ca45725d8f07f0cd335ddf1ed61f6e72535bf9dfc7d4f3386ffe9cba855b4856

Analysis

max time kernel
94s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 06:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ca842832812da0f74073dd0a4f394f0N.exe
Size

76KB
MD5

6ca842832812da0f74073dd0a4f394f0
SHA1

cca8700d63b6894862ccf766b33d3824b07204b1
SHA256

ca45725d8f07f0cd335ddf1ed61f6e72535bf9dfc7d4f3386ffe9cba855b4856
SHA512

13ba106a0f1cd5e7e5f8d39be28075ee7e070853d78e9224cf7b455a3a175540efc7ccc2f85ab797c5c6f6f2cdc67656d46c1ef2b54e655e37bb465c26337df3
SSDEEP

1536:KDTARpHcK1eVYsv6rZYJrHHaH4l+8BvmJq4gHioQV+/eCeyvCQ:XP3Fo6yJrl+quc4gHrk+

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnifekmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qdaniq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bklomh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhpofl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bahdob32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnoddcef.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckbemgcp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afpjel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdmfllhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cglbhhga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cacckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chnlgjlb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmiikh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdmmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oabhfg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmblagmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afpjel32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adcjop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apmhiq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Coqncejg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogekbb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofmdio32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ppgegd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofkgcobj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahfmpnql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdfpkm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckbemgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chfegk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdpcal32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnjdpaki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdenmbkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Coegoe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocohmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aopemh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgelgi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cammjakm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chfegk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmiikh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmnbfhal.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdhkcb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aaoaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bddcenpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdmfllhn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhphmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhphmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Omdppiif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfandnla.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmblagmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qacameaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aonhghjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgcihgaj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddgibkpc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjiipk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aoioli32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aonhghjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmeandma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmhocd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhpofl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cacckp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Opqofe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdenmbkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ahaceo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apmhiq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgkiaj32.exe

Executes dropped EXE 64 IoCs

pid	Process
4868	Ogekbb32.exe
2016	Ojdgnn32.exe
720	Opqofe32.exe
4560	Ofkgcobj.exe
4564	Omdppiif.exe
3476	Ocohmc32.exe
4580	Ofmdio32.exe
2308	Oabhfg32.exe
4336	Pfoann32.exe
3196	Pmiikh32.exe
4280	Ppgegd32.exe
3180	Pfandnla.exe
4232	Pnifekmd.exe
3436	Pdenmbkk.exe
3620	Pmnbfhal.exe
1380	Pdhkcb32.exe
3380	Pjbcplpe.exe
2452	Palklf32.exe
3224	Pfiddm32.exe
1204	Pmblagmf.exe
3956	Qhhpop32.exe
1580	Qpcecb32.exe
4156	Qjiipk32.exe
3060	Qacameaj.exe
2064	Qdaniq32.exe
2024	Afpjel32.exe
4052	Adcjop32.exe
1372	Aoioli32.exe
3552	Apjkcadp.exe
3600	Ahaceo32.exe
2404	Amnlme32.exe
4468	Apmhiq32.exe
4956	Aonhghjl.exe
4000	Amqhbe32.exe
2784	Apodoq32.exe
1284	Ahfmpnql.exe
4848	Aopemh32.exe
2000	Aaoaic32.exe
2692	Bdmmeo32.exe
1920	Bgkiaj32.exe
4916	Bmeandma.exe
3928	Bhkfkmmg.exe
920	Bgnffj32.exe
5044	Bmhocd32.exe
4304	Bacjdbch.exe
4020	Bhmbqm32.exe
1548	Bklomh32.exe
3056	Bddcenpi.exe
4832	Bhpofl32.exe
1708	Bahdob32.exe
3004	Bdfpkm32.exe
1568	Bgelgi32.exe
4532	Bnoddcef.exe
3304	Ckbemgcp.exe
408	Cammjakm.exe
2944	Chfegk32.exe
2320	Coqncejg.exe
1456	Cdmfllhn.exe
3780	Cglbhhga.exe
3288	Caageq32.exe
728	Cdpcal32.exe
1668	Coegoe32.exe
1584	Cacckp32.exe
3460	Chnlgjlb.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pmnbfhal.exe	Pdenmbkk.exe
File created	C:\Windows\SysWOW64\Bhpofl32.exe	Bddcenpi.exe
File created	C:\Windows\SysWOW64\Opcefi32.dll	Ogekbb32.exe
File created	C:\Windows\SysWOW64\Palklf32.exe	Pjbcplpe.exe
File created	C:\Windows\SysWOW64\Bmhocd32.exe	Bgnffj32.exe
File created	C:\Windows\SysWOW64\Cnjdpaki.exe	Chnlgjlb.exe
File opened for modification	C:\Windows\SysWOW64\Palklf32.exe	Pjbcplpe.exe
File opened for modification	C:\Windows\SysWOW64\Pfiddm32.exe	Palklf32.exe
File created	C:\Windows\SysWOW64\Qpcecb32.exe	Qhhpop32.exe
File created	C:\Windows\SysWOW64\Dhphmj32.exe	Cnjdpaki.exe
File created	C:\Windows\SysWOW64\Ppcbba32.dll	Pdhkcb32.exe
File opened for modification	C:\Windows\SysWOW64\Pmblagmf.exe	Pfiddm32.exe
File created	C:\Windows\SysWOW64\Bjlfmfbi.dll	Cdmfllhn.exe
File created	C:\Windows\SysWOW64\Glfdiedd.dll	Ddgibkpc.exe
File created	C:\Windows\SysWOW64\Mcdibc32.dll	Cglbhhga.exe
File created	C:\Windows\SysWOW64\Aopemh32.exe	Ahfmpnql.exe
File opened for modification	C:\Windows\SysWOW64\Dgcihgaj.exe	Dhphmj32.exe
File opened for modification	C:\Windows\SysWOW64\Cnjdpaki.exe	Chnlgjlb.exe
File created	C:\Windows\SysWOW64\Nnahhegq.dll	Omdppiif.exe
File opened for modification	C:\Windows\SysWOW64\Ppgegd32.exe	Pmiikh32.exe
File created	C:\Windows\SysWOW64\Aoioli32.exe	Adcjop32.exe
File opened for modification	C:\Windows\SysWOW64\Bmeandma.exe	Bgkiaj32.exe
File created	C:\Windows\SysWOW64\Chfegk32.exe	Cammjakm.exe
File created	C:\Windows\SysWOW64\Hockka32.dll	Qjiipk32.exe
File opened for modification	C:\Windows\SysWOW64\Ckbemgcp.exe	Bnoddcef.exe
File created	C:\Windows\SysWOW64\Kfcfimfi.dll	Pdenmbkk.exe
File opened for modification	C:\Windows\SysWOW64\Qdaniq32.exe	Qacameaj.exe
File opened for modification	C:\Windows\SysWOW64\Bhkfkmmg.exe	Bmeandma.exe
File created	C:\Windows\SysWOW64\Mmihfl32.dll	Ckbemgcp.exe
File opened for modification	C:\Windows\SysWOW64\Ocohmc32.exe	Omdppiif.exe
File created	C:\Windows\SysWOW64\Ckbcpc32.dll	Pmblagmf.exe
File opened for modification	C:\Windows\SysWOW64\Caageq32.exe	Cglbhhga.exe
File created	C:\Windows\SysWOW64\Flbfjl32.dll	6ca842832812da0f74073dd0a4f394f0N.exe
File created	C:\Windows\SysWOW64\Ojdgnn32.exe	Ogekbb32.exe
File created	C:\Windows\SysWOW64\Qdaniq32.exe	Qacameaj.exe
File created	C:\Windows\SysWOW64\Ahaceo32.exe	Apjkcadp.exe
File created	C:\Windows\SysWOW64\Mioaanec.dll	Bdmmeo32.exe
File created	C:\Windows\SysWOW64\Chnlgjlb.exe	Cacckp32.exe
File created	C:\Windows\SysWOW64\Gelfeh32.dll	Dhphmj32.exe
File created	C:\Windows\SysWOW64\Pfandnla.exe	Ppgegd32.exe
File created	C:\Windows\SysWOW64\Aonhghjl.exe	Apmhiq32.exe
File created	C:\Windows\SysWOW64\Qnbidcgp.dll	Bgkiaj32.exe
File opened for modification	C:\Windows\SysWOW64\Bklomh32.exe	Bhmbqm32.exe
File created	C:\Windows\SysWOW64\Qhhpop32.exe	Pmblagmf.exe
File opened for modification	C:\Windows\SysWOW64\Bdmmeo32.exe	Aaoaic32.exe
File created	C:\Windows\SysWOW64\Cglbhhga.exe	Cdmfllhn.exe
File created	C:\Windows\SysWOW64\Ekiapmnp.dll	Cacckp32.exe
File created	C:\Windows\SysWOW64\Dgcihgaj.exe	Dhphmj32.exe
File created	C:\Windows\SysWOW64\Qedegh32.dll	Ofkgcobj.exe
File created	C:\Windows\SysWOW64\Pjbcplpe.exe	Pdhkcb32.exe
File created	C:\Windows\SysWOW64\Qjiipk32.exe	Qpcecb32.exe
File created	C:\Windows\SysWOW64\Gdlfcb32.dll	Ahfmpnql.exe
File created	C:\Windows\SysWOW64\Coqncejg.exe	Chfegk32.exe
File created	C:\Windows\SysWOW64\Lqppgj32.dll	Bmhocd32.exe
File opened for modification	C:\Windows\SysWOW64\Coegoe32.exe	Cdpcal32.exe
File created	C:\Windows\SysWOW64\Afpjel32.exe	Qdaniq32.exe
File opened for modification	C:\Windows\SysWOW64\Afpjel32.exe	Qdaniq32.exe
File created	C:\Windows\SysWOW64\Bhkfkmmg.exe	Bmeandma.exe
File opened for modification	C:\Windows\SysWOW64\Bnoddcef.exe	Bgelgi32.exe
File created	C:\Windows\SysWOW64\Lahoec32.dll	Bgelgi32.exe
File created	C:\Windows\SysWOW64\Giidol32.dll	Pnifekmd.exe
File created	C:\Windows\SysWOW64\Apjkcadp.exe	Aoioli32.exe
File opened for modification	C:\Windows\SysWOW64\Pjbcplpe.exe	Pdhkcb32.exe
File created	C:\Windows\SysWOW64\Pmiikh32.exe	Pfoann32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1496	1060	WerFault.exe	153

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6ca842832812da0f74073dd0a4f394f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojdgnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofkgcobj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofmdio32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aoioli32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aopemh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddgibkpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkqaoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfiddm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdaniq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aonhghjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmhocd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bklomh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmnbfhal.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmblagmf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qacameaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apmhiq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aaoaic32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdmmeo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhkfkmmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bahdob32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdfpkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ppgegd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmeandma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgnffj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Palklf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afpjel32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chfegk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coegoe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chnlgjlb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfandnla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahaceo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhmbqm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhpofl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Coqncejg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdpcal32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgcihgaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogekbb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qpcecb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdmfllhn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgkiaj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bddcenpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnjdpaki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacckp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opqofe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdenmbkk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cammjakm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhphmj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ahfmpnql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amnlme32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocohmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oabhfg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfoann32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmiikh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnifekmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdhkcb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjbcplpe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bacjdbch.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnoddcef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjiipk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adcjop32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amqhbe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apodoq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgelgi32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhpofl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caageq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pfandnla.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Palklf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adcjop32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgnffj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Omdppiif.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qpcecb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndikch32.dll"	Bklomh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdmfllhn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pnifekmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egilaj32.dll"	Qdaniq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cglbhhga.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Coegoe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofmdio32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gelfeh32.dll"	Dhphmj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdlfcb32.dll"	Ahfmpnql.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	6ca842832812da0f74073dd0a4f394f0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cacckp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfoann32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ckbemgcp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekiapmnp.dll"	Cacckp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chfegk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ogekbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdmmeo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnjdpaki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddgibkpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddgibkpc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opcefi32.dll"	Ogekbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igafkb32.dll"	Pjbcplpe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aaoaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbjieo32.dll"	Bmeandma.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Coqncejg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfdiedd.dll"	Ddgibkpc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	6ca842832812da0f74073dd0a4f394f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnkdmlfj.dll"	Apjkcadp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amqhbe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqppgj32.dll"	Bmhocd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgcihgaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmblagmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qdaniq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgegjnih.dll"	Opqofe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlhefcoo.dll"	Ppgegd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ennamn32.dll"	Chnlgjlb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ppgegd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Apmhiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qhhpop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qacameaj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhkfkmmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bahdob32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ofmdio32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgelgi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aaoaic32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdenmbkk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adcjop32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmhocd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgddkelm.dll"	Bdfpkm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Opqofe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bklomh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ogekbb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apjkcadp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ahaceo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chnpamkc.dll"	Apmhiq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnoddcef.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4608 wrote to memory of 4868	4608	6ca842832812da0f74073dd0a4f394f0N.exe	84
PID 4608 wrote to memory of 4868	4608	6ca842832812da0f74073dd0a4f394f0N.exe	84
PID 4608 wrote to memory of 4868	4608	6ca842832812da0f74073dd0a4f394f0N.exe	84
PID 4868 wrote to memory of 2016	4868	Ogekbb32.exe	85
PID 4868 wrote to memory of 2016	4868	Ogekbb32.exe	85
PID 4868 wrote to memory of 2016	4868	Ogekbb32.exe	85
PID 2016 wrote to memory of 720	2016	Ojdgnn32.exe	86
PID 2016 wrote to memory of 720	2016	Ojdgnn32.exe	86
PID 2016 wrote to memory of 720	2016	Ojdgnn32.exe	86
PID 720 wrote to memory of 4560	720	Opqofe32.exe	87
PID 720 wrote to memory of 4560	720	Opqofe32.exe	87
PID 720 wrote to memory of 4560	720	Opqofe32.exe	87
PID 4560 wrote to memory of 4564	4560	Ofkgcobj.exe	88
PID 4560 wrote to memory of 4564	4560	Ofkgcobj.exe	88
PID 4560 wrote to memory of 4564	4560	Ofkgcobj.exe	88
PID 4564 wrote to memory of 3476	4564	Omdppiif.exe	90
PID 4564 wrote to memory of 3476	4564	Omdppiif.exe	90
PID 4564 wrote to memory of 3476	4564	Omdppiif.exe	90
PID 3476 wrote to memory of 4580	3476	Ocohmc32.exe	91
PID 3476 wrote to memory of 4580	3476	Ocohmc32.exe	91
PID 3476 wrote to memory of 4580	3476	Ocohmc32.exe	91
PID 4580 wrote to memory of 2308	4580	Ofmdio32.exe	92
PID 4580 wrote to memory of 2308	4580	Ofmdio32.exe	92
PID 4580 wrote to memory of 2308	4580	Ofmdio32.exe	92
PID 2308 wrote to memory of 4336	2308	Oabhfg32.exe	93
PID 2308 wrote to memory of 4336	2308	Oabhfg32.exe	93
PID 2308 wrote to memory of 4336	2308	Oabhfg32.exe	93
PID 4336 wrote to memory of 3196	4336	Pfoann32.exe	94
PID 4336 wrote to memory of 3196	4336	Pfoann32.exe	94
PID 4336 wrote to memory of 3196	4336	Pfoann32.exe	94
PID 3196 wrote to memory of 4280	3196	Pmiikh32.exe	95
PID 3196 wrote to memory of 4280	3196	Pmiikh32.exe	95
PID 3196 wrote to memory of 4280	3196	Pmiikh32.exe	95
PID 4280 wrote to memory of 3180	4280	Ppgegd32.exe	96
PID 4280 wrote to memory of 3180	4280	Ppgegd32.exe	96
PID 4280 wrote to memory of 3180	4280	Ppgegd32.exe	96
PID 3180 wrote to memory of 4232	3180	Pfandnla.exe	97
PID 3180 wrote to memory of 4232	3180	Pfandnla.exe	97
PID 3180 wrote to memory of 4232	3180	Pfandnla.exe	97
PID 4232 wrote to memory of 3436	4232	Pnifekmd.exe	98
PID 4232 wrote to memory of 3436	4232	Pnifekmd.exe	98
PID 4232 wrote to memory of 3436	4232	Pnifekmd.exe	98
PID 3436 wrote to memory of 3620	3436	Pdenmbkk.exe	99
PID 3436 wrote to memory of 3620	3436	Pdenmbkk.exe	99
PID 3436 wrote to memory of 3620	3436	Pdenmbkk.exe	99
PID 3620 wrote to memory of 1380	3620	Pmnbfhal.exe	100
PID 3620 wrote to memory of 1380	3620	Pmnbfhal.exe	100
PID 3620 wrote to memory of 1380	3620	Pmnbfhal.exe	100
PID 1380 wrote to memory of 3380	1380	Pdhkcb32.exe	101
PID 1380 wrote to memory of 3380	1380	Pdhkcb32.exe	101
PID 1380 wrote to memory of 3380	1380	Pdhkcb32.exe	101
PID 3380 wrote to memory of 2452	3380	Pjbcplpe.exe	102
PID 3380 wrote to memory of 2452	3380	Pjbcplpe.exe	102
PID 3380 wrote to memory of 2452	3380	Pjbcplpe.exe	102
PID 2452 wrote to memory of 3224	2452	Palklf32.exe	103
PID 2452 wrote to memory of 3224	2452	Palklf32.exe	103
PID 2452 wrote to memory of 3224	2452	Palklf32.exe	103
PID 3224 wrote to memory of 1204	3224	Pfiddm32.exe	104
PID 3224 wrote to memory of 1204	3224	Pfiddm32.exe	104
PID 3224 wrote to memory of 1204	3224	Pfiddm32.exe	104
PID 1204 wrote to memory of 3956	1204	Pmblagmf.exe	105
PID 1204 wrote to memory of 3956	1204	Pmblagmf.exe	105
PID 1204 wrote to memory of 3956	1204	Pmblagmf.exe	105
PID 3956 wrote to memory of 1580	3956	Qhhpop32.exe	106

C:\Users\Admin\AppData\Local\Temp\6ca842832812da0f74073dd0a4f394f0N.exe
"C:\Users\Admin\AppData\Local\Temp\6ca842832812da0f74073dd0a4f394f0N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Windows\SysWOW64\Ogekbb32.exe
  C:\Windows\system32\Ogekbb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4868
- - C:\Windows\SysWOW64\Ojdgnn32.exe
    C:\Windows\system32\Ojdgnn32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2016
  - - C:\Windows\SysWOW64\Opqofe32.exe
      C:\Windows\system32\Opqofe32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:720
    - - C:\Windows\SysWOW64\Ofkgcobj.exe
        
        C:\Windows\system32\Ofkgcobj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4560
      - C:\Windows\SysWOW64\Omdppiif.exe
        
        C:\Windows\system32\Omdppiif.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Ocohmc32.exe
        
        C:\Windows\system32\Ocohmc32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\SysWOW64\Ofmdio32.exe
        
        C:\Windows\system32\Ofmdio32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\SysWOW64\Oabhfg32.exe
        
        C:\Windows\system32\Oabhfg32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\SysWOW64\Pfoann32.exe
        
        C:\Windows\system32\Pfoann32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\SysWOW64\Pmiikh32.exe
        
        C:\Windows\system32\Pmiikh32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\SysWOW64\Ppgegd32.exe
        
        C:\Windows\system32\Ppgegd32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\SysWOW64\Pfandnla.exe
        
        C:\Windows\system32\Pfandnla.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\SysWOW64\Pnifekmd.exe
        
        C:\Windows\system32\Pnifekmd.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4232
        
        C:\Windows\SysWOW64\Pdenmbkk.exe
        
        C:\Windows\system32\Pdenmbkk.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3436
        
        C:\Windows\SysWOW64\Pmnbfhal.exe
        
        C:\Windows\system32\Pmnbfhal.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Pdhkcb32.exe
        
        C:\Windows\system32\Pdhkcb32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\SysWOW64\Pjbcplpe.exe
        
        C:\Windows\system32\Pjbcplpe.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Windows\SysWOW64\Palklf32.exe
        
        C:\Windows\system32\Palklf32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\SysWOW64\Pfiddm32.exe
        
        C:\Windows\system32\Pfiddm32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\SysWOW64\Pmblagmf.exe
        
        C:\Windows\system32\Pmblagmf.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\SysWOW64\Qhhpop32.exe
        
        C:\Windows\system32\Qhhpop32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3956
        
        C:\Windows\SysWOW64\Qpcecb32.exe
        
        C:\Windows\system32\Qpcecb32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Qjiipk32.exe
        
        C:\Windows\system32\Qjiipk32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4156
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\Qdaniq32.exe
        
        C:\Windows\system32\Qdaniq32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\Afpjel32.exe
        
        C:\Windows\system32\Afpjel32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\Adcjop32.exe
        
        C:\Windows\system32\Adcjop32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4052
        
        C:\Windows\SysWOW64\Aoioli32.exe
        
        C:\Windows\system32\Aoioli32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1372
        
        C:\Windows\SysWOW64\Apjkcadp.exe
        
        C:\Windows\system32\Apjkcadp.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3552
        
        C:\Windows\SysWOW64\Ahaceo32.exe
        
        C:\Windows\system32\Ahaceo32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\Amnlme32.exe
        
        C:\Windows\system32\Amnlme32.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Windows\SysWOW64\Apmhiq32.exe
        
        C:\Windows\system32\Apmhiq32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Aonhghjl.exe
        
        C:\Windows\system32\Aonhghjl.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4956
        
        C:\Windows\SysWOW64\Amqhbe32.exe
        
        C:\Windows\system32\Amqhbe32.exe
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4000
        
        C:\Windows\SysWOW64\Apodoq32.exe
        
        C:\Windows\system32\Apodoq32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Aopemh32.exe
        
        C:\Windows\system32\Aopemh32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4848
        
        C:\Windows\SysWOW64\Aaoaic32.exe
        
        C:\Windows\system32\Aaoaic32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Bdmmeo32.exe
        
        C:\Windows\system32\Bdmmeo32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2692
        
        C:\Windows\SysWOW64\Bgkiaj32.exe
        
        C:\Windows\system32\Bgkiaj32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1920
        
        C:\Windows\SysWOW64\Bmeandma.exe
        
        C:\Windows\system32\Bmeandma.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Bhkfkmmg.exe
        
        C:\Windows\system32\Bhkfkmmg.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3928
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Bmhocd32.exe
        
        C:\Windows\system32\Bmhocd32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Bacjdbch.exe
        
        C:\Windows\system32\Bacjdbch.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4304
        
        C:\Windows\SysWOW64\Bhmbqm32.exe
        
        C:\Windows\system32\Bhmbqm32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4020
        
        C:\Windows\SysWOW64\Bklomh32.exe
        
        C:\Windows\system32\Bklomh32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1548
        
        C:\Windows\SysWOW64\Bddcenpi.exe
        
        C:\Windows\system32\Bddcenpi.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Windows\SysWOW64\Bhpofl32.exe
        
        C:\Windows\system32\Bhpofl32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4832
        
        C:\Windows\SysWOW64\Bahdob32.exe
        
        C:\Windows\system32\Bahdob32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Bdfpkm32.exe
        
        C:\Windows\system32\Bdfpkm32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Bgelgi32.exe
        
        C:\Windows\system32\Bgelgi32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\Bnoddcef.exe
        
        C:\Windows\system32\Bnoddcef.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4532
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3304
        
        C:\Windows\SysWOW64\Cammjakm.exe
        
        C:\Windows\system32\Cammjakm.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:408
        
        C:\Windows\SysWOW64\Chfegk32.exe
        
        C:\Windows\system32\Chfegk32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Coqncejg.exe
        
        C:\Windows\system32\Coqncejg.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2320
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1456
        
        C:\Windows\SysWOW64\Cglbhhga.exe
        
        C:\Windows\system32\Cglbhhga.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3780
        
        C:\Windows\SysWOW64\Caageq32.exe
        
        C:\Windows\system32\Caageq32.exe
        61⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3288
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:728
        
        C:\Windows\SysWOW64\Coegoe32.exe
        
        C:\Windows\system32\Coegoe32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Cacckp32.exe
        
        C:\Windows\system32\Cacckp32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Chnlgjlb.exe
        
        C:\Windows\system32\Chnlgjlb.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3460
        
        C:\Windows\SysWOW64\Cnjdpaki.exe
        
        C:\Windows\system32\Cnjdpaki.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1296
        
        C:\Windows\SysWOW64\Dhphmj32.exe
        
        C:\Windows\system32\Dhphmj32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4244
        
        C:\Windows\SysWOW64\Dgcihgaj.exe
        
        C:\Windows\system32\Dgcihgaj.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:932
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4120
        
        C:\Windows\SysWOW64\Dkqaoe32.exe
        
        C:\Windows\system32\Dkqaoe32.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:1060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 220
        71⤵
        Program crash
        
        PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1060 -ip 1060
1⤵
PID:4388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Adcjop32.exe

Filesize
76KB

MD5
9410401404df0ccc0c27de8223a19187

SHA1
0b653368f084cd89c884b38f755fd802b14d4f42

SHA256
ee1d2e34e2314fe1b8b99645556b701c0b502fff5746ee9b01c171fed0ebce7b

SHA512
222fa63f7b2073a55e527319f4fa8073c387be37075cdf9c7aacdd6a06e12cd8528eac2cc4747a1e98cc62ef694bf9bf5f97e2e2395909502953bb6c9f1854dd

Download Submit
C:\Windows\SysWOW64\Afpjel32.exe

Filesize
76KB

MD5
f20c48a92daaa146dd4717bfb705f6fa

SHA1
4326909d7a50695d15d628f258a175d575fc425d

SHA256
68931a1cf281492b8d300de9667bc3b79208c07361720407c9c5847f226c1cdf

SHA512
df5805c5bd4d6c68d69784f4b9b387890c3bd54ef428d987d4be0357388b31a076a8f5eae768f1e9aefb099ab431afe1b7c29313b15fce0cb89523c1d812b152

Download Submit
C:\Windows\SysWOW64\Ahaceo32.exe

Filesize
76KB

MD5
143d91eab8644db3cc8fb243a6c24072

SHA1
5b2d672742ac425426ecb42c645eb1f0fb46de78

SHA256
f52fe8fc82dcfdb6dc4ead97b2890cd828532441edc34c9f63ebf83619d450aa

SHA512
daf273831849df161adfab4c36d59bd56ccd28749d40f31abda9204342dfcaa419d9d1094808589074ee4cee5841d8d340bc362c08ced3047bc68409e01da02c

Download Submit
C:\Windows\SysWOW64\Amnlme32.exe

Filesize
76KB

MD5
9261ae38cb5637e6ab01359e2f285be2

SHA1
4cfdbfacabdbbfc6dd3a2b3b51887fbae1ae9abb

SHA256
04d41dc5c221cad674da24747e380c5a739f699a5f36e50d298e0642fdf90d7c

SHA512
9b411cb145b704f40d623fd45c6d02c1e791f297cfe78d8070175876adcd13b8f8c983164468cf0fbaa65aeca60f23d75c9ff3fe2607e6df691266a57ce81c54

Download Submit
C:\Windows\SysWOW64\Aoioli32.exe

Filesize
76KB

MD5
a29acbf4ba00cb659c2ea81fbdce5827

SHA1
cd5aec7c3455fd5f1ebeb8efd7d9505c09a0f18a

SHA256
51e57897bb9104c04208ef3f90c18e601045f544f417ffa325ab5e498c6c8d02

SHA512
18a604889a060acb70ff75b49757372e7433a0efa0a74896d762ff879dc7e315da307c39e017a1cb17e83ab74ac311433f19d9394d42b2255db318a6506e1c25

Download Submit
C:\Windows\SysWOW64\Aopemh32.exe

Filesize
76KB

MD5
e58bec530d77264fb579261f36ae74ca

SHA1
e7aeed6c4643d6a4440748276a052bb585ceabde

SHA256
933ab897d63025b8b10f558e833c1b6ecd71680ac5c85cf8a44b523a9effb619

SHA512
87045ff09e372f716e7b528ae81f7068a0a90bc62d8e2bfb3b8c94bf048f64ed6a47303c94f2e542b8d1eb22f27df2ac89cecdf4592de5d669b063baa32ca372

Download Submit
C:\Windows\SysWOW64\Apjkcadp.exe

Filesize
76KB

MD5
d3967120a8faa99e2d37486dc482d180

SHA1
812f9b266ac45f3549346eb8b36204406eaa3e0a

SHA256
a4dd672730ea081b5c03a6a44afe41fa99e510ac4958daa750bee44dd1abe8a9

SHA512
877070a970d23c1b71e9d574e1c1ffb7a9de4b4e82e406375802563302176a30cbb9ee15fb0d47917f7ede437d623be315268ff166b65e9fe4788a0fcb67ec28

Download Submit
C:\Windows\SysWOW64\Apmhiq32.exe

Filesize
76KB

MD5
cddbc5f58ab5a2ffc2d82d64d1290b08

SHA1
718cf899c88bd7cb4c60999782d71b103b9cc60b

SHA256
080fe92208cdd943e8fb7d698597176b166a1f8875de755aeaea8edccaf0a837

SHA512
7a29059b8556b4a17d294a2e40b8882f25a454a20f2aadba22eb2624eff69c9f9b2b89fe272151a41f5d9de0744ab81313dde92c2ad2e501bd34b637c59bf9d5

Download Submit
C:\Windows\SysWOW64\Coqncejg.exe

Filesize
76KB

MD5
5c6f4dae53b9a6f6bfb9d79fcc8f822f

SHA1
13394280f1bf082d5dbff6ff9030865d88a36003

SHA256
73b580a46fa46dd2d3bdb5942b33e925a5685e93b36196cf76095ec185de7598

SHA512
f783d9472e408dd433f240ede71094bf8b5cd5db9ba387667922309b74ff6805183cbf5a36f23f8a772cb802d768a6fb2fc8928cea23b7b1e082edd783d88d45

Download Submit
C:\Windows\SysWOW64\Oabhfg32.exe

Filesize
76KB

MD5
0ba99f28e556d805a7133555b870847b

SHA1
78cf29a10d240d69b1b021eb49b8d67dc154129b

SHA256
ad5e5a3d4506a9aa8560e7327b67cc472dd8ab5fd42cbe00870a016b37f695c3

SHA512
2e25cac1a1594770971d075bb487b7054b03093c7e1e0645db5ae8f6fff294725c946156100d67f4a5593aab847267582e1d22d5f5e330d979cb257f83604aeb

Download Submit
C:\Windows\SysWOW64\Ocohmc32.exe

Filesize
76KB

MD5
1a09f45121f25378f2d9a6f24002516e

SHA1
8cff2be292856ea8d16bfc56f6af5e0b5597c7e8

SHA256
ace1983d5695ccd0fd217350413f6a7fc0a5ffb9f16c890bc8c0265f4cd754d1

SHA512
77a89d2b49186fd8eb7d69ac607ce9d9811307c5917dc3c37fb33696fe1ac2739a9eefa06774aa31f61b8821ebfcec9540b22fc63f02314aabe1af677632af54

Download Submit
C:\Windows\SysWOW64\Ofkgcobj.exe

Filesize
76KB

MD5
4aada7b020a3872861f47d85b8102d7c

SHA1
ea8e19cbd14a57526344f30726043ee6e2fb18cd

SHA256
af5fa37c10d7dff5b286c0d45888505e35b17e21d67d590b9cb804ea369c804a

SHA512
6fd274e52687a12cae45dcc10b900303bad872dbf8b62969c1bef572bb7e80f86e59cda9936e8ad5e2eaf56b778515695827f7fe56147cb5d5ba8d540f0a0099

Download Submit
C:\Windows\SysWOW64\Ofmdio32.exe

Filesize
76KB

MD5
652508d9ed59bc6b146374938570114c

SHA1
b76d803e268a3eae061459d296525407b0a3521b

SHA256
e59ecb75febd458699001cf2f38c15ea5fb9c29e4588514573692d06a1fe172e

SHA512
3afb3c39d83f264e5878559074dafce3aa2e02bb2a2af0504eca08cb1802b9f67d857d62f587ad6f348841b28d6eef48ee062615a751d2d67eb482352baefc55

Download Submit
C:\Windows\SysWOW64\Ogekbb32.exe

Filesize
76KB

MD5
3917cc64d35e6eb192226093d47cc842

SHA1
74bf1d586ab0c37ef8bbe8d5a8cae62f0afde47f

SHA256
22c3d4787d1e9c613dff26d38e44fef9825d74e5456a478d17a3aa837e55981b

SHA512
80e0fdc839359678a31da2389c3c9f161f7f6ed641a5470fd6d5735ac4abf90286400afb34124da0973d3b73b8ba6f029414644dac5b85e4fad14c66972c3e91

Download Submit
C:\Windows\SysWOW64\Ojdgnn32.exe

Filesize
76KB

MD5
e5ca41a84135d4017799a91e69ac978d

SHA1
e9073735af2dc31f134141be24f3a1776ca66ae2

SHA256
004643a89c7ef75a6b0d3580cfce12559d1722219f3ed7eadabc16b67e8d37f6

SHA512
793ea5127338364014a0b3a2ea994fac87d611d484adcb6a155546d8d3ae07c7ada18ae6eabc36993552d0435b8a29ecabf6180d4ad22f81ccc3ca6c794fca74

Download Submit
C:\Windows\SysWOW64\Omdppiif.exe

Filesize
76KB

MD5
a8202e9f0a4f3440803a51f753d47e03

SHA1
69cbffe074c560818f4a87b4ecd2716b39f19531

SHA256
817dfc427bce70a37c1f68bcacfdf4499f6544164ddb291c9ae7abbbef1a4b35

SHA512
fcc188586f0dfa4c56049af27af950509c5e1244bcc76f412dda8797bdc2c6e78f2758eb5bb5335171b29eea415912db56dbe01c0648a8e548395d26af4cd111

Download Submit
C:\Windows\SysWOW64\Opqofe32.exe

Filesize
76KB

MD5
b5f978db05c3197548d0a9c1af801194

SHA1
3ee8255fac6334050331feaeffa9d6284878081f

SHA256
e9c35c2197f224e0b215498b8a72c32b319de53be3abc0df35cb88ca2d2194d0

SHA512
fd2fba32f34aac7b844aa3015bde79227fa44dc7ce2a357da36027149936d98188005d1a25916ae4376e3309e07ea600332b78072229ddff9b83eae88189bbdd

Download Submit
C:\Windows\SysWOW64\Palklf32.exe

Filesize
76KB

MD5
8abc9629579c56520e0386d53e8b24a4

SHA1
d8aea9fe14813d3727b9d2c07c64dceb441b95fa

SHA256
f731352892e7250cc4c048318f4d96fcb2dd002195f26ae04ae242d9f0b3b505

SHA512
c0bd24316550b9aa3dcad6c157f9c99c2a6e63cbb97744d87dc4f01bc87afd90e9d9f715189aa7177cbf0583c9e43284dcd16096f421a242ccb8604ee7580702

Download Submit
C:\Windows\SysWOW64\Pdenmbkk.exe

Filesize
76KB

MD5
40f89d64bc9dfcca1d643dcd92f7f137

SHA1
8f8bd5a98837b0a10ca28ef67298c0bcd265bc69

SHA256
b1a41c1dc4fb15181f51df4e4fd56869e269fad1d60a1316aa398739aed01abc

SHA512
78344351984bac10d575b5cbbb551c4885c945e5e43a81791b6e4a0934554b74249553f649ddc40fb660d6aa58a83860f56bd3926f14f50dbbdcc32c93805e77

Download Submit
C:\Windows\SysWOW64\Pdhkcb32.exe

Filesize
76KB

MD5
52857a41e07436b37086f2027355fc46

SHA1
5d2592a81ba4bffe7482485057d9979e0e9a602b

SHA256
809d88802f65cff0367d0228f51b9c3878b869dc77ae57d794d420c368e7b1c1

SHA512
77f2caa24748cd274eaaeb6af046551a0b1721829813d595d428a7f64867518aeeac8b33feb616743f69f3fb5202c513e54532e371db97608d509ea36180756f

Download Submit
C:\Windows\SysWOW64\Pfandnla.exe

Filesize
76KB

MD5
e91dad3e41a4b8017fb28242fe7bb8a2

SHA1
d8ca36cdda5f8817f0e64a70c29fa14158df0203

SHA256
437fb5d11a4cc7af4c90ed8c962e00af0185de3437c86122031744e5186cdc03

SHA512
5c904b4bbd27c93e28429b7c71b94556c6663d28e2592c5d79e01d33ddb19569cd9bbfaa5314f03df5c2824378e8f6de146a7ac1358776ee7360fdff9882cb7a

Download Submit
C:\Windows\SysWOW64\Pfiddm32.exe

Filesize
76KB

MD5
a0290cf2fc44443ed56bb46645838c68

SHA1
70039672b0c09cbbab984bda37066b49f13b3e62

SHA256
360f1665ebf79dd176e5f6776d23d15f09a86a1c03c27e9deb45142f108260a1

SHA512
e9bebdbd1a870c23dee63553d662b27fa8419aae6be5e0012c24a431bbf72227ce5de58e0486583a993b0c49c1373943bd8214fa4343e6bdd1a8e1ad1d9f8a9d

Download Submit
C:\Windows\SysWOW64\Pfoann32.exe

Filesize
76KB

MD5
9d034671c46bf7eaa0c138b3b2e116f2

SHA1
063f6162197e52904e415dfa73c6df443d0b13df

SHA256
69b7993751c7935cfd07de0c27a6ef7e38acc3acd65178f9be95fffbad1fc20a

SHA512
5341401b2b6a55bf0d71a46fdc9709350082cfdd33ce193345c2500d2cb5f4abfcd12548c2747d771c4b8887e69b73d5534252067e5b846a2729292b2a8d649c

Download Submit
C:\Windows\SysWOW64\Pjbcplpe.exe

Filesize
76KB

MD5
46d7cd73b8481904182d1177e514d15a

SHA1
575e3e5265752c6b2dd44b7fafa301a1b0665d98

SHA256
e677a605460dd85aa599084e98f2ff4b5275ff1577098a77ba3b4e554849dbd4

SHA512
8243821d091a3927bbd4cceb6ac76c04ec2ddd39cfa44fae3664913db2f3e5723641217e0a95883145107adf39b8e38b05ef967a81ed7e71df0b8a273f03f86e

Download Submit
C:\Windows\SysWOW64\Pmblagmf.exe

Filesize
76KB

MD5
2d2eddaa120edee9210c637b3b309c33

SHA1
c4c81f70c7a9e0c8c9b5768a132eb897d36eedf4

SHA256
f0ecafa292b9668a3c46ba77ab1e76ba27cb7a766dcd1d06403c2a5957d9ea42

SHA512
5f79a1af499b1480c43ed64e5f8d61fed0f1d71976acf5446650f88c596079aa727872e6b450e5388bdb4c7c3798b9c46985851e9a57347a147c94d91b76b5b4

Download Submit
C:\Windows\SysWOW64\Pmiikh32.exe

Filesize
76KB

MD5
589427d999d32444ac4d3529573560cb

SHA1
ee524099b5b08065a423c88cacfb2c589dfdeda9

SHA256
bf01740db950e660dae7a94ddd24286bb9ac0dfa9911447074f14248c1b2c804

SHA512
4f21adb5ac66ebc81db979a3cda0fa34531b3a37d1b57510d1ff071a4ff27f9741e0ca09f830e3ba8fafb82793b44aa312af10cb47c881265e13d3c08116e15f

Download Submit
C:\Windows\SysWOW64\Pmnbfhal.exe

Filesize
76KB

MD5
cdc88445aa75db21e6a6414dcdb94e2c

SHA1
79c3749e58c7b291a81754c92996f0787df8c679

SHA256
e472916edbb32ea680306589432ba4fa29001e16247b714df90797efeb76db99

SHA512
1d0f2e086540825e4f64fe1a6ff9b1ab53048d798699503c88e1f4cf04b2bc27aa4c4caa875a6820b1e8ce4d4749d457f1f95d192e5a97874ee95d64e420547a

Download Submit
C:\Windows\SysWOW64\Pnifekmd.exe

Filesize
76KB

MD5
715ff92fcfbe9b87fafdf7b973d500ba

SHA1
521ae6ce67c21d0229101742aeacdee58f167340

SHA256
4d3859668f7a9a77de6c417aff97fb89321ab29cbc1eaf67d8b1700b343c3ca4

SHA512
4092cbf397a900eab81e0281d419ab3c278eaa2b606a3a8f3fab1310787dac0cb9b6af60c109feca7e38792a6a3bcda78b729a63d8f0e95876b855d1b6ea06fb

Download Submit
C:\Windows\SysWOW64\Ppgegd32.exe

Filesize
76KB

MD5
ccf57cb19b17a7dfe54483a7093c1e18

SHA1
2e4ea68b179b867fce714b5a4b9f78e9671fe2b6

SHA256
3d4790dae2ce7e2033b91cb3b4a1274a42bf35f882fa1c810e4a06cf18092549

SHA512
29e77df86c0a750a6e63f996dbc1ec00a42d14bcc139ba6a3fadaab8034377250c49afb6e1a205f085f30c9286bc54bade0ca41d09ca00f5921369434942d3d7

Download Submit
C:\Windows\SysWOW64\Qacameaj.exe

Filesize
76KB

MD5
8af61ad0864510fefcba94a326c0074b

SHA1
0f7eeea823b963de85b83e6bdcf3bcc3a8cea74f

SHA256
cc4c47c811bc65313e1148282b3c73c7f184451b24e3a1e771632682e01337ea

SHA512
5366b05eca134f17de5a8503804e3e431c65f43112067f5458b831e5b9e451e611e7c342fda5c93b66517e9e578191fd00da776cdea4aab3d9a4ccb1ab8b3f6a

Download Submit
C:\Windows\SysWOW64\Qdaniq32.exe

Filesize
76KB

MD5
6f5f3d417147f0baaa66dd7d6deea0ad

SHA1
2f9a91c81d464c708987b8dac5a64f5cd535be68

SHA256
22fa4180e5e05b37851a1d7dca333df0e128cda3172e017798e42cdda774e2ea

SHA512
16c56ed7b14f1c1b4b1992b4b4e09f2d653ea2898254fd28bf4629bb5e677e9b5e89f885c2434d13d2e91dd9f12a70bbd6d28eb6c5f99f83dcd4e336ce72fb67

Download Submit
C:\Windows\SysWOW64\Qhhpop32.exe

Filesize
76KB

MD5
2b6e629805744914ef6a9e408e6724ec

SHA1
373574417bb715f3210fb2a26429083e8540b7cf

SHA256
52487a0a37f43ef870302e1b7b920fcc8bc6a5f8fa1f74e0fbed9f318696dd5d

SHA512
b16513efb1995b05b28daa67d82d6df9f78defc373a761575858bf24b4c7d4263891ea449d8ee6fc41d14cd381ec26950fcd77d86e66942166d0da57b673cd3e

Download Submit
C:\Windows\SysWOW64\Qjiipk32.exe

Filesize
76KB

MD5
b5c2a5daffc68169f77e37331407b324

SHA1
f5f7e7df4beb1bc5ff61918ca2f217b2bdee802c

SHA256
bcfd6a6473802d8c90de338478599d2bc8d70167e32b0d8baec9e5b7a3f58317

SHA512
9af7c4fb960a4f0eee210e36bd6212a8e688d0459b6b0a13ab1edf6e7769e5c43542dc4c437892958e372b9d946eee4300dd048ca19b05ef911319e204b86771

Download Submit
C:\Windows\SysWOW64\Qpcecb32.exe

Filesize
76KB

MD5
f86135640fb4e1572ef53b8748bddcb5

SHA1
595470aa99375004611de9cb0e81aa05be196074

SHA256
9cafbaec4d16f5ca35f575ac9ff40dabda2bf67a40845c8cae059ab825b179ad

SHA512
97350e34b7899806f2cfe30edd0b2a989ecbb4a6eec46a565d80ca5bbb5fe63c1e5e3ccf4ea2d58a002c3c4c5f64ce57d201a77b5823eeae5c6133de67b6aa4f

Download Submit
memory/408-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/408-492-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/720-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/728-487-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/728-431-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/920-502-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/920-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/932-481-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/932-467-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1060-479-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1204-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1284-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1296-483-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1296-455-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1372-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1380-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1456-413-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1456-489-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1548-499-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1548-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1568-381-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1580-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1584-443-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1584-484-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1668-485-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1668-437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1708-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1708-496-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1920-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2000-294-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2016-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2024-209-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2064-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2308-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2320-490-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2320-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2404-253-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2452-145-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2692-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2784-279-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2944-491-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2944-401-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3004-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3004-495-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3056-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3056-498-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3060-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3180-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3196-83-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3224-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3288-429-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3304-493-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3304-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3380-137-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3436-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3460-449-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3460-486-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3476-53-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3552-235-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3600-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3620-121-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3780-488-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3780-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3928-503-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3928-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3956-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4000-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4020-345-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4020-500-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4052-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4120-480-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4120-477-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4156-185-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4232-105-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4244-482-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4244-463-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4280-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4304-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4304-501-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4336-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4468-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4532-494-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4532-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4560-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4564-41-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4580-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4608-5-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/4608-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4832-497-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4832-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4848-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4868-13-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4916-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4916-504-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4956-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5044-333-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads