45bd0fe470847366bdaf2a142406755afb183124291f3987a26183c6aa54542b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2024 21:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45bd0fe470847366bdaf2a142406755afb183124291f3987a26183c6aa54542b.exe
Size

71KB
MD5

f98db1538651c0150ac9b0c4e61725ec
SHA1

81f4d59b6a9a435a775b8981bf52bf12ae051bd6
SHA256

45bd0fe470847366bdaf2a142406755afb183124291f3987a26183c6aa54542b
SHA512

e30e9bc6c429119244ec1918ed47acd832e3c031ad1fa56fcb6865d29483a2dc1f51be4e456d4727f623245b4a874556a76ed33fc67b74a62dd7145e8853ed7a
SSDEEP

1536:tIXbxag9lHqfEi9ZI4yKIVb90jyMRZ3EiDRQUDbEyRCRRRoR4Rk:toxNtg350b96HEiDeSEy032ya

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qceiaa32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	45bd0fe470847366bdaf2a142406755afb183124291f3987a26183c6aa54542b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqfmde32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	45bd0fe470847366bdaf2a142406755afb183124291f3987a26183c6aa54542b.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pmidog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnnlaehj.exe

Executes dropped EXE 64 IoCs

pid	Process
2668	Pfolbmje.exe
4916	Pmidog32.exe
1588	Pgnilpah.exe
4652	Qnhahj32.exe
4976	Qqfmde32.exe
3204	Qceiaa32.exe
3692	Qfcfml32.exe
408	Qnjnnj32.exe
3196	Qddfkd32.exe
3636	Qcgffqei.exe
1820	Anmjcieo.exe
656	Aqkgpedc.exe
3564	Acjclpcf.exe
4616	Afhohlbj.exe
3316	Anogiicl.exe
2520	Aeiofcji.exe
8	Agglboim.exe
2376	Amddjegd.exe
5060	Agjhgngj.exe
4844	Afmhck32.exe
3356	Amgapeea.exe
3884	Aeniabfd.exe
1404	Afoeiklb.exe
3504	Anfmjhmd.exe
5116	Aadifclh.exe
2664	Accfbokl.exe
1620	Bfabnjjp.exe
1044	Bnhjohkb.exe
1200	Bagflcje.exe
2924	Bfdodjhm.exe
4112	Bnkgeg32.exe
4980	Baicac32.exe
1944	Bchomn32.exe
4240	Bffkij32.exe
3340	Bnmcjg32.exe
1440	Balpgb32.exe
4532	Beglgani.exe
2176	Bgehcmmm.exe
2980	Bjddphlq.exe
3552	Bnpppgdj.exe
3664	Banllbdn.exe
4680	Beihma32.exe
1728	Bhhdil32.exe
1776	Bjfaeh32.exe
3780	Bmemac32.exe
572	Bapiabak.exe
4144	Cfmajipb.exe
2248	Cndikf32.exe
1204	Cenahpha.exe
1492	Cjkjpgfi.exe
4472	Cmiflbel.exe
3868	Cfbkeh32.exe
3652	Chagok32.exe
2388	Ceehho32.exe
5080	Chcddk32.exe
2420	Cnnlaehj.exe
2368	Dfiafg32.exe
3224	Djdmffnn.exe
4852	Danecp32.exe
1724	Dobfld32.exe
1480	Delnin32.exe
4940	Ddonekbl.exe
4772	Dmgbnq32.exe
4492	Ddakjkqi.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Blfiei32.dll	45bd0fe470847366bdaf2a142406755afb183124291f3987a26183c6aa54542b.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Kboeke32.dll	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Balpgb32.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Papbpdoi.dll	Qfcfml32.exe
File opened for modification	C:\Windows\SysWOW64\Aqkgpedc.exe	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Qceiaa32.exe	Qqfmde32.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Qcgffqei.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Afmhck32.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Anogiicl.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Qfcfml32.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Ghekgcil.dll	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Banllbdn.exe	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Qnjnnj32.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Agglboim.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Aadifclh.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Qddfkd32.exe	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qnjnnj32.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Qfcfml32.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Bjmjdbam.dll	Pfolbmje.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Qcgffqei.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2768	4620	WerFault.exe	153

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfolbmje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqfmde32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmidog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pgnilpah.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	45bd0fe470847366bdaf2a142406755afb183124291f3987a26183c6aa54542b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kboeke32.dll"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfgfh32.dll"	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Agglboim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	45bd0fe470847366bdaf2a142406755afb183124291f3987a26183c6aa54542b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	45bd0fe470847366bdaf2a142406755afb183124291f3987a26183c6aa54542b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccdlci32.dll"	Pmidog32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	45bd0fe470847366bdaf2a142406755afb183124291f3987a26183c6aa54542b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmjdbam.dll"	Pfolbmje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Pgnilpah.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pgnilpah.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 2668	2476	45bd0fe470847366bdaf2a142406755afb183124291f3987a26183c6aa54542b.exe	83
PID 2476 wrote to memory of 2668	2476	45bd0fe470847366bdaf2a142406755afb183124291f3987a26183c6aa54542b.exe	83
PID 2476 wrote to memory of 2668	2476	45bd0fe470847366bdaf2a142406755afb183124291f3987a26183c6aa54542b.exe	83
PID 2668 wrote to memory of 4916	2668	Pfolbmje.exe	84
PID 2668 wrote to memory of 4916	2668	Pfolbmje.exe	84
PID 2668 wrote to memory of 4916	2668	Pfolbmje.exe	84
PID 4916 wrote to memory of 1588	4916	Pmidog32.exe	85
PID 4916 wrote to memory of 1588	4916	Pmidog32.exe	85
PID 4916 wrote to memory of 1588	4916	Pmidog32.exe	85
PID 1588 wrote to memory of 4652	1588	Pgnilpah.exe	86
PID 1588 wrote to memory of 4652	1588	Pgnilpah.exe	86
PID 1588 wrote to memory of 4652	1588	Pgnilpah.exe	86
PID 4652 wrote to memory of 4976	4652	Qnhahj32.exe	87
PID 4652 wrote to memory of 4976	4652	Qnhahj32.exe	87
PID 4652 wrote to memory of 4976	4652	Qnhahj32.exe	87
PID 4976 wrote to memory of 3204	4976	Qqfmde32.exe	88
PID 4976 wrote to memory of 3204	4976	Qqfmde32.exe	88
PID 4976 wrote to memory of 3204	4976	Qqfmde32.exe	88
PID 3204 wrote to memory of 3692	3204	Qceiaa32.exe	89
PID 3204 wrote to memory of 3692	3204	Qceiaa32.exe	89
PID 3204 wrote to memory of 3692	3204	Qceiaa32.exe	89
PID 3692 wrote to memory of 408	3692	Qfcfml32.exe	90
PID 3692 wrote to memory of 408	3692	Qfcfml32.exe	90
PID 3692 wrote to memory of 408	3692	Qfcfml32.exe	90
PID 408 wrote to memory of 3196	408	Qnjnnj32.exe	91
PID 408 wrote to memory of 3196	408	Qnjnnj32.exe	91
PID 408 wrote to memory of 3196	408	Qnjnnj32.exe	91
PID 3196 wrote to memory of 3636	3196	Qddfkd32.exe	92
PID 3196 wrote to memory of 3636	3196	Qddfkd32.exe	92
PID 3196 wrote to memory of 3636	3196	Qddfkd32.exe	92
PID 3636 wrote to memory of 1820	3636	Qcgffqei.exe	94
PID 3636 wrote to memory of 1820	3636	Qcgffqei.exe	94
PID 3636 wrote to memory of 1820	3636	Qcgffqei.exe	94
PID 1820 wrote to memory of 656	1820	Anmjcieo.exe	95
PID 1820 wrote to memory of 656	1820	Anmjcieo.exe	95
PID 1820 wrote to memory of 656	1820	Anmjcieo.exe	95
PID 656 wrote to memory of 3564	656	Aqkgpedc.exe	96
PID 656 wrote to memory of 3564	656	Aqkgpedc.exe	96
PID 656 wrote to memory of 3564	656	Aqkgpedc.exe	96
PID 3564 wrote to memory of 4616	3564	Acjclpcf.exe	97
PID 3564 wrote to memory of 4616	3564	Acjclpcf.exe	97
PID 3564 wrote to memory of 4616	3564	Acjclpcf.exe	97
PID 4616 wrote to memory of 3316	4616	Afhohlbj.exe	99
PID 4616 wrote to memory of 3316	4616	Afhohlbj.exe	99
PID 4616 wrote to memory of 3316	4616	Afhohlbj.exe	99
PID 3316 wrote to memory of 2520	3316	Anogiicl.exe	100
PID 3316 wrote to memory of 2520	3316	Anogiicl.exe	100
PID 3316 wrote to memory of 2520	3316	Anogiicl.exe	100
PID 2520 wrote to memory of 8	2520	Aeiofcji.exe	102
PID 2520 wrote to memory of 8	2520	Aeiofcji.exe	102
PID 2520 wrote to memory of 8	2520	Aeiofcji.exe	102
PID 8 wrote to memory of 2376	8	Agglboim.exe	103
PID 8 wrote to memory of 2376	8	Agglboim.exe	103
PID 8 wrote to memory of 2376	8	Agglboim.exe	103
PID 2376 wrote to memory of 5060	2376	Amddjegd.exe	104
PID 2376 wrote to memory of 5060	2376	Amddjegd.exe	104
PID 2376 wrote to memory of 5060	2376	Amddjegd.exe	104
PID 5060 wrote to memory of 4844	5060	Agjhgngj.exe	105
PID 5060 wrote to memory of 4844	5060	Agjhgngj.exe	105
PID 5060 wrote to memory of 4844	5060	Agjhgngj.exe	105
PID 4844 wrote to memory of 3356	4844	Afmhck32.exe	106
PID 4844 wrote to memory of 3356	4844	Afmhck32.exe	106
PID 4844 wrote to memory of 3356	4844	Afmhck32.exe	106
PID 3356 wrote to memory of 3884	3356	Amgapeea.exe	107

C:\Users\Admin\AppData\Local\Temp\45bd0fe470847366bdaf2a142406755afb183124291f3987a26183c6aa54542b.exe
"C:\Users\Admin\AppData\Local\Temp\45bd0fe470847366bdaf2a142406755afb183124291f3987a26183c6aa54542b.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\SysWOW64\Pfolbmje.exe
  C:\Windows\system32\Pfolbmje.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Windows\SysWOW64\Pmidog32.exe
    C:\Windows\system32\Pmidog32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4916
  - - C:\Windows\SysWOW64\Pgnilpah.exe
      C:\Windows\system32\Pgnilpah.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1588
    - - C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4652
      - C:\Windows\SysWOW64\Qqfmde32.exe
        
        C:\Windows\system32\Qqfmde32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4976
        
        C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\SysWOW64\Qcgffqei.exe
        
        C:\Windows\system32\Qcgffqei.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3636
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:656
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3564
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3316
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3356
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3884
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3504
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5116
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2664
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1620
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1200
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2924
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4112
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4980
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4240
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3340
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4532
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3552
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4680
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1728
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3780
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:572
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4144
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2248
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1204
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4472
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3868
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3652
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3224
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4852
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4772
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        66⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3268
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3312
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:4620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 408
        70⤵
        Program crash
        
        PID:2768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4620 -ip 4620
1⤵
PID:3824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
71KB

MD5
8507ecbd2d1bd789edb8aee271b3dd05

SHA1
52f9d62f665a95282cfb6793d0fca087c187c8db

SHA256
0025cc190fa6e6d5c6076cbb29146190663c1a96ccb8d75e7be68721ace1db98

SHA512
b892ebdaddb6129379c1db53ba8aed9925de79eb4ef4c6fdc2605cde9ac1326ff73927271a46cabe5af9a6149259dc6607970f707b6508b09e8c47aa4673f446

Download Submit
C:\Windows\SysWOW64\Accfbokl.exe

Filesize
71KB

MD5
6e2d86120aeec28e0b1583edfbe5f9da

SHA1
146071bf0127fa3f83ff98234ab9e5b24d3963e2

SHA256
f712bb757708804d062bd50e5dd429dd22c52759bbda6a04667ea4503a38119c

SHA512
83e50aae8f8a0a27d24031a7193d14720dce3da583c6847a5333430193c60d21792bad75085a3734b7189d7319c907a1c8105369801924b904536c1494161fcf

Download Submit
C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
71KB

MD5
db1277d4ca69a3020c8343d242bdd717

SHA1
9d8e950e4b9c84cb83ac04dc809142505d07a64d

SHA256
ff0bc4359494f8baf61bd0f67e66a908c7da1f601572eb0caa6c1f212601b22f

SHA512
3a62a2d01cb820ce818b565f0710da61a114875af247c2f9666d2631301e9286a42458a9914dfcdb112f72140817ce7f0fd4c9941de7a3f9f58bd873c191d4c7

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
71KB

MD5
0ce40218dc3f6f589a9b7b53d6877928

SHA1
0674251bf1bd6a41f8ed3d9934f00d13c1899e0f

SHA256
fa9c1c38272e059a1d66386afa8eee1923508513808f45ff96060316d26890e7

SHA512
9305ff64e4857708cb5d6d73c009af396adc04ac0e9827f374e62b9b6fdfe77d35c4605d41044fd1a1208e42b26325f437816e813de8646b2c237e91e1dbe664

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
71KB

MD5
725d0bd9fb14f9ece19457feb9f88fb3

SHA1
2d364d2c61b3b8646b5c1c4a628895ffecac9d89

SHA256
afaf220bc3fa5a7d99374412ad84a7c90ea5e28aa59e956220d5e4a25c8ee32f

SHA512
5cd39e31b47063ff1a3216804aacd3f40bcd682d33920e185a07705c0bd7ce7b19ef0109c61cfd2cedfa3253257085c39bc01b9f0e6b699fe3de07008b8132cd

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
71KB

MD5
9c67896c15282309f6b62e900f13a5a1

SHA1
b11846a37da8c9c50be88572a35574f034deaafc

SHA256
6e28e92770e255f9221442bdb6d2e592a29cbf21947504284d29f1495202d6ee

SHA512
5160c0b855b51a4eb8b4e33b48aafa57665a0db94e9d91e8c2a75011a6ad8dd21449e75b68ab77f4f000a30cb8401daa6c47a22d3993df8af097502f0d0163c3

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
71KB

MD5
1d3da58c8210000b3df92f0949682787

SHA1
e6f724b888b6eae8433efc80afb788b0ac4949bb

SHA256
9090af5ef5fca874cf86d2983ecda01e4a2c82a59116aefd9760792d6d36c979

SHA512
161c21f2ce00c833e3ead80ddd26a2a8c457df382e9783ddbb85f50a0a8021785e3f10755c4084cbebd8db197df37eeceec650fef06531c16839dc4c08e1d4e5

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
71KB

MD5
4434feb378c9c6804c5df21d1346d5a6

SHA1
1d25fbdb9648a6e88f30ce08ffe76eec859192f0

SHA256
782790fa02032227f3a3a9757c7a83391dc65f6c12c620fd7eaf29ba4de4bd0b

SHA512
fb1b131f231458942b5d42a0f7690050b79e6ba65abf8da178cc9108783ffc1b01a408114cbe8e64e1a91ff6e2587450e4dc71b5b7f71443a11e2b3cc27411f1

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
71KB

MD5
d3965ab9c7d865bacc113ecd1c577cd4

SHA1
fa0931ddcac73131e9a22c9b9c9fd22fe7b42372

SHA256
31db05e4fc41fe3481a8c607c3d047dc132521c546597f7a177728be6044ad28

SHA512
5e43369a8e29ef5ffaf1f04b307965ca241217ed7445f7334a7d9330d4468cc026156b1121b735ef0cf7823c27e077d401dec88979f138639b85e7971a4f98ce

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
71KB

MD5
c5baee944cdc170692dfd81889ba9174

SHA1
48315df1fa4d83f9f32c9ac8b6d242d0f6f1cb04

SHA256
570196ca02f8785d52e1ef740ff5d973273cdede282c0b2e690bf25a1c29c645

SHA512
ecb12f6e6755ede18be65b616151ddf53a23f1aaf2c8fd331ef547d521ad7ba528a5f8306eff15945c47baae7be3ec1be84d69cb940debc2d4d4885ef74c32a3

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
71KB

MD5
fdbca7a9db7c96e1ba2bea157bc7533a

SHA1
32599193d82395fb890e41dc9ef5e15406f9ed1a

SHA256
b4395514ddb7c79784841644b93448d5d6344b4db7e34782000f30bf206d982c

SHA512
4e0eb96941041f0ec4f16494411b50f8a901f33f4c9df069c85eb5c946bc5422e6d53bc302b8972fd71957efbfbff927519a54f10bb53ec87415c0de225c3c9d

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
71KB

MD5
813bcc86ab4140f845f0a62f2b0bcc28

SHA1
f408534d039e32d885683b0d3e533fb4e5fb9d6c

SHA256
4c16474f08061c7abe0a026f59cf9c555f89fe290494f66e6d420649d4a2c27e

SHA512
01540e0e1f38601ce6a3f731eb74dcbc13020e5689e807d4ffcc131d8449d651b18e602c56581d297e710dcc4feae3dd7d52b58e7cfb5bc98c544409d03a3140

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
71KB

MD5
a4cb654af1a65ac42fce9bb5afe5fd1b

SHA1
8b5f4311150c1b3e34fbea8d391461ec5acd5065

SHA256
89f3ca20e369ee1ebc526187b3d2dab5646fcb2a2ee61ba58cda11776b7ba0f0

SHA512
cc7500f44c76bb0fb5ad3f81979d70237a6322526502105fe79c0e487e1a367d540a84a82d5d2637dd02b952a17ab7b98dde4c762541aee3b6003d12b07cb5ae

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
71KB

MD5
a7f7724b1f32394acba0c28f2f07e336

SHA1
259e0c051d79ad1922569cb174b5fba691ad865c

SHA256
4ccb9e5f911d776a5f9d561dd465575ca5ad57992b00e980e06ca233cbe7a27f

SHA512
346a736d953a481ed1447378c9605031647c6088a3b5b62c77e9ca2473c032f13d4483d09ca845e81d0f5fb5a6747ca2e2ff781d4a4f9794d7f9f06d39b34fc5

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
71KB

MD5
73f9b99ee77dd4da6a366a866bc267ac

SHA1
cb5b7fcab036bb3b9e6b8055daea402f8484ff69

SHA256
bcad57adcdef9db1c4bc726201ef60b04074978f52adeb1922ea2a63474e558d

SHA512
1024685b43528bd869316521db8432067c110dbe1527b209b742a343fb15799ae8ad0346f2e2db5adecd58e5760246b20cce07567e7862ed001b902d968089a6

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
71KB

MD5
3d431652638b5ceaef412a4a208c61bb

SHA1
e87d7cbba75d0727402f1257cd52ea93cfdb228b

SHA256
33651702896e182133d1b6ece867fb36214d42eaeaa31bceb10f500d4acd66f6

SHA512
052c3b9ff4314082b0999ad020eede7725fb364a3ebe24ec015f70abb3f23143dd2ef1e8b89567180a63ea7979be0dc62eeaef07e529011da6cc7565b82cd7d8

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
71KB

MD5
fccb229e945095ab33c4d36f970ba731

SHA1
c3fd46662aee0c028738958edc036d8134f9f33c

SHA256
87d91816467c435fa882bab3a787844a75bf237b04055dd9b3014253628dc469

SHA512
70976393be03dbf3ba80309ccc56fcb012fdb3b910f5659f71715940a54c57e5cd4d23ac21493ecd113e6d33e749e9113d4aa89d47741123b7947090b1a9ed87

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
71KB

MD5
f2dae0d0e275418f23e19485e38b09b5

SHA1
9d037510c1a9233502e4e73db14a236eab5ed844

SHA256
b5eb0f74257ff12e63cd9d0d99936fa15ca036081208545da61921770b9aac9f

SHA512
194cf9b3aeaa37b4a69140a9a3ceaef2063c8ab463cffaf5a77f2ffd8da0c1b88a4a60e52b4891e3aa87ef02caa3fa14f2baa9e820ad8a2bce33f3ccc182dbe3

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
71KB

MD5
40dec9bbe6b7bc295ae88c584e48b7b5

SHA1
b23932f46ba00e11be503d2605868000108df2cd

SHA256
5b492182616858315358017060ca6b6cc29ed461608761a6a290f3de965cef82

SHA512
cf41f99e3f4ebea186a045cc4a9bb933f1913d7140f82cdd4268cf9a5d43e4a60ff29903cd5d67ba0fbe89434d78d52204938963f9d2a7288e3233753dde855f

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
71KB

MD5
91d8a29f1f5554cf7257a41df1a6b031

SHA1
90e3302c9195acfa7f98c5d909b44c5a25bd09d6

SHA256
d46b1d17b39288b0a67d04b183bca997bad5d8b93bdaa187b9454dc4f211e8e5

SHA512
b046975c6fb85fdddb5721a133e6fc3111235d920ae118d8293c3dd3a08b236348bffc7807701396023b4644afcadbce4f5040f8f8799d3059d547b7a53cc5c0

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
71KB

MD5
78dfa1b48f25a6365e265137aa34fb96

SHA1
7e7c119044f25a2888a427db8ec24d31053d254d

SHA256
d222c7affa11779821c52e2376977c3bac9180d8522aa8ed8fa32efcc48696b8

SHA512
7d874c982ffb7ea03e8901573763fc8fc38133145cd144207d73592ec54f1ae2a6e9a16ff82c798227577af23a8ed1906ab5431594dabc8bfe10cf44863afd19

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
71KB

MD5
61100c0979220901a12ad1bd4035006d

SHA1
052adea0fd154ab7cd885bf2f9226e73015bc447

SHA256
e483f302eaaaa198092bb3e90ead80e79eb8ec9f18bd21bff085d9c9638d974b

SHA512
2b20cc89e4e34561fdbc2b47e0f3e67f8965c90d6bfcd205b7555d43297054bd8d9be561a60eb7f6ff08a3f864ca111e6245a7176ea6ee98ff0b1aba1cfc30b9

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
71KB

MD5
6f83cdf55abba451a45bcfb11d46721d

SHA1
52bb19880f8b61bca65bb3053e7b103ae3ab5512

SHA256
6310aaa07fd6693ea40793889898873a03f586b5506d71adc8c218cdc25b39e4

SHA512
08620d3234123fbf4b9633cc8168a8300afb175ba0aa1b98372faac91f41685004cfba15deb244ae05b944429f491fb2e295bfdc62b057432cdf1244cbbe0556

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
71KB

MD5
ae993b59a78b3df168ddff3edf1ee737

SHA1
6f2fedd40402c7c43abf936057657d8e6100b05a

SHA256
954a03f6527eda0fa65637a4b3e9babe421a241335f80efd4ff79f1d05694594

SHA512
935994dc13b1fe82ed626d40158ce7557a6b86d0ba4ec58d8b418a1411e013c24836d58329644552223272a97a1f1040dd9dd60daacec1f0dc20938bff6ff82f

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
71KB

MD5
381df8eb25ab3a46eee94a2854c82050

SHA1
321eabde69e37924ace416e692eda193754a0803

SHA256
4a8533c379c971dd55db8660eaa6eeda1bbee838897ac5179737ad8474a49f7e

SHA512
861d0e9bea3dc81e7cc3fab4b49f4cff550733a2e0971c3705d9aee6cf49b94495f6f811bcc3cdedb3282e61dbe8b1339c1ba759c021fb6bde53b2450c9598ba

Download Submit
C:\Windows\SysWOW64\Dogogcpo.exe

Filesize
71KB

MD5
4b119381da0c828735acc6982c90b8b4

SHA1
9d08d15df001019d469d292ee2226eb505ac6e88

SHA256
96e52b3e09ef0a6be4111ec70252577c93d17160c9aefa10c5c19688d6631488

SHA512
740e2baa4e2c874ac7800774fcb4916bae9cc4673a0a4fd49f3c83ebab740029f4bf075ca1288358d76cd1f0583ed209bc07452de1a662db8ab87e2a2793919c

Download Submit
C:\Windows\SysWOW64\Lqnjfo32.dll

Filesize
7KB

MD5
978a7617b99ebe71cd1675a663ba98f8

SHA1
b3174b53508dd48d2bc93cb79587cabed6344441

SHA256
49a21f9a6e401c8c6038428f8b0362f3c5b3c8b09e9e542a52f9de6177ed53ee

SHA512
f01a0fa30c0f3454e6c0157f910905ff1eddcbc5019eff3424c9ab2f210f813fa65649c3dd1f70a565e9c86be0c9faaeaaaf6ee965f1a2d6962a5b2c643c7337

Download Submit
C:\Windows\SysWOW64\Pfolbmje.exe

Filesize
71KB

MD5
76d26093aa2cf1a8572e853f73cafb52

SHA1
4ff60b0308a7df1787d6f2519b65f34fcaaced02

SHA256
3decec8bba12212b124de2bc9a293b48c28bef55580a8eba4a202834bb896479

SHA512
28a2cd13edba572d1bae9a54b9922fe050e983018ec6afc9eeb97e563cdaac5dc4ad1039d03b75a5ed2d66a4eb7d139bfeb9acdacf7b48e9373234326f290a25

Download Submit
C:\Windows\SysWOW64\Pgnilpah.exe

Filesize
71KB

MD5
f246006fed0c6c5cf33ad613b6199447

SHA1
ccdda67a9c749c9d9d9525bcfa7199512f76795d

SHA256
682b4616494765f5223f92370f0ea4f8a499bee80ceb85b1fac64d13e3310507

SHA512
ed8e0227d5dc240cac64247e4894abba2614e11946af205a7e02a227e42da05c95f20288fbf030b44619a73a2cd24c00b0039f9d2a01894791a0600f2878901d

Download Submit
C:\Windows\SysWOW64\Pmidog32.exe

Filesize
71KB

MD5
b5ac6f6afda413f8f2a04afcd2cd52fb

SHA1
ca989bae9d6a4a481cfc67421c06bbaf8fdc6928

SHA256
eb21976e0a0d5a68f59e0d38307e01fc1353278bd1362cef2cb1b7bf7828ae43

SHA512
bed8748f4a29d9cacea97a41aba8409e98ece163559a9f893e3af5a0f5d96465cf476d9ed3d6de59316cfc3b7c51650c534bd827dc5ac02c42f6b0009ba6100f

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
71KB

MD5
ca305799e1874eb2e5b1c6c5e5da715a

SHA1
cb24a9cb118b97a7d62792a25a39a8fcc9540741

SHA256
f46db1770f2ae931225ff228f3033be35283b04ded89f19d845d8c7d227c2534

SHA512
68216951c45a2f89d77d87d919e3c1ddb531f7a5fae9aa26786f8c83ded7d7f18f4c5c08ffce2ce7e1c7686c2f9822336040bbc623528d870f6db2b2337b520e

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
71KB

MD5
518c566b540eb4d0ba5d751f02a1dfdf

SHA1
30c6a0336a0ed5902799f95b78eddef00bba0aee

SHA256
74b4e3898ebc681dd11c802cafe6f8f95dec139de7641689173980cd72247ffd

SHA512
0e27b18b0305a3f27899ca106ea612f6e74cc348c2e359951827ebbc1377c88ec0603e296eab1310b0faf2eec9f4f736804a3ae03c44186f1a8482f974a905ef

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
71KB

MD5
952f1cda9ce91ce89e80b028857f4fbb

SHA1
49c70e0cf66c0e3bd3c218d66834b4a906b501bf

SHA256
3c414d02c70478959147a12643b6cffb2e3b5aecf763a6eb91969e2dc6849429

SHA512
885feb6075142f74ee80b2ac1ab255df01b5a97194bde6a08494c76cfc1718f369179a66ae0cc7514ec223ab9b8b86dd5679232e3ebc4ede82300806fc4dc336

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
71KB

MD5
d25d66f467a7a8724eb74da375b09197

SHA1
3c513b6b6874e395fb349ed32a99bdddeb0537b8

SHA256
2367204e384877613fc716721f6a46654043016b91f985434bb3bdb4ef340dc9

SHA512
0050da59708171588bb528b11346c1f80bb76231a1ba254a3c4e0f2e5df1f54199f93dbc4835c079d55df540ca994fa108294ad0b9342ea9c986d057cccc9955

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
71KB

MD5
c7e62362d6a2538276d483a5f1c19ecb

SHA1
5586cf445f7ce5b4f98a1d2cdda31607d41492f4

SHA256
a35f7405fe34c6d8993c5fc41c318bd7bc7bb2ffa8f9788f1db0f96de7aebf8a

SHA512
ad756328d673e93e78287fd0752d368a8cd41e73bc337189b4afc49ce0e42a3da32682400f9c1333b7c0173a93dcc54a7432e8947b33ed06d85dc2817ffcbc34

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
71KB

MD5
be9ca6b2272b4fc9f5bcd9f315465869

SHA1
9993c3e45146db7d8a7edbcf2fe52e11915e4fb6

SHA256
9d45ce42c375f17e15a3ddd9b2eb693fbf5f81b8518e147166504f3942a4e58c

SHA512
5c8e32ce970bcab3e8d520fa49ea96c81bd1067b25a7ab1e9c5008ec6b55b1860efc2357dd81d9a13d2481477edba91f0e327570a02863199ec21fecb9add27c

Download Submit
C:\Windows\SysWOW64\Qqfmde32.exe

Filesize
71KB

MD5
d7e096fe44327c01d8360766016fdab6

SHA1
7c6c124bcef409e875ddbe70dbb008d8991f60fc

SHA256
18504f36df5243e4c1e1b84ac0235ef4910163c120d30649a72f0ed81815e0f3

SHA512
85cbfcbb96c985d68128eab0135b66e8594312727d447789a9c77864a1c79aac770538ad84e95b0b71db3c5f3929641fa5240db1de467a15a3170958fd52df7a

Download Submit
memory/8-135-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/408-64-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/572-340-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/572-494-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/656-95-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1044-227-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1200-232-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1204-491-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1204-358-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1404-188-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1440-284-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1480-430-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1492-364-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1492-490-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1560-476-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1560-454-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1588-23-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1620-220-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1724-424-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1724-480-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1728-326-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1728-496-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1776-328-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1776-495-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1820-87-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1944-262-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2176-296-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2248-352-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2248-492-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2368-406-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2368-483-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2376-143-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2388-388-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2388-486-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2420-400-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2420-484-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2476-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2520-127-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2664-207-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2668-8-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2924-239-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2980-302-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3196-72-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3204-48-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3224-482-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3224-412-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3268-460-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3268-475-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3312-466-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3312-473-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3316-120-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3340-274-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3340-499-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3356-172-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3504-192-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3552-308-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3564-104-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3636-80-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3652-487-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3652-382-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3664-314-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3692-56-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3780-338-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3868-376-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3868-488-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3884-175-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4112-248-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4144-493-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4144-346-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4240-272-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4472-489-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4472-370-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4492-477-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4492-448-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4532-498-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4532-290-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4616-116-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4620-474-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4620-472-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4652-32-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4680-497-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4680-316-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4772-442-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4772-478-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4844-160-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4852-481-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4852-418-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4916-15-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4940-479-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4940-436-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4976-40-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4980-256-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5060-152-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5080-485-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5080-394-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5116-199-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads