06a0b282d9c04ef59214efd6504e074db66d7c3e415bbf6a08a997c45c5ddaf6

Analysis

max time kernel
93s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06a0b282d9c04ef59214efd6504e074db66d7c3e415bbf6a08a997c45c5ddaf6.exe
Size

80KB
MD5

107c5f26335031881ee71eab49cf2d99
SHA1

c9ed417ab948616fc332ff9cfc206b348a4f7777
SHA256

06a0b282d9c04ef59214efd6504e074db66d7c3e415bbf6a08a997c45c5ddaf6
SHA512

647b7f59bccda8a7f93253a528a6de6ce70f02ea89431929052aad2e2699df7e23b1ffe662fd2fcf9ed2ce9e44c8580b14794bd6e0a5e77ba38a39d39fa5bed1
SSDEEP

1536:akTng4MAOji/dD4kxRHgIxbba2LlaIZTJ+7LhkiB0:akTnRMA4wCkxRAWPnlaMU7ui

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	06a0b282d9c04ef59214efd6504e074db66d7c3e415bbf6a08a997c45c5ddaf6.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	06a0b282d9c04ef59214efd6504e074db66d7c3e415bbf6a08a997c45c5ddaf6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe

Executes dropped EXE 26 IoCs

pid	Process
1128	Cabfga32.exe
3636	Cdabcm32.exe
3440	Cjkjpgfi.exe
2284	Cmiflbel.exe
2448	Cdcoim32.exe
1296	Cjmgfgdf.exe
3436	Cagobalc.exe
1472	Cdfkolkf.exe
3508	Cnkplejl.exe
4212	Cajlhqjp.exe
1684	Cdhhdlid.exe
4736	Cjbpaf32.exe
3900	Calhnpgn.exe
900	Dhfajjoj.exe
2928	Dmcibama.exe
1356	Ddmaok32.exe
2860	Dfknkg32.exe
3144	Dobfld32.exe
5084	Delnin32.exe
3516	Dfnjafap.exe
2380	Dmgbnq32.exe
216	Deokon32.exe
2016	Dogogcpo.exe
1668	Deagdn32.exe
2352	Dgbdlf32.exe
4040	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cabfga32.exe	06a0b282d9c04ef59214efd6504e074db66d7c3e415bbf6a08a997c45c5ddaf6.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	06a0b282d9c04ef59214efd6504e074db66d7c3e415bbf6a08a997c45c5ddaf6.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	06a0b282d9c04ef59214efd6504e074db66d7c3e415bbf6a08a997c45c5ddaf6.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cabfga32.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cagobalc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2076	4040	WerFault.exe	113

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	06a0b282d9c04ef59214efd6504e074db66d7c3e415bbf6a08a997c45c5ddaf6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	06a0b282d9c04ef59214efd6504e074db66d7c3e415bbf6a08a997c45c5ddaf6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	06a0b282d9c04ef59214efd6504e074db66d7c3e415bbf6a08a997c45c5ddaf6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	06a0b282d9c04ef59214efd6504e074db66d7c3e415bbf6a08a997c45c5ddaf6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	06a0b282d9c04ef59214efd6504e074db66d7c3e415bbf6a08a997c45c5ddaf6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 1128	2856	06a0b282d9c04ef59214efd6504e074db66d7c3e415bbf6a08a997c45c5ddaf6.exe	86
PID 2856 wrote to memory of 1128	2856	06a0b282d9c04ef59214efd6504e074db66d7c3e415bbf6a08a997c45c5ddaf6.exe	86
PID 2856 wrote to memory of 1128	2856	06a0b282d9c04ef59214efd6504e074db66d7c3e415bbf6a08a997c45c5ddaf6.exe	86
PID 1128 wrote to memory of 3636	1128	Cabfga32.exe	87
PID 1128 wrote to memory of 3636	1128	Cabfga32.exe	87
PID 1128 wrote to memory of 3636	1128	Cabfga32.exe	87
PID 3636 wrote to memory of 3440	3636	Cdabcm32.exe	88
PID 3636 wrote to memory of 3440	3636	Cdabcm32.exe	88
PID 3636 wrote to memory of 3440	3636	Cdabcm32.exe	88
PID 3440 wrote to memory of 2284	3440	Cjkjpgfi.exe	89
PID 3440 wrote to memory of 2284	3440	Cjkjpgfi.exe	89
PID 3440 wrote to memory of 2284	3440	Cjkjpgfi.exe	89
PID 2284 wrote to memory of 2448	2284	Cmiflbel.exe	90
PID 2284 wrote to memory of 2448	2284	Cmiflbel.exe	90
PID 2284 wrote to memory of 2448	2284	Cmiflbel.exe	90
PID 2448 wrote to memory of 1296	2448	Cdcoim32.exe	91
PID 2448 wrote to memory of 1296	2448	Cdcoim32.exe	91
PID 2448 wrote to memory of 1296	2448	Cdcoim32.exe	91
PID 1296 wrote to memory of 3436	1296	Cjmgfgdf.exe	93
PID 1296 wrote to memory of 3436	1296	Cjmgfgdf.exe	93
PID 1296 wrote to memory of 3436	1296	Cjmgfgdf.exe	93
PID 3436 wrote to memory of 1472	3436	Cagobalc.exe	94
PID 3436 wrote to memory of 1472	3436	Cagobalc.exe	94
PID 3436 wrote to memory of 1472	3436	Cagobalc.exe	94
PID 1472 wrote to memory of 3508	1472	Cdfkolkf.exe	95
PID 1472 wrote to memory of 3508	1472	Cdfkolkf.exe	95
PID 1472 wrote to memory of 3508	1472	Cdfkolkf.exe	95
PID 3508 wrote to memory of 4212	3508	Cnkplejl.exe	97
PID 3508 wrote to memory of 4212	3508	Cnkplejl.exe	97
PID 3508 wrote to memory of 4212	3508	Cnkplejl.exe	97
PID 4212 wrote to memory of 1684	4212	Cajlhqjp.exe	98
PID 4212 wrote to memory of 1684	4212	Cajlhqjp.exe	98
PID 4212 wrote to memory of 1684	4212	Cajlhqjp.exe	98
PID 1684 wrote to memory of 4736	1684	Cdhhdlid.exe	99
PID 1684 wrote to memory of 4736	1684	Cdhhdlid.exe	99
PID 1684 wrote to memory of 4736	1684	Cdhhdlid.exe	99
PID 4736 wrote to memory of 3900	4736	Cjbpaf32.exe	100
PID 4736 wrote to memory of 3900	4736	Cjbpaf32.exe	100
PID 4736 wrote to memory of 3900	4736	Cjbpaf32.exe	100
PID 3900 wrote to memory of 900	3900	Calhnpgn.exe	101
PID 3900 wrote to memory of 900	3900	Calhnpgn.exe	101
PID 3900 wrote to memory of 900	3900	Calhnpgn.exe	101
PID 900 wrote to memory of 2928	900	Dhfajjoj.exe	102
PID 900 wrote to memory of 2928	900	Dhfajjoj.exe	102
PID 900 wrote to memory of 2928	900	Dhfajjoj.exe	102
PID 2928 wrote to memory of 1356	2928	Dmcibama.exe	103
PID 2928 wrote to memory of 1356	2928	Dmcibama.exe	103
PID 2928 wrote to memory of 1356	2928	Dmcibama.exe	103
PID 1356 wrote to memory of 2860	1356	Ddmaok32.exe	104
PID 1356 wrote to memory of 2860	1356	Ddmaok32.exe	104
PID 1356 wrote to memory of 2860	1356	Ddmaok32.exe	104
PID 2860 wrote to memory of 3144	2860	Dfknkg32.exe	105
PID 2860 wrote to memory of 3144	2860	Dfknkg32.exe	105
PID 2860 wrote to memory of 3144	2860	Dfknkg32.exe	105
PID 3144 wrote to memory of 5084	3144	Dobfld32.exe	106
PID 3144 wrote to memory of 5084	3144	Dobfld32.exe	106
PID 3144 wrote to memory of 5084	3144	Dobfld32.exe	106
PID 5084 wrote to memory of 3516	5084	Delnin32.exe	107
PID 5084 wrote to memory of 3516	5084	Delnin32.exe	107
PID 5084 wrote to memory of 3516	5084	Delnin32.exe	107
PID 3516 wrote to memory of 2380	3516	Dfnjafap.exe	108
PID 3516 wrote to memory of 2380	3516	Dfnjafap.exe	108
PID 3516 wrote to memory of 2380	3516	Dfnjafap.exe	108
PID 2380 wrote to memory of 216	2380	Dmgbnq32.exe	109

C:\Users\Admin\AppData\Local\Temp\06a0b282d9c04ef59214efd6504e074db66d7c3e415bbf6a08a997c45c5ddaf6.exe
"C:\Users\Admin\AppData\Local\Temp\06a0b282d9c04ef59214efd6504e074db66d7c3e415bbf6a08a997c45c5ddaf6.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\SysWOW64\Cabfga32.exe
  C:\Windows\system32\Cabfga32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Windows\SysWOW64\Cdabcm32.exe
    C:\Windows\system32\Cdabcm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3636
  - - C:\Windows\SysWOW64\Cjkjpgfi.exe
      C:\Windows\system32\Cjkjpgfi.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3440
    - - C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2284
      - C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1296
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3436
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4212
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:900
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:216
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2016
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2352
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 404
        28⤵
        Program crash
        
        PID:2076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4040 -ip 4040
1⤵
PID:5080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Cabfga32.exe

Filesize
80KB

MD5
3e248110c2c1a4b3ab1bc1b843cd64ac

SHA1
26edab880cfee3e9a1640c561e65314881f7e59d

SHA256
915394b9658f9da2639f417c73cc0cf4dcb2d3f94fa8db025af97cbe9893c8c3

SHA512
bf71085a10294b7981181b5923d0db1b7559a329ac8bfcfc1a91d6305c6ccf37cd440039037f2612af2a7cab5ec099e5faefa7123f3700c58dccd893b7b5c939

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
80KB

MD5
1ef2cc7dca5f3db8d46c23417a7571cc

SHA1
f1d5b18a0920a6d0d55c292eda734256859c3ac2

SHA256
3006e25e4d76021cd91b4b0e867bae1497084217aa7c1fee4cab0be0ee2b425a

SHA512
36919320549f137961f44f6391a8be5096220ca142910cdab9a7fb32110f623f6103ba1fb3c9092dc4adb7eeac8f28f2d427b5ff0eae89e02a90158535e7727c

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
80KB

MD5
b9818ddb41aac497e14f90f73f665c7e

SHA1
b14ec0b33303f6858fe92cc1d9775c77f4376633

SHA256
434389a61519ff3e989fdbecd2fbf1d1249ccb42a4445167fd998ccd5f76b193

SHA512
12e3dea3d81978ae2688a72b159ce86820779f8608e6e65ab5b858529807f46dc98764742b56f2faebe106b473820a965bc7101779a385bda2eea6dc24cd5f70

Download Submit
C:\Windows\SysWOW64\Calhnpgn.exe

Filesize
80KB

MD5
be506457135a9632696f5a46efe99821

SHA1
f4983fbec9663b9fed18be6ccfb918b8d3b12294

SHA256
f9664801bb30222f1df8aad5d3c731ff310fb141435bdebdd9e2565f7d764528

SHA512
b0500a3b1201540058ab54666925dacf4b5576b2881c8c366aae56afa7593a14e008edb536b61ff59adaccc1f20e2142398eead67a261bfda28eac9a02bd3f10

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
80KB

MD5
be86e5fbaac1b64238e595b4669f5cd8

SHA1
ec32c71ea0bb9c99502fc04152953e80b8656011

SHA256
f73d5ee3003f8461a2a1f314daddbb788c4fe3f431f6c20191cafc3e413afeeb

SHA512
ebb4ec32c640763d8469423bfb4908a806a86612bf9191731b672fb2de609a13ce9250129f5446de7777335d403ee342547a2569658bba808d7673bfb445d89f

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
80KB

MD5
69d7997c3f8858ba17d56b2ba5f752c8

SHA1
7ad54f7a624adc838e1a4c6348be90550f7bda90

SHA256
968b80a4b0934c703334ebdfd955f84dc12311cfe9397454218931c2fa21ce6b

SHA512
85e0385b3fea45ea50e7d10cd1165d6bda1737384ad9928521872bd19c323b846c7f845b8a85b58b650763467347162bc687e031f0ed2faacef1b031ddf19ab1

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
80KB

MD5
0e7bc243a745e1b606c6297aa2028245

SHA1
db50556dfc7ff911c5c58557341b443c07b5062d

SHA256
80b590756f734dbbd42efe3f935a7c5ac62f2455a74c0adcc3e551ac2ea3a10d

SHA512
2519adb057962abcb0a7f56cbf1008aa96d9800e44408ac14019a072427a7b662b3289a7f45ce0632f10fb22aef5982e0ca2852bde1a11f29e8fa192f28a3606

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
80KB

MD5
63d0db3771e57c1231a42014a3f6ddf0

SHA1
455022f2b4686e2e945fb9e0c363bfcf02d9cb0e

SHA256
d0d575062142fe8005dfb4c32c3d02bf29791b13c55e4ab8b385390b696f504e

SHA512
4ebf6554489ec1243840bf73109f447bd792f9e992b08b8271d61e4362e891d11971cc93bf32bcbe42b6b6b2f26eeb000ca6e90f0ff0b0d815ebec74c8271abb

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
80KB

MD5
db273bc577aa56c426b59c3cd522573a

SHA1
de9c4220b7743074e6a002ff12c293feca8e4cd2

SHA256
ff22514fad64e0f2a2bbdf5089b7120c76cc514f7afedc99c52b4de63e0300a2

SHA512
8e9c717e466f81381af80117cceaa7696a57984a191f3f8323d840a8b90a81cd7505fede72c73630b104fa57628060529a09ec57d258e681af5da37327512d85

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
80KB

MD5
725c4e096cb82ce3fdce9895d14db57e

SHA1
74ded3bd0f29df3000b7a44b15b015e7a5d2f983

SHA256
9c4c0583f9cf85a4ae40ae4d168f7af7454e7edc91b06262e79f0a4b781abf93

SHA512
a3cf0313bf45d1eb8c5f8474e031983b4b7ffbcd681a1e2d119c165e2a8d5ad980e07a2f9cd6f9243c0a2be58c50921e9890fc1d6c9953b01325e6e49d530e20

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
80KB

MD5
2583f5f7aa61941fcf3bb9ac55ddfd1e

SHA1
5061568c9a4ad27204445abf8cec5d24f859386b

SHA256
4848fbdd1d87870219d07701d36dba2ea4ee520482fff721e6918adcb6bb31bf

SHA512
06acbe0e5cedb102d5948b27360b85f9ed256ed4ad04662d5bd988add3ce2572d04353da69847754924096b59399d48d9ffc8aba00d905d058cdb70adb820dd5

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
80KB

MD5
94cf0efae3b241fbd73243c32e1ec027

SHA1
81aca3012c6641a2e43431ce438d41e54306cbdd

SHA256
a848b16861409d2cc1fe59c3819f3b3795a949ee9f4df80f743db305bab3309b

SHA512
ebc60e4725069d7a757e59ff9de8ea3a867773dc925837d6114f630131379b72808e2c38d942a2bc447460a080c8dad36f59f7f3d3a9f900553d19fe28253824

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
80KB

MD5
a6f80c6c49e12a762eaec4b281aa98e9

SHA1
35070d6003d0a04681dc11411018ff77bbe40104

SHA256
0b022bbe71295ddaeeb89d72dd060812693a5b7a82681e042de790182578506c

SHA512
3e1d353bbc29e407432e1c0fc4f86dca69649b8302b1dcf77e23898133adc7c18c58e70530ccf0e6b9760161c37f9125133c6bfc837832f423e8e8b7e447fb04

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
80KB

MD5
3d6321d0f987af7805eeddc146d0d89c

SHA1
aff8abf5700aa4be8d67abd2d00984eed342c645

SHA256
4579cca2213ac7067c464c601bb417faef5dcebfa98f05bcc6ce16aff5e60529

SHA512
4f834e6589c73b8f48e8922ed6d1dd32ebe21942fc5ae50f3d415fd5d6c3af474d82b584bd99bdc9f444ef5abec3da9238430d766a390c31a2ff4ae0ad7c0333

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
80KB

MD5
35edb793d89824d8cee44484b14a7e87

SHA1
99c044ab5a86e08ed0ee7253c39dd08fdf979d66

SHA256
7c1ed3e1365d5311760a6103e28ca83faa2f6772c5cd4286eecfd00b93453686

SHA512
960c735e5c35c859bb90a796c64844fc0f0ec14db3c68cdca287fd1590a64f33bdca26e15483eea926d27135aebf39e086c31f6466f4aa752416dfd5cd875472

Download Submit
C:\Windows\SysWOW64\Delnin32.exe

Filesize
80KB

MD5
02e28002ac7a8210496bcb7b22299307

SHA1
c85ecdd3127f32a3ba1abb64cdaa8b535fe29f5e

SHA256
957b167be486c00c7ca84533b0454994ab148e3c85ca993532089b4436b2f5fb

SHA512
0ffd6b1b5cb02be7bdd385e93c6eb7ae490abbb2370eb8113aace5e0876ea0ff4adda1c1658e9b033688a0ff82e102065c1480087386f8228ed0cc69a8e47471

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
80KB

MD5
5ec6b26d04df43fe9ae2c348b865abd4

SHA1
70a7b7942f44d010d0157bf29d5c402e69385cf9

SHA256
1a771a7f6f2f20c807ea0d78d40fe90983dc1bf85d18340aea6b254004d25aa4

SHA512
998fdefb50d61d2d2abff8e38903e4de0d5a00dd1fcace78b45b099c0cd0050020d0ee5a0b6ddf5d419ef21846235a76075297ef5dc07a1f25335b16176039fd

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
80KB

MD5
91c2da53d1b8049e8530445a288b365e

SHA1
c25d6b47a15a8ad346d81659e2770e074d2b159b

SHA256
5b304dbef791138299e3975d91b0c92d2cd6e6126aff23e18dd8e768b28c8c75

SHA512
ffb883bfc005e86e8cb6fdac28718f2f0338d67c3fa9ff44400b12e1ec180b7fcb563303f978a5d064786ad46014d1927f9653a6c8143a379cfdc778534fa312

Download Submit
C:\Windows\SysWOW64\Dfnjafap.exe

Filesize
80KB

MD5
1ddff4800eb43ccb5297983490577057

SHA1
129f8a3698708f1756dbb1bae6273af0174a500c

SHA256
c723a55b208269aeef2a0363128c847550883737410dd6b53b96dd7fca001ac1

SHA512
d90547b317081d5a1f624eb6fd59679a62ce969d69bb776d6fd698d898f5bacd0385c956613627c37aae5f69e35ff4ca1b7d7d945ba1d0fe69ecbdce24af8b95

Download Submit
C:\Windows\SysWOW64\Dgbdlf32.exe

Filesize
80KB

MD5
9be0814fb3be5406baaddf91054dcb0b

SHA1
6cd3e8f11136a323b854788c8143399fb7b3fcd9

SHA256
3368b4c904eb4ed23694b6ead08da43aa9a61833a93e4775e1191942514c61eb

SHA512
adb2e96cf78a4d52b4a0659114b5e1757953638bf2197d3e281d6058a23d4b0eff01645e5358819e02e8b47cbbe5f08dfaddf3c7e0de37e388e728115996c813

Download Submit
C:\Windows\SysWOW64\Dhfajjoj.exe

Filesize
80KB

MD5
f32e8c01fba28270cb38e692ed14ff79

SHA1
85aaa8230284b9dc08c9aa0e9a6fe37547c0e88e

SHA256
2047532a389497ae45e0eba2b5dbb556a5131ac4db403f1e350ad3f2e8d36531

SHA512
b345d1a5f358f588153d18b488b6921776a96d908a88590818185749e66968014ff88b5f697171659b5a573c54d819a52b18e7457fbbec84e0aeb706590bf159

Download Submit
C:\Windows\SysWOW64\Dmcibama.exe

Filesize
80KB

MD5
e1fabe38cc11ff451e90bbfa768ab415

SHA1
083015675aedace9a5a9a6a1c6804fce8f251672

SHA256
1e178e66957b80487cda908ddf91dc80cbe1154fe8c33002ff7a63b5e7987301

SHA512
8a6d7c0188b934837248ef7fd4f2717978ecc11d2b7a81b30d1b411fe765a20ad2201d71fd1a0a9689040daaedce102e2ea75d18fc400b22724fe2dbda0e012c

Download Submit
C:\Windows\SysWOW64\Dmgbnq32.exe

Filesize
80KB

MD5
31e35c69ce5075c59170455d1a148923

SHA1
2844cff36c77b73d9bee7a4ae23cb53bfd1bd332

SHA256
0b4c8a9a125c39262ac2bac8afb174c2c3f5f20723707889ed7e35fc7d1fcb2b

SHA512
584ef7b3bc777c94ce148e2fe6c35e578664e75b4d3ab029be5c671badf01243c890c0b6b7a9f67921dd2e743751f3edc558b879c8f6ca1a101c8a3bf21b69f8

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
80KB

MD5
197868aae4ed3f4f24e8245c184d5efd

SHA1
45582bb592f4350e26c43211fcfaa3afa6282c69

SHA256
7295282e874ea715c3f336bb380e363f732cf07b638bf596d6c1bd08c854dc1c

SHA512
55dc197a7dd4990212e30633cf8ae08a95556890c15946edd0921f8dcde224ad9a6604b2a4b1068039a06b66bfe8057d20f39506f2f9a91b747e79778c92ef9f

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
80KB

MD5
9689cf430af1c04b637d657094f6f6d1

SHA1
691be849852e4c2445b2b3771c6969f649dd483a

SHA256
f5b03bae5a9ec32870b79d9fbf6fac86b5c4f5bfb3331e7875f2cc46a3980ee0

SHA512
b31f98f65af27f399d03b396e7db37dcebd6bb1b71258983a227b0d98b3a42bc567f5cb2a30ac60393c25c13faa7be41597a47141e2a2f786d71990df15088d7

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
80KB

MD5
c534a037d812b3779c21d6bb0bcfae9c

SHA1
e4c45d627e1b5cc2d1ec2db97d71d7b986cf83a4

SHA256
689dd6a8c5ec17f8b04f52ffefa1903390491454c1590a0166a22a7dc6189836

SHA512
1a3607e5aad4492682d15b4118c73fe89c9e821204651d0c9d149e52c16c6286643af3e883df566cb02985a4d6263fa97f1d3efd247115fc5e226e54cf1d5cb2

Download Submit
memory/216-232-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/216-189-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/900-117-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/900-206-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1128-89-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1128-8-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1296-48-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1296-134-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1356-135-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1356-224-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1472-64-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1472-152-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1668-207-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1668-230-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1684-91-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1684-179-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2016-199-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2016-231-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2284-32-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2284-116-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2352-229-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2352-217-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2380-233-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2380-180-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2448-125-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2448-40-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2856-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2856-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2856-72-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2860-227-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2860-144-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2928-126-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2928-216-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3144-236-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3144-153-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3436-56-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3436-143-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3440-107-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3440-24-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3508-73-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3508-161-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3516-234-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3516-172-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3636-17-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3636-98-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3900-197-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3900-108-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4040-225-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4040-228-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4212-86-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4212-171-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4736-188-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4736-99-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5084-235-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5084-163-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads