1792	Dmjocp32.exe
5008	Deagdn32.exe
4944	Dhocqigp.exe
4000	Dknpmdfc.exe
3908	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	5a15b3d81b99f3208616c0b7ccd2e62113586c044c69aa4ab665ff45d3587a5c.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3568	3908	WerFault.exe	112

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5a15b3d81b99f3208616c0b7ccd2e62113586c044c69aa4ab665ff45d3587a5c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	5a15b3d81b99f3208616c0b7ccd2e62113586c044c69aa4ab665ff45d3587a5c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	5a15b3d81b99f3208616c0b7ccd2e62113586c044c69aa4ab665ff45d3587a5c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	5a15b3d81b99f3208616c0b7ccd2e62113586c044c69aa4ab665ff45d3587a5c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	5a15b3d81b99f3208616c0b7ccd2e62113586c044c69aa4ab665ff45d3587a5c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	5a15b3d81b99f3208616c0b7ccd2e62113586c044c69aa4ab665ff45d3587a5c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	5a15b3d81b99f3208616c0b7ccd2e62113586c044c69aa4ab665ff45d3587a5c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Deokon32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 1612	1600	5a15b3d81b99f3208616c0b7ccd2e62113586c044c69aa4ab665ff45d3587a5c.exe	83
PID 1600 wrote to memory of 1612	1600	5a15b3d81b99f3208616c0b7ccd2e62113586c044c69aa4ab665ff45d3587a5c.exe	83
PID 1600 wrote to memory of 1612	1600	5a15b3d81b99f3208616c0b7ccd2e62113586c044c69aa4ab665ff45d3587a5c.exe	83
PID 1612 wrote to memory of 2444	1612	Chmndlge.exe	84
PID 1612 wrote to memory of 2444	1612	Chmndlge.exe	84
PID 1612 wrote to memory of 2444	1612	Chmndlge.exe	84
PID 2444 wrote to memory of 2748	2444	Cnffqf32.exe	86
PID 2444 wrote to memory of 2748	2444	Cnffqf32.exe	86
PID 2444 wrote to memory of 2748	2444	Cnffqf32.exe	86
PID 2748 wrote to memory of 5036	2748	Ceqnmpfo.exe	87
PID 2748 wrote to memory of 5036	2748	Ceqnmpfo.exe	87
PID 2748 wrote to memory of 5036	2748	Ceqnmpfo.exe	87
PID 5036 wrote to memory of 4508	5036	Cjmgfgdf.exe	88
PID 5036 wrote to memory of 4508	5036	Cjmgfgdf.exe	88
PID 5036 wrote to memory of 4508	5036	Cjmgfgdf.exe	88
PID 4508 wrote to memory of 3576	4508	Cmlcbbcj.exe	89
PID 4508 wrote to memory of 3576	4508	Cmlcbbcj.exe	89
PID 4508 wrote to memory of 3576	4508	Cmlcbbcj.exe	89
PID 3576 wrote to memory of 2260	3576	Cdfkolkf.exe	90
PID 3576 wrote to memory of 2260	3576	Cdfkolkf.exe	90
PID 3576 wrote to memory of 2260	3576	Cdfkolkf.exe	90
PID 2260 wrote to memory of 4484	2260	Cjpckf32.exe	91
PID 2260 wrote to memory of 4484	2260	Cjpckf32.exe	91
PID 2260 wrote to memory of 4484	2260	Cjpckf32.exe	91
PID 4484 wrote to memory of 1512	4484	Cmnpgb32.exe	93
PID 4484 wrote to memory of 1512	4484	Cmnpgb32.exe	93
PID 4484 wrote to memory of 1512	4484	Cmnpgb32.exe	93
PID 1512 wrote to memory of 4600	1512	Cdhhdlid.exe	94
PID 1512 wrote to memory of 4600	1512	Cdhhdlid.exe	94
PID 1512 wrote to memory of 4600	1512	Cdhhdlid.exe	94
PID 4600 wrote to memory of 5040	4600	Cjbpaf32.exe	95
PID 4600 wrote to memory of 5040	4600	Cjbpaf32.exe	95
PID 4600 wrote to memory of 5040	4600	Cjbpaf32.exe	95
PID 5040 wrote to memory of 5024	5040	Cnnlaehj.exe	96
PID 5040 wrote to memory of 5024	5040	Cnnlaehj.exe	96
PID 5040 wrote to memory of 5024	5040	Cnnlaehj.exe	96
PID 5024 wrote to memory of 3600	5024	Calhnpgn.exe	97
PID 5024 wrote to memory of 3600	5024	Calhnpgn.exe	97
PID 5024 wrote to memory of 3600	5024	Calhnpgn.exe	97
PID 3600 wrote to memory of 3332	3600	Djdmffnn.exe	98
PID 3600 wrote to memory of 3332	3600	Djdmffnn.exe	98
PID 3600 wrote to memory of 3332	3600	Djdmffnn.exe	98
PID 3332 wrote to memory of 2760	3332	Dmcibama.exe	100
PID 3332 wrote to memory of 2760	3332	Dmcibama.exe	100
PID 3332 wrote to memory of 2760	3332	Dmcibama.exe	100
PID 2760 wrote to memory of 4524	2760	Dhhnpjmh.exe	101
PID 2760 wrote to memory of 4524	2760	Dhhnpjmh.exe	101
PID 2760 wrote to memory of 4524	2760	Dhhnpjmh.exe	101
PID 4524 wrote to memory of 2728	4524	Dobfld32.exe	102
PID 4524 wrote to memory of 2728	4524	Dobfld32.exe	102
PID 4524 wrote to memory of 2728	4524	Dobfld32.exe	102
PID 2728 wrote to memory of 4192	2728	Daqbip32.exe	103
PID 2728 wrote to memory of 4192	2728	Daqbip32.exe	103
PID 2728 wrote to memory of 4192	2728	Daqbip32.exe	103
PID 4192 wrote to memory of 3464	4192	Dhkjej32.exe	104
PID 4192 wrote to memory of 3464	4192	Dhkjej32.exe	104
PID 4192 wrote to memory of 3464	4192	Dhkjej32.exe	104
PID 3464 wrote to memory of 1852	3464	Dkifae32.exe	105
PID 3464 wrote to memory of 1852	3464	Dkifae32.exe	105
PID 3464 wrote to memory of 1852	3464	Dkifae32.exe	105
PID 1852 wrote to memory of 4048	1852	Dmgbnq32.exe	106
PID 1852 wrote to memory of 4048	1852	Dmgbnq32.exe	106
PID 1852 wrote to memory of 4048	1852	Dmgbnq32.exe	106
PID 4048 wrote to memory of 3960	4048	Deokon32.exe	107

C:\Users\Admin\AppData\Local\Temp\5a15b3d81b99f3208616c0b7ccd2e62113586c044c69aa4ab665ff45d3587a5c.exe
"C:\Users\Admin\AppData\Local\Temp\5a15b3d81b99f3208616c0b7ccd2e62113586c044c69aa4ab665ff45d3587a5c.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Windows\SysWOW64\Chmndlge.exe
  C:\Windows\system32\Chmndlge.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Windows\SysWOW64\Cnffqf32.exe
    C:\Windows\system32\Cnffqf32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Windows\SysWOW64\Ceqnmpfo.exe
      C:\Windows\system32\Ceqnmpfo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5036
      - C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5040
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3332
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1792
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4000
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3908
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 404
        29⤵
        Program crash
        
        PID:3568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3908 -ip 3908
1⤵
PID:1100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
77KB

MD5
f476f6c31b3a8b77994e19790bf763c8

SHA1
f17d8e6aa5fc407b013ab01a46d50b01ad3dff81

SHA256
370dea625baa9e20faf3c39a46650dca26f18556fc1c2eaf92319ae59deb1860

SHA512
3adf27adb0832e241c57ea272a95fed8842a3c430a62956c6be2eaec77b95faabb882c22abe2aa5c1b94b92ba19c5d592cf9ca0f2f26502b10f46d12644403b6

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
77KB

MD5
6bf84391d565375d15165c0a6b8899c9

SHA1
0ce8eddc270e666ce268525529dbb71ad1e9b4a3

SHA256
192f493aad5d2c158c4ec3918da7f1eecc7089a42b62e11a864d0c9fd16ca729

SHA512
53576bcd7310966d5648780597b19aee6deecca244343af641cb4140d13ad42fd00bb52eed9776bf5420b0bc3ecf65f12f9d9ceb5c310758c407409560dcda21

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
77KB

MD5
ef1abd258632afc72ce09ef7062efed9

SHA1
4b261f99ff8109e48c3b9d7204d01af8e0482563

SHA256
210ac731dddc88839db40a1e02674bff44ab47d6c3ef2f981bf5e084f0ba3ea2

SHA512
c81bca37d740d73faf30d5b74935dfe6f84c21ee7c1a3233d8644dfd9aa051dd8495f148167a907455b98317f0540b8490f42ec59c96a20fd37c408ca20647cb

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
77KB

MD5
aa3ba8d22947badd23e6265cb681a4b7

SHA1
f21de138cf8c437f4d87305570cc5070f9ef2368

SHA256
16d68232d0b4fb81700ee238c9a7e2c49e22e50d4e72d14657eebb5b492bc5ae

SHA512
5e01c469062acd8c1bc3c781f70a1c97a115a89340016d74b86f7b0b9008ed14c3cdfdfbd009f8e6358a11b5f195743ef43435f157be34d62b31bd9c7642a7e0

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
77KB

MD5
efa81c207c757e3b1148145a3ed1d25f

SHA1
7632e6328a6bc07dcc70bdd4b3fc30afb15e8ccd

SHA256
fc3ecb61913042897c07d147e9924fb770bc69401c6120900b09402af0a1799b

SHA512
e36fb8af4be9a3fabbc72ca7d0049a395aa3cd8456d1cad75a712a83e5f0d3a764d09d9d486e7ab2e6b8bf26365eca8e0237e7238c39de52947b5ba363a9cdee

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
77KB

MD5
cb60860caf2fd6f36ff61dc9a79f88d7

SHA1
fda5347d40f4b16cacde26b94141308a0659a8b6

SHA256
2cad0f809e36665365d1f5feebd0874914a89408d841931f9174c01e446eb129

SHA512
da523cf981f301b85ceacccd7b553e9d5f0947944758b9728cc9686a31b9523648bcf7456dce03cf681801d87727ed1b1c8f72535c8bfd6cf0b0e5950667cbcf

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
77KB

MD5
58198cf383c724e5064b6ef0374beed1

SHA1
747c8bcea3617e4c8d3c7c8fac8343e59641246d

SHA256
b1475f2011e4fd3097068b19781d23f0e1e3c9a5b1bb5ecf9c8934d44b4362e3

SHA512
7a498d31bc7b4e7c19e59d3776ec1d3a9445672489b525c747d87b26fa578f5b7fa7bdc76c1590bd9014c3d4dd4f31577535e92e370ee6ae4c94639b4422c4c1

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
77KB

MD5
0f72f97dac8248b9bdad73ae7e269ebb

SHA1
420895ca0128923488e63a7c8938cf9a797de68d

SHA256
381492d8cf47a3d995d522b96eb96806ae10ce14142ea73ac20e41fd585f7527

SHA512
bb4af683c05d9bbbb80182ece0e858b3fb2d970847cbf411c7bed64da70b4eb09bc49bc3ce35e6350e99e2684a6088c73712adffca322d8d730015f67b94442e

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
77KB

MD5
f967f326714a7f1278619799a54537eb

SHA1
c6f7f52a2126d605a429662309657943fef8deea

SHA256
fcc7e6a02f5442479b9fbcd414dae02ae3df48ab7251a807aa6cf0440e2964be

SHA512
2304ffeab3f647c6a00ab5df5dff45625415daabb30fe84e896560719ef5eec698f472e16b340b5c80ea8d2c92e3307b8cad7e619db391c3a4e824002279e6dc

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
77KB

MD5
c023c7dd80bdaee94d3b6184e9fb319e

SHA1
fb92b8adc89d6df2da08c28e0b2e51a26a78c7ee

SHA256
e05471d0bca5b2d82475b0c7f6e45968c540f1be2c4d37ce602f64797ce30609

SHA512
d68225fa2868972caf722dbed2fca4f39a441529d5b74f4f1379cba7f0b4bb178090f050a2fecdca85053b494c92a71e1175150ee2119803cac8c638e4389c9e

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
77KB

MD5
60f49e52bb95a04572076039acf48264

SHA1
f7c87c9b03aa8dad313a12323c9a0cf0c83174a4

SHA256
129f3bf702ede888b5ebcccf75c060c840560549eb79860ee1db77567fea9d26

SHA512
49cb629674230bee4f68c8ff8d1263b2abdebad3d96b421b54962acb48fefed939a0968fe7e63b2b7ec6cdb09b0c63f03a4afba7cbbf9e714352f01940075568

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
77KB

MD5
a88d048af45d53728c78f9af55532469

SHA1
0934ec31145c97e9229ebaa315bdd2d5b9b7262b

SHA256
066d781f09a7fedb343c013fb1199adfbd70252598b417828d8c03cd878692e4

SHA512
04b83d2d7e759047b21514032642047683bfadb46b7fc5fcc0a75cd1c9583b7b84dddb559cafebeb1f4feb5528b914aabbcb460b3b353a54dbc01f4b682dfdbe

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
77KB

MD5
7d6106676a962633fbd17e6ea815bb2a

SHA1
badcde3eb508f23ad6502e8243bfe394df776c09

SHA256
f80e69eeed0997888d67324a0069a8488c25b3e72b998a5df9c5e0cae4a9abe2

SHA512
1db335b0e090d8e8eb5e9a371e8de4f859683032e84e49f6368b67647435eb7aef4d94abef472efec09e47f05c9138504a504ff48076ca4e08a89529ef79fcf5

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
77KB

MD5
6346941bf94ec8382a5f48e083f1d198

SHA1
ed5b2661b42c1da94fac7be7eaa0057cb8955799

SHA256
927c3b4925d126453182f37d100b6376e7c655964d419e41c9173fe969938c78

SHA512
7d6aae11c4708e249994fb28260d0b73c2000d2da5dac65dab08ce21e8448a2b2d5e0cd22b24b9217d98fbdaffb371919eed4fa1b085a24205c29131f5a39ac0

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
77KB

MD5
3a24721c40d267c17913b89bfc50121c

SHA1
a43a4d7cff56ee9d62f637a83e75615298891f12

SHA256
cb4ccd57a7b1a380b88da17a10437b9104daf1b3cdcc085d5944ac104429a606

SHA512
80dd702fe0cb0eb7e497429bbdb208244da6c72e61550dfb28aacb0916d82fc64842e575c24a4d6278b0ebbbed90620110650773b485390c87988ea68c5aa6e5

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
77KB

MD5
8377b4267326c682f0039fe9e0c50d49

SHA1
09ecbe19fdf5418c6c2a1f8d85e7412c80d81619

SHA256
d3c22f78016f695c5e71ddc37c0b1dce172490238316ff1d8f1f126cb363591d

SHA512
46f1323fcc8f84e0ed6254b2be48fb58d848ca8567fa886fae13e1c6a09f261e2d584aa3e258860efb814033bb7956412f1c786a27af2306bc555b58e03fdc48

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
77KB

MD5
d9362a1b31089db55d60343853a7712f

SHA1
529eebc6d16632cad2c5395ae94717cf9b2d112d

SHA256
ced55b9071e67553013d863d445ff4532520928056c1753fe844cbdaedc07abe

SHA512
d6a3c5081923593b8306811b405b869fcc5630b32bb53954374ced4b7b8cc69d8ded2419f9bab4af59caad2d46f3f515c42124e0544db1b7f053c634d75a5938

Download Submit
C:\Windows\SysWOW64\Dhocqigp.exe

Filesize
77KB

MD5
b1e2d8df6b35e948132f731f31ea788e

SHA1
fded242ef2d5f5ad848803135f08501f593a48be

SHA256
7ac7d1c31c5e6a2c60113b9278826e1de724d4d2b7cc10d8f5be83f4adec567b

SHA512
d726d4dc77f3498785ebf2dbf0dce39b6c3e80c5551d14361cdfdc59a48727e95b3c1d965ce80ab9ad406e803b211a7b3e31e224bc49babb647ee1c74cc64a61

Download Submit
C:\Windows\SysWOW64\Djdmffnn.exe

Filesize
77KB

MD5
a692e99caf0788fd6934ec418a4ec856

SHA1
1327e5a942982f64c4d4f55c3072cb97e13968bd

SHA256
fbb0faa90c1124a20165838e18d8e7968cc195554990cef0cb969c57e62203f6

SHA512
d4b16f56b32855d9b90f507f2a3911aad30fb34df631018f65944e5b5bf07292e1962618fb521520bc8fc48a386c491826c1f61ea2dabdb306d9efe1d159011e

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
77KB

MD5
43775d79d594896a5b0d86222f6c51e6

SHA1
2584dfba2874f914434eeb0256c1430e8a578ac5

SHA256
fb467737d96b287079eeb9d5b4014441fe795966c5627b096317f7f3552831b7

SHA512
e15ce9baa8c4505495339ba33d6790927557036c5ef75d4da8f1e9a4968092937471972baeabb02224c43462672640db68fcc7c1490c115ceed160109bdfd10b

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
77KB

MD5
656005fb613414fab531f4d2a733da8c

SHA1
ecd540982f44c59eaca953a7d68f719b7b8fb19f

SHA256
35272127f25ee5e2728389d755984dcea1d3401243e61a2d9c65d9aa832c744f

SHA512
7deb36ec5c1b1575eb014dcebc84dea203b510e61929517e6b7a4ab9be3c377f536be8f79fecdecb0353451a408e044536ec3c0f6e017c0019214398bc605bba

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
77KB

MD5
0f19f73602fc5d4562c1659688edb6f8

SHA1
a9371a91d2383230b6d8dab01015fbff6b2d609d

SHA256
6bb6fce721eec89bbe07014b7d4ae9d45205c62987918fef7d805ef620f0cdae

SHA512
565229cc6dc5fb7461ebbb9978c4f5908ed7f5f6e3c37cd4dc96dcafdcc9bd3d2aa1cb4effaa514d5fdeb37b9e170e2433fd111157d29de579a20df02cc5e1b9

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
77KB

MD5
c97be91e87304252441c65c75b87233a

SHA1
a565950a671eaa43f6f968ec03e08f593e16a013

SHA256
8f8cff3152155a43bf81d9d5a5269a16c510f58830aeed1165f5b898411bc2ed

SHA512
bba9e2cf1c1401dc7ae7032883dd92c574552e1c408b2cb36e184a7058a4acec782b2a369836f1e353281348a8d86358e964b1a9205be2f79c0703a589974f50

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
77KB

MD5
4d99a63491ffd527587df45291980b82

SHA1
e1db6df2fc638fd439472b838e8a9291ec2cb475

SHA256
e0bedafe93868943a11afc36ba29ceb140d6487db3973899a42ea5cd0745b9a0

SHA512
d41c519c9cb120f92a231a1c833aeebdd884fc2583ceb3edf514c49126f98f5731bcb63eabb9b3c5a830cffe2771e9dec5ac6e98d4492ee465b8193fcf3c1e3c

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
77KB

MD5
b47d0ef601250a67c312e0e213390ce4

SHA1
8f240729eaaed0490a3f6772f183eba09c629f78

SHA256
f6ea51c9884747a4b5ac855b870f741f302a0dbedfd83d26babd93ff53b321ff

SHA512
17c2875c0f9f35865de713a6f87c3280f4857bd226b5e88ae8fbf72b3456388930a15f770a8adfc00e08ec0397d1856f44cceeae85b1c4a0345e72480b5fc175

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
77KB

MD5
6dbd08981ec0ee648d931ddce3126364

SHA1
696ed3f2a159e03c8b48b133aaab8174eef27356

SHA256
c24628af83fdc647429b050458058220706cd6ba8750e759578f08b97c4e0d34

SHA512
9cbcebbcb534d4137bf496f2bf891d7e5224bce9310a48c6a72c2b2808f3430465305befe5db344d2458c6e7db0851fb523fd358465a074cd4d7a991b471c4ed

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
77KB

MD5
b226017dd55f3f19df5ff33e0974407b

SHA1
349dcab71807eaf3ab7177b6d9c0de1cde85f466

SHA256
2c83371a5d25c872f241b0ef40600806a3ed27938413f9a0fb09fdde9dfef649

SHA512
0b923f7c38a30bc373fe3b04958b6f5d3fa27dea7e1e3761a6bd46a9ef1ace76fda06b205c34ecabf7200ad01708a9a933b606ec27efbabe4393daa298850e56

Download Submit
memory/1512-236-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1512-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1600-245-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1600-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1600-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1612-244-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1612-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1792-221-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1792-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1852-163-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1852-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2260-238-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2260-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2444-243-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2444-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2728-137-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2728-228-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2748-242-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2748-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2760-230-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2760-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3332-231-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3332-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3464-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3464-226-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3576-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3576-239-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3600-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3600-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3908-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3908-218-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3960-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3960-223-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4000-209-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4000-219-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4048-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4048-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4192-227-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4192-145-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4484-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4484-237-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4508-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4508-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4524-229-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4524-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4600-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4600-235-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4944-220-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4944-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5008-222-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5008-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5024-233-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5024-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5036-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5036-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5040-234-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5040-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads