83f0dd794a04acfa86c9ce99f0c03b992bd5629865da6f89721ac616a13dc49f

Analysis

max time kernel
103s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6f283a74df868247da43c6d0a7ce6a0N.exe
Size

512KB
MD5

f6f283a74df868247da43c6d0a7ce6a0
SHA1

260cb519f4010befac8b4dab9da3adfa7d86bf10
SHA256

83f0dd794a04acfa86c9ce99f0c03b992bd5629865da6f89721ac616a13dc49f
SHA512

9d6e50584fd88f13eb36c9fc91d2bab554321e78973646d6008f7e0f5a911b84cbafe67a1ddfa10bb3fd7270e6dfc509e856d2d989d32c65cea380515b9f157b
SSDEEP

6144:CYni853XBpnTfwNPbAvjDAcXxxXfY09cnEWPDZ:CYiQBpnchWcZ

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f6f283a74df868247da43c6d0a7ce6a0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	f6f283a74df868247da43c6d0a7ce6a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe

Executes dropped EXE 60 IoCs

pid	Process
4432	Bjokdipf.exe
4380	Bmngqdpj.exe
3456	Baicac32.exe
4788	Bchomn32.exe
2228	Bgcknmop.exe
2400	Bnmcjg32.exe
2308	Beglgani.exe
4240	Bcjlcn32.exe
3120	Bjddphlq.exe
856	Bmbplc32.exe
1916	Bjfaeh32.exe
1120	Bmemac32.exe
2296	Bcoenmao.exe
1820	Cjinkg32.exe
2508	Cabfga32.exe
1012	Chmndlge.exe
1876	Cfpnph32.exe
3216	Caebma32.exe
1580	Cjmgfgdf.exe
4300	Cmlcbbcj.exe
3824	Cagobalc.exe
3148	Cdfkolkf.exe
2244	Chagok32.exe
3232	Cfdhkhjj.exe
2144	Cjpckf32.exe
4352	Cnkplejl.exe
1864	Cajlhqjp.exe
4928	Ceehho32.exe
1268	Cdhhdlid.exe
4992	Chcddk32.exe
4008	Cjbpaf32.exe
536	Cnnlaehj.exe
2152	Cmqmma32.exe
1068	Calhnpgn.exe
2240	Cegdnopg.exe
1064	Dhfajjoj.exe
1656	Dfiafg32.exe
1484	Dopigd32.exe
3732	Dmcibama.exe
5068	Dejacond.exe
3092	Ddmaok32.exe
4372	Dhhnpjmh.exe
3304	Dfknkg32.exe
4580	Dobfld32.exe
4944	Dmefhako.exe
4516	Daqbip32.exe
1460	Delnin32.exe
3312	Ddonekbl.exe
4492	Dhkjej32.exe
1388	Dfnjafap.exe
4404	Dodbbdbb.exe
1584	Dmgbnq32.exe
3600	Daconoae.exe
2620	Deokon32.exe
996	Dhmgki32.exe
3316	Dfpgffpm.exe
2768	Dkkcge32.exe
1300	Dmjocp32.exe
3156	Doilmc32.exe
1528	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Baicac32.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	f6f283a74df868247da43c6d0a7ce6a0N.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cegdnopg.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1672	1528	WerFault.exe	148

System Location Discovery: System Language Discovery 1 TTPs 61 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6f283a74df868247da43c6d0a7ce6a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	f6f283a74df868247da43c6d0a7ce6a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	f6f283a74df868247da43c6d0a7ce6a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	f6f283a74df868247da43c6d0a7ce6a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 4432	1072	f6f283a74df868247da43c6d0a7ce6a0N.exe	86
PID 1072 wrote to memory of 4432	1072	f6f283a74df868247da43c6d0a7ce6a0N.exe	86
PID 1072 wrote to memory of 4432	1072	f6f283a74df868247da43c6d0a7ce6a0N.exe	86
PID 4432 wrote to memory of 4380	4432	Bjokdipf.exe	87
PID 4432 wrote to memory of 4380	4432	Bjokdipf.exe	87
PID 4432 wrote to memory of 4380	4432	Bjokdipf.exe	87
PID 4380 wrote to memory of 3456	4380	Bmngqdpj.exe	88
PID 4380 wrote to memory of 3456	4380	Bmngqdpj.exe	88
PID 4380 wrote to memory of 3456	4380	Bmngqdpj.exe	88
PID 3456 wrote to memory of 4788	3456	Baicac32.exe	89
PID 3456 wrote to memory of 4788	3456	Baicac32.exe	89
PID 3456 wrote to memory of 4788	3456	Baicac32.exe	89
PID 4788 wrote to memory of 2228	4788	Bchomn32.exe	90
PID 4788 wrote to memory of 2228	4788	Bchomn32.exe	90
PID 4788 wrote to memory of 2228	4788	Bchomn32.exe	90
PID 2228 wrote to memory of 2400	2228	Bgcknmop.exe	91
PID 2228 wrote to memory of 2400	2228	Bgcknmop.exe	91
PID 2228 wrote to memory of 2400	2228	Bgcknmop.exe	91
PID 2400 wrote to memory of 2308	2400	Bnmcjg32.exe	92
PID 2400 wrote to memory of 2308	2400	Bnmcjg32.exe	92
PID 2400 wrote to memory of 2308	2400	Bnmcjg32.exe	92
PID 2308 wrote to memory of 4240	2308	Beglgani.exe	93
PID 2308 wrote to memory of 4240	2308	Beglgani.exe	93
PID 2308 wrote to memory of 4240	2308	Beglgani.exe	93
PID 4240 wrote to memory of 3120	4240	Bcjlcn32.exe	94
PID 4240 wrote to memory of 3120	4240	Bcjlcn32.exe	94
PID 4240 wrote to memory of 3120	4240	Bcjlcn32.exe	94
PID 3120 wrote to memory of 856	3120	Bjddphlq.exe	96
PID 3120 wrote to memory of 856	3120	Bjddphlq.exe	96
PID 3120 wrote to memory of 856	3120	Bjddphlq.exe	96
PID 856 wrote to memory of 1916	856	Bmbplc32.exe	98
PID 856 wrote to memory of 1916	856	Bmbplc32.exe	98
PID 856 wrote to memory of 1916	856	Bmbplc32.exe	98
PID 1916 wrote to memory of 1120	1916	Bjfaeh32.exe	99
PID 1916 wrote to memory of 1120	1916	Bjfaeh32.exe	99
PID 1916 wrote to memory of 1120	1916	Bjfaeh32.exe	99
PID 1120 wrote to memory of 2296	1120	Bmemac32.exe	101
PID 1120 wrote to memory of 2296	1120	Bmemac32.exe	101
PID 1120 wrote to memory of 2296	1120	Bmemac32.exe	101
PID 2296 wrote to memory of 1820	2296	Bcoenmao.exe	102
PID 2296 wrote to memory of 1820	2296	Bcoenmao.exe	102
PID 2296 wrote to memory of 1820	2296	Bcoenmao.exe	102
PID 1820 wrote to memory of 2508	1820	Cjinkg32.exe	103
PID 1820 wrote to memory of 2508	1820	Cjinkg32.exe	103
PID 1820 wrote to memory of 2508	1820	Cjinkg32.exe	103
PID 2508 wrote to memory of 1012	2508	Cabfga32.exe	104
PID 2508 wrote to memory of 1012	2508	Cabfga32.exe	104
PID 2508 wrote to memory of 1012	2508	Cabfga32.exe	104
PID 1012 wrote to memory of 1876	1012	Chmndlge.exe	105
PID 1012 wrote to memory of 1876	1012	Chmndlge.exe	105
PID 1012 wrote to memory of 1876	1012	Chmndlge.exe	105
PID 1876 wrote to memory of 3216	1876	Cfpnph32.exe	106
PID 1876 wrote to memory of 3216	1876	Cfpnph32.exe	106
PID 1876 wrote to memory of 3216	1876	Cfpnph32.exe	106
PID 3216 wrote to memory of 1580	3216	Caebma32.exe	107
PID 3216 wrote to memory of 1580	3216	Caebma32.exe	107
PID 3216 wrote to memory of 1580	3216	Caebma32.exe	107
PID 1580 wrote to memory of 4300	1580	Cjmgfgdf.exe	108
PID 1580 wrote to memory of 4300	1580	Cjmgfgdf.exe	108
PID 1580 wrote to memory of 4300	1580	Cjmgfgdf.exe	108
PID 4300 wrote to memory of 3824	4300	Cmlcbbcj.exe	109
PID 4300 wrote to memory of 3824	4300	Cmlcbbcj.exe	109
PID 4300 wrote to memory of 3824	4300	Cmlcbbcj.exe	109
PID 3824 wrote to memory of 3148	3824	Cagobalc.exe	110

C:\Users\Admin\AppData\Local\Temp\f6f283a74df868247da43c6d0a7ce6a0N.exe
"C:\Users\Admin\AppData\Local\Temp\f6f283a74df868247da43c6d0a7ce6a0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Windows\SysWOW64\Bjokdipf.exe
  C:\Windows\system32\Bjokdipf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4432
- - C:\Windows\SysWOW64\Bmngqdpj.exe
    C:\Windows\system32\Bmngqdpj.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4380
  - - C:\Windows\SysWOW64\Baicac32.exe
      C:\Windows\system32\Baicac32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3456
    - - C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4788
      - C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4240
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3120
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4300
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3824
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2244
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1268
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4992
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1068
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2240
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3732
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5068
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3092
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4372
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3304
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4580
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4516
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1388
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2620
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:996
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3316
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1300
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3156
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1528
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 396
        62⤵
        Program crash
        
        PID:1672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1528 -ip 1528
1⤵
PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Baicac32.exe

Filesize
512KB

MD5
966adbea9df12015fe5f20e1fbf72df0

SHA1
25f4b64b4a9c07d736bd5243a93e9515abcdf90a

SHA256
e3fd605869e7e9cc5853d12b68fc9084800a72d2c25c5132110cf393dd2343f5

SHA512
a950b4104a287bfd3f5f65ce0738f12f26ec13a345c00c2e5c95a0b5e348f9c4f7e606c40572865256bee0642d988301776751f19df7740d3d692bb210292f31

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
512KB

MD5
792c73042b219c3ce6907900a19102dc

SHA1
93014641d45245d52c99b3823218f5b996497b36

SHA256
443a7acf708dfc7e7744c044d95e7c67bd7ef2d39746e2c77798b2a3cccb3033

SHA512
d395fbed5d52f2ef45c7cae96e416a2d8025673dee2572bc8747e62295fc75a77415d538ed109b6b1abac20c895b92b7bd1a8676db1241c9348f5f5260053a5c

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
512KB

MD5
881eabdbd71adf3b8ddf57196f01353e

SHA1
5d476a36f7abe5e31583207ef64a894cfa520dc9

SHA256
7fb970f8bbf24b066eeaeb18d02c4d4e99bff2187e44623058cd43d6c4d2f8cb

SHA512
1feae0c6618dcbba84528c19058dbc44a2489f1e6c7541dca52acd73c98027497f87514bf099c6486b6318fd810b1d1fbf3e8f4cb4995698400f94ac8d3e02f4

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
512KB

MD5
bbe5ff746d4aa1b376ffe29dbccd1499

SHA1
67a0f1763ad74515acdef1b1387b5b0681943155

SHA256
500be5aea3e32c7529235942d46d626f7809e545eb487e9ab392aa02040fb643

SHA512
167606ffea4ea1cd4805e9f51b49f7e3dbfd082a2820ca8e4422736411043a015a819351fa43cc11f21e12ff6242cf89634cfe97c562e7ca83abeb760ef6f199

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
512KB

MD5
598b723923be1910cbce99d17f49d456

SHA1
c794e0cdfc78e5fb0b5fa09b47d1705135478767

SHA256
90f5c63f3a80362d906f021452c0ba43a4af414ae91b2159ccaef3bacb22652d

SHA512
aefddbb380c457f5408c8105fdfc07f8c9cb004aa3573c369afc6576c39afb943c0f398bb8928484cda35fdd397ffb0e47eb94d3c2f2092fde097abab3683953

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
512KB

MD5
71c05d5ec4dea390d2f14df4f879b667

SHA1
54fb4f6d8388c4f9ba36275d26affe32c9a68fea

SHA256
5d8bdb8c4c0c7fe9561b7a7e3acb5bdf2f33b68f4bf739691908459579348a2c

SHA512
adaa249447e39349640a07ed9570590f52873451ebf32e6deac109f4fe3290694751b06f2b91133b1bc856140f3fbe431c887bba645ea99c0dc8978408d8eb29

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
512KB

MD5
1123882faaae7d801cc3a7f8b93923ee

SHA1
8c243e7023472921798f8cd1457e6b2c219f1383

SHA256
0e1c1ffe4f63bf5b3277302fcd4a6c46d7531db0af8d0be09a82923fba3cd914

SHA512
32ee8377f7df3fd825f6d78dbd02e6395c1151d58f3509a77919443371f7c0c070faa1dffa85b28f823a78c1f36525189c82320e91297401131bbf603f48f6fd

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
512KB

MD5
103384fa5b48b97eb4964ac825364669

SHA1
26382da400dfa0e12d1d5a5ccb526e68c2151e1b

SHA256
9c046cb68e3acd141c942b688f3a770f2a27351ef4d103b430a8f37b7540e7f2

SHA512
ce40cd3d9a569d9c7a6ea65efbc3a2b768be29f73579d4ef72ffd28aa780a9ae6806300febabb94fd5e8d98b1ae1054ab29b48084c7dd9a9b662d28549bb06e4

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
512KB

MD5
cb6004a84245da84fe3b91e1ad019412

SHA1
f8c91f362fd56c3463765233ff0b1c88a6cefcc2

SHA256
abd07f2495cbfa5b765d944efedafdac93ff5a35985343c283ca9342fa54b7f9

SHA512
3c4148368af9972ac1de14ea2ff0352aacf0f127529a6a0e3d83b3f528219ea40eb5b52ac45a99a6226d876ba721f319acaef94484750d3dac89a33881abaf50

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
512KB

MD5
37f501e36eb48afea0c6eb10377ea7c4

SHA1
32653fc531265a94202b853618f4d254f11da5dc

SHA256
308fa06f7a50392e64f2aba35116296a24cb299fc96254ad6f4efd9288ab3cd2

SHA512
25508013439c337688a7bc5926c673d6e63d4ad18f34eeac2a9775f191712e970e9750b753bc20510980edca60171c8e06b4637eac07fb4b30f0103157c02f90

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
512KB

MD5
5022e791d4b4aed1d14e7cf62c07dbfc

SHA1
2d7f21daa65e8c25ae1bff38f7d2530be930eafd

SHA256
bf49ed30b393bc7a372076ea214a747324abdc2a13fbfa28775eb03d736c6218

SHA512
7ff3ee63dae70f81fde88ae54d625b6b5d77e16815e534566171222ca6ee9562d8609df5e5d79dc0ea2b1bcd739af7d2e6d451906e67485a033bfe1fa745d3ed

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
512KB

MD5
49fe1aa3fff2c282d55d78348ee5da34

SHA1
cd4d1e4d6a2c95fad84eb52f401a33a50189367d

SHA256
4169d6f5d6991e9dd2bd4af578cffd5289a9a275b26b04342e0852d530faa909

SHA512
c1dc2b4cd8b7c875604a4827e606f6b4ba29a2c08fb878b61ca30c93b5bf443fda3f0547b67c78d312588b988d905cc265903140b9a690814244fb2867bd0e6f

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
512KB

MD5
f3af1448a0e71c163096b005f74dc6d4

SHA1
4acb85e74a12e7bde3e17e8ce8cd3370723f5136

SHA256
f3b6e1ff77d0bc126ba06f1b490e237303c5d69de0b25ec24025f53c45fe798d

SHA512
09708a9ab4cd2cb04afea1d6b8bb8d6cbc5d3d1465380a815174a4eddc4f22e6a0599fbb076a25b17456b37f0bf0982e25ee2ac3511799e6d8df9ccdd1991a97

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
512KB

MD5
13563050078e881ab15541760c98733f

SHA1
20c6d1c94ed2ca8c41e557591e09e1471b8c1d4d

SHA256
a3ee7fb379003b12a04b634669a606ebd7be49893b03ed6c2ed1b946626bf117

SHA512
899417597117416cd9eb592c6d4a7c6a34d29638e87fb19cfb3ab676b930cc91466eda1151734e45916b2a17a54f36a0d848c524ae5805b9b64129c8e2ebcfa6

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
512KB

MD5
63bdbf16254fa16fadf8bbc1fc9e89f8

SHA1
b4d1369a9328248303902bedaf10e0df90f800ce

SHA256
3058639ef30bb04ab710bf695a31ec6ad5c9d1cd945b6c0866afaeb2c2132c65

SHA512
362b47ac955822551e4c9597243a04de5def1d07f05424c9fbddc477cffea8c4ffc8afc99ab4180f89c665e26c310276b69e645686cc91d2b9eac7f9fec5cd1b

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
512KB

MD5
3b46d576f5289df20fe0b9962f97fef5

SHA1
bab52169a78a51678032dff6c52e4363c3b2cfeb

SHA256
eda73750db716be176fb5aadc77837e0d605265a8cb38b847ceb6d36fb1e37ee

SHA512
7558107239fc8a745c2cb710b9198f263b98fd40ae6dffe370b3bcf26ca448529445c89718eec43dd80be2ae5fd393ee4bfbf4b1cc0772d36aff9ccef70cff8a

Download Submit
C:\Windows\SysWOW64\Cajlhqjp.exe

Filesize
512KB

MD5
199d1ddf3fd2a9aa775511638ab1ad9d

SHA1
1c9bf4f15088516452abe0f45bea89bd68ec7f00

SHA256
c0e27679e51e90336e423b243d1f6ee177ae858bd61548c58b08507d0c71912a

SHA512
af828ec49a2a8a5bb9f3b403c479c66bd29af2a8e4f180b8464967f6d0df3c137cac6c156aaa411329ec864a02e803d26c5398e32337eade4d8a9dbeeccae8f2

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
512KB

MD5
3c8e78764ea6575f07b530873e4fcb84

SHA1
e4759d46d600b9c8dabb1cc0ec271246dbe65552

SHA256
fbc792d5500e16dcb629bcdee5392d2ac976a67954aed60f80957bb50d07f275

SHA512
2b684900cab15605b01adcb6e89ff6b4ba4c1a16e56031a1a4fcb7216dd29cdd5eae45efb94a2dd52046f48ff936d717998a1f312d885a96332140e5f118de45

Download Submit
C:\Windows\SysWOW64\Cdhhdlid.exe

Filesize
512KB

MD5
cc964eea11d95b8dcac10f6fc04e50f6

SHA1
3ad151e10baf947473fb539da8d8212d8b4c7854

SHA256
ea447d4f619700303f16f0c0beaaff546b09b475fe9670a4f33816c1009b47ca

SHA512
ebc794a3a14d72bebeec497d5de379becaccbae656d40053c033ad30ccbc3c77ff139d230a33ab6973d53f760e9b3aea38ec155cc432651ce3c2d77e5b3a9fdb

Download Submit
C:\Windows\SysWOW64\Ceehho32.exe

Filesize
512KB

MD5
fa12487ff68e88bc54f2c1d24dcea037

SHA1
6d75b6e95a6bf1499ddfc044d365f31903c44444

SHA256
bbeb822908ec6c1ddeb4b5b3ec2da6e7f7859e9c30c25575c99b770a83a86f16

SHA512
996e30c3357498cddbf991ff5b57b48e30ca7810962cbb618e0692fb4072f4dffe84d5495c20293ee7a487244d26b74f66656c9617ede46a2fdbcb5a7de4a27d

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
512KB

MD5
a714fcb400dfe16e2b10e9eb0b562bb2

SHA1
2a6570133567237286c488f7a815b2a229879e6a

SHA256
a5de4bdb50cbd5a8260af894920576afa898c6f8e14a11cb49c342636fa95fc5

SHA512
1bcc0361212ed62390a2a51bf874bb2088fc685bef1a2f593da85d7d2d5db1817ba3491ccb21d2f503fe5fe946a78140a7da089f20c31ec407e890d538d326c9

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
512KB

MD5
68c0ba5efb22dfa767fff08b428c656b

SHA1
e33dc3640d07ff5e31387aa233d24bb5e4bc8cd4

SHA256
83e0d3cd0fa250298e2ee84e5e860295513d06142bdaa1fd8de38f3b4e8ece6c

SHA512
0d357081a731ad2eebd0cf4a8018bacb131da214a49588d12ab8f09c30a1f247de3aec30207c46121741038eb4b4da5e1518400b3635e676620591e344234e1f

Download Submit
C:\Windows\SysWOW64\Chagok32.exe

Filesize
512KB

MD5
4047ffc771135318c4ead3bc7ec051f9

SHA1
648f98e2fbf921de2a323632fad888c1edf1cdf9

SHA256
acd89bdd2f3ba6095505142b6613a9b67c92ae07d69ec6ae35dd31da8a68f103

SHA512
ee6b06deb16367fda4cc551d960123c5640c79e8fccd764098200d268fbc2311f89c24b766b586dd57e64a32fab1d016c6217e6d2279b4d5767e57c049cfa38f

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
512KB

MD5
7bb8e3dfb24a0e466c67a1efbac5e7dd

SHA1
1447db0a6c761319c42ba48452270b60d6f0f114

SHA256
aba17a1dce9fd697cdf9d2aac3d28cf73f29c8ac37672889b0a41db6cdedaaa8

SHA512
1db88919f4de562ca938f5e5eb5b7916ffc4b89427ae6311bc78ca5f0f94602190889536c65d48fa325c104f70232a69e7c44fd06cf67ca81f0744cdb69fdba1

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
512KB

MD5
db0fd9ec5d4b3d778d280f929709f2d1

SHA1
72cdd7e015f9b2fe0f42e4eb5f2d2044f6b76e5e

SHA256
19321d695cc61881d5c00d657cd0dc0f4efe13c3cc649ac7a282576f6633b9f7

SHA512
4bd978cee1726465501601a4ce7bcb4ccfe05f55727cf5651feac89ec8cf7624b6de3113a48ee61393f5114ecf8364a5a472072304a24b426099816e4d9cd266

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
512KB

MD5
f7a248b353a8f5234aec98f89b51f391

SHA1
babcc329925cb4de7f05328ca178629a6c31737b

SHA256
cc720a67c3424ab465b7ded78e4e375f9d859afecb3f88f059a9a9b4c0c70d42

SHA512
7643d1775085d3422baf0161492818ae34047265cfff9df5c8d20fc73c2cbe7b1ed44a9d21a5ddba9d58e0a4bf85d4d85fbf319c7a2cdb2faae5e2010afa5298

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
512KB

MD5
d9f73ff03dcefaf3a49b21c66d118140

SHA1
4165583e82a69ee401ebc2630c1356201fd69401

SHA256
8ae5471cc4e0ce9400b9f5f732f024295b4d86e47c15e548ffc608b3f99d9161

SHA512
2a4c7a49a7640bbb7313ce9dcb3faa649a639038a0ebfd45c9f43c08b89ba1f3b4a06c35195f0b2adac5536a8b65a568a4ec4d471070558618b65d559a36ef36

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
512KB

MD5
a66d29d3205bae8bec7545d8fa748636

SHA1
ed99c0c026ffc0d4fcade288b98815a3e8d65d38

SHA256
70084fab88b7fa8b639783c048003caa49292b9dbf845c2ec1f90fe82684b497

SHA512
92ef9cbdce7bbe12447a73efe04643001c46c6617cbc43ffeb5bd2d38d6f2d83ce657af3e3920e86857ce3e7e36b10bcc612e4011d0658cdaeedb9bf1601baa4

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
512KB

MD5
5dc936cb7f16734f9e6183b18e212a35

SHA1
c4adf1a4e6ae3a8e57b4a4ce587e776ef3b43f4d

SHA256
6b6b209f4b3bc905787ccf7682b792a744ec8a6e431c8e052d66ac19c3466397

SHA512
e87e59af0013e5be9fee67851d9b558039086ed7affec4c619aa6e5f89a104c49702d6d9b5efe2973375b37db2532058a62beb9fc0498d598c4fa4aeb71f9e4c

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
512KB

MD5
ddb3e718b0a52adab6c6fedc5e4f65e5

SHA1
a60118c44e2ec598b789c26eec7c28b746d997b1

SHA256
cc5ee3545ee8febb5b3ebe655997d2cea1fe23f5350cb82dce79ba58f92b0b9b

SHA512
1b2e85bbc8a40df701d1b2e0ef05000824f514fbbe31da4135c5da6f74e8617138a9926cb3e4d55d0a68dd022196977d2c040d43df6deb3be3864fc860905504

Download Submit
C:\Windows\SysWOW64\Cnkplejl.exe

Filesize
512KB

MD5
f6c2259b6ff15d5e80590d78981e5a94

SHA1
58411f936f46dd5dd246302cbe7035bd374a0ffb

SHA256
bf7de5e52d5ac84e77311f7f12de7808a8eb3783c65bc7243bfee6ffa2d1ec8a

SHA512
ed7c3e437b1a856e402c8488b9292e0e06d08714366fade993499ae3b8181a2638889779eee1f05169eb8ddd081e254b8f9af5366687c91dd58abb7dc9b047f1

Download Submit
C:\Windows\SysWOW64\Cnnlaehj.exe

Filesize
512KB

MD5
8109830fc424a82f56381a18612ed248

SHA1
fe9fe3e93253bc3887adf44fce2d59b4eb952830

SHA256
b6f9f90b03511ee1cfd8169b1284558c206227f9311292b3af4f13737764ce87

SHA512
951002d3830089d68d7e93c943c3c853107568e456ac0cad2b368010ed983ba2e87102e8225225efc5516a1ddcd1b34da8e4953d933c609955cef69e90645a23

Download Submit
memory/536-398-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/856-174-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/856-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/996-421-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1012-441-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1012-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1064-402-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1068-400-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1072-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1072-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1120-98-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1120-188-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1268-395-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1300-426-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1300-445-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1388-416-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1460-413-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1484-404-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1528-440-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1580-166-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1584-418-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1656-403-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1820-436-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1820-116-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1864-392-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1876-490-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1876-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1916-183-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1916-90-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2144-390-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2152-399-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2228-40-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2228-125-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2240-401-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2244-425-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2296-424-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2296-108-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2308-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2308-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2400-134-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2400-47-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2508-126-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2508-439-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2620-420-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2768-423-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3092-407-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3120-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3120-165-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3148-483-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3148-388-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3156-438-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3216-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3216-487-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3232-389-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3304-409-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3312-414-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3316-422-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3456-107-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3456-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3600-419-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3732-405-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3824-184-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4008-397-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4240-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4240-151-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4300-175-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4352-391-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4372-408-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4380-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4380-97-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4404-417-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4432-89-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4432-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4492-415-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4516-412-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4580-410-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4788-115-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4788-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4928-394-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4944-411-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4992-396-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5068-406-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads