fe1e3f5aa8f571bc996e936a1caf628e8f0102cd799569b3b70f9a9103298f10

Analysis

max time kernel
104s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/08/2024, 01:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7289377d58ab9003613f99e73201390N.exe
Size

96KB
MD5

b7289377d58ab9003613f99e73201390
SHA1

3d45e00fb0e900e367e1d67136d842e4fc4230f3
SHA256

fe1e3f5aa8f571bc996e936a1caf628e8f0102cd799569b3b70f9a9103298f10
SHA512

9d3f2d37da6b776842bce68bc95efbb1a5f840931d471af5a9f785cab76e1f1c9487fa41f58a30cdbc95dfa31bc0c7ec33979b0a390866dfb2f82596ffe5a5c2
SSDEEP

1536:/ml17lG2KOSOkxoRaTG+rF20L6GWd2Lzs7RZObZUUWaegPYA:/eR3KOs++BlWuzsClUUWae

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	b7289377d58ab9003613f99e73201390N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe

Executes dropped EXE 63 IoCs

pid	Process
2604	Aeiofcji.exe
4668	Afjlnk32.exe
2352	Amddjegd.exe
1760	Aeklkchg.exe
232	Afmhck32.exe
1436	Amgapeea.exe
2640	Aeniabfd.exe
1576	Aglemn32.exe
972	Ajkaii32.exe
4724	Aminee32.exe
1692	Aepefb32.exe
5108	Bfabnjjp.exe
3208	Bnhjohkb.exe
4964	Bebblb32.exe
3232	Bganhm32.exe
4732	Bnkgeg32.exe
3008	Beeoaapl.exe
4436	Bgcknmop.exe
3156	Bjagjhnc.exe
2148	Balpgb32.exe
2844	Bgehcmmm.exe
4028	Bnpppgdj.exe
4148	Beihma32.exe
4948	Bhhdil32.exe
4988	Bnbmefbg.exe
748	Belebq32.exe
4336	Chjaol32.exe
4068	Cjinkg32.exe
2724	Cmgjgcgo.exe
532	Cenahpha.exe
2040	Chmndlge.exe
2932	Cnffqf32.exe
1996	Caebma32.exe
3164	Cdcoim32.exe
2740	Cfbkeh32.exe
5092	Cnicfe32.exe
2904	Cmlcbbcj.exe
4644	Ceckcp32.exe
4440	Chagok32.exe
4956	Cfdhkhjj.exe
1076	Cjpckf32.exe
3144	Cmnpgb32.exe
1260	Cajlhqjp.exe
3712	Cdhhdlid.exe
3776	Cffdpghg.exe
392	Cmqmma32.exe
3440	Cegdnopg.exe
2128	Dhfajjoj.exe
4900	Djdmffnn.exe
4332	Dmcibama.exe
4876	Ddmaok32.exe
1252	Djgjlelk.exe
4664	Dmefhako.exe
2108	Ddonekbl.exe
3484	Dkifae32.exe
4368	Dmgbnq32.exe
1748	Ddakjkqi.exe
4468	Dfpgffpm.exe
1672	Dogogcpo.exe
2028	Daekdooc.exe
4460	Dhocqigp.exe
3264	Dknpmdfc.exe
1516	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Afmhck32.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Balpgb32.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Aeniabfd.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Aeniabfd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1284	1516	WerFault.exe	149

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b7289377d58ab9003613f99e73201390N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	b7289377d58ab9003613f99e73201390N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	b7289377d58ab9003613f99e73201390N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	b7289377d58ab9003613f99e73201390N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	b7289377d58ab9003613f99e73201390N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feibedlp.dll"	b7289377d58ab9003613f99e73201390N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3652 wrote to memory of 2604	3652	b7289377d58ab9003613f99e73201390N.exe	84
PID 3652 wrote to memory of 2604	3652	b7289377d58ab9003613f99e73201390N.exe	84
PID 3652 wrote to memory of 2604	3652	b7289377d58ab9003613f99e73201390N.exe	84
PID 2604 wrote to memory of 4668	2604	Aeiofcji.exe	85
PID 2604 wrote to memory of 4668	2604	Aeiofcji.exe	85
PID 2604 wrote to memory of 4668	2604	Aeiofcji.exe	85
PID 4668 wrote to memory of 2352	4668	Afjlnk32.exe	86
PID 4668 wrote to memory of 2352	4668	Afjlnk32.exe	86
PID 4668 wrote to memory of 2352	4668	Afjlnk32.exe	86
PID 2352 wrote to memory of 1760	2352	Amddjegd.exe	87
PID 2352 wrote to memory of 1760	2352	Amddjegd.exe	87
PID 2352 wrote to memory of 1760	2352	Amddjegd.exe	87
PID 1760 wrote to memory of 232	1760	Aeklkchg.exe	88
PID 1760 wrote to memory of 232	1760	Aeklkchg.exe	88
PID 1760 wrote to memory of 232	1760	Aeklkchg.exe	88
PID 232 wrote to memory of 1436	232	Afmhck32.exe	89
PID 232 wrote to memory of 1436	232	Afmhck32.exe	89
PID 232 wrote to memory of 1436	232	Afmhck32.exe	89
PID 1436 wrote to memory of 2640	1436	Amgapeea.exe	90
PID 1436 wrote to memory of 2640	1436	Amgapeea.exe	90
PID 1436 wrote to memory of 2640	1436	Amgapeea.exe	90
PID 2640 wrote to memory of 1576	2640	Aeniabfd.exe	91
PID 2640 wrote to memory of 1576	2640	Aeniabfd.exe	91
PID 2640 wrote to memory of 1576	2640	Aeniabfd.exe	91
PID 1576 wrote to memory of 972	1576	Aglemn32.exe	92
PID 1576 wrote to memory of 972	1576	Aglemn32.exe	92
PID 1576 wrote to memory of 972	1576	Aglemn32.exe	92
PID 972 wrote to memory of 4724	972	Ajkaii32.exe	93
PID 972 wrote to memory of 4724	972	Ajkaii32.exe	93
PID 972 wrote to memory of 4724	972	Ajkaii32.exe	93
PID 4724 wrote to memory of 1692	4724	Aminee32.exe	94
PID 4724 wrote to memory of 1692	4724	Aminee32.exe	94
PID 4724 wrote to memory of 1692	4724	Aminee32.exe	94
PID 1692 wrote to memory of 5108	1692	Aepefb32.exe	95
PID 1692 wrote to memory of 5108	1692	Aepefb32.exe	95
PID 1692 wrote to memory of 5108	1692	Aepefb32.exe	95
PID 5108 wrote to memory of 3208	5108	Bfabnjjp.exe	96
PID 5108 wrote to memory of 3208	5108	Bfabnjjp.exe	96
PID 5108 wrote to memory of 3208	5108	Bfabnjjp.exe	96
PID 3208 wrote to memory of 4964	3208	Bnhjohkb.exe	98
PID 3208 wrote to memory of 4964	3208	Bnhjohkb.exe	98
PID 3208 wrote to memory of 4964	3208	Bnhjohkb.exe	98
PID 4964 wrote to memory of 3232	4964	Bebblb32.exe	99
PID 4964 wrote to memory of 3232	4964	Bebblb32.exe	99
PID 4964 wrote to memory of 3232	4964	Bebblb32.exe	99
PID 3232 wrote to memory of 4732	3232	Bganhm32.exe	100
PID 3232 wrote to memory of 4732	3232	Bganhm32.exe	100
PID 3232 wrote to memory of 4732	3232	Bganhm32.exe	100
PID 4732 wrote to memory of 3008	4732	Bnkgeg32.exe	102
PID 4732 wrote to memory of 3008	4732	Bnkgeg32.exe	102
PID 4732 wrote to memory of 3008	4732	Bnkgeg32.exe	102
PID 3008 wrote to memory of 4436	3008	Beeoaapl.exe	103
PID 3008 wrote to memory of 4436	3008	Beeoaapl.exe	103
PID 3008 wrote to memory of 4436	3008	Beeoaapl.exe	103
PID 4436 wrote to memory of 3156	4436	Bgcknmop.exe	104
PID 4436 wrote to memory of 3156	4436	Bgcknmop.exe	104
PID 4436 wrote to memory of 3156	4436	Bgcknmop.exe	104
PID 3156 wrote to memory of 2148	3156	Bjagjhnc.exe	105
PID 3156 wrote to memory of 2148	3156	Bjagjhnc.exe	105
PID 3156 wrote to memory of 2148	3156	Bjagjhnc.exe	105
PID 2148 wrote to memory of 2844	2148	Balpgb32.exe	107
PID 2148 wrote to memory of 2844	2148	Balpgb32.exe	107
PID 2148 wrote to memory of 2844	2148	Balpgb32.exe	107
PID 2844 wrote to memory of 4028	2844	Bgehcmmm.exe	108

C:\Users\Admin\AppData\Local\Temp\b7289377d58ab9003613f99e73201390N.exe
"C:\Users\Admin\AppData\Local\Temp\b7289377d58ab9003613f99e73201390N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3652
- C:\Windows\SysWOW64\Aeiofcji.exe
  C:\Windows\system32\Aeiofcji.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\SysWOW64\Afjlnk32.exe
    C:\Windows\system32\Afjlnk32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4668
  - - C:\Windows\SysWOW64\Amddjegd.exe
      C:\Windows\system32\Amddjegd.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2352
    - - C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1760
      - C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:232
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4148
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4948
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4988
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4336
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4068
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:532
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3164
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4644
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4440
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1076
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3144
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1260
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3712
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3776
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3440
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4900
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4332
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1252
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4664
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3484
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4460
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3264
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1516
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 396
        65⤵
        Program crash
        
        PID:1284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1516 -ip 1516
1⤵
PID:808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
96KB

MD5
97ab40a74a92d26f2d75e8c2a6850506

SHA1
d3c88ab32d977f6acae8a42d474c1652902d541a

SHA256
bec95fb4a5f670bb5636c30c53db3aff9db025a682c8687fffc2ffe189aad336

SHA512
bdc18d77b31d21cb50601da924ecefb6a25f9468c6a876f951a984cb7986391ef0c40b8233c77fc248156430d093296a8b8dadcbc4522c778643a8bdeb2cca16

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
96KB

MD5
f9e14df72900fffc91484360bd9da25a

SHA1
157b41c3ff9409e9c21a69177ffe9735b332808c

SHA256
06405b0b4039b307dfac1459e16132a9e9a4381684d7acc25fbf332a1af12f68

SHA512
ad4464ca44b699e9a9ee74e4daa490ce5e2b7ac12e65d154f6cdd1dc9a8266390e2cc03e71ab3d0a402439ec8db8a035f1916fa150aec1f19cf10118c2ae5b0a

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
96KB

MD5
d0b15d2da3403df743251483cdf2f7af

SHA1
a9610db63dfd0c537140fdb3ce3214cb1180167a

SHA256
3c0bc85551c602b8c883e068d2ae9445cadbaf578bac54f0a52542a69d1a697c

SHA512
fe1cef96b2fef012dda2c68e791e8fb2fcca17e86e3ad960009b0e1a68427cc1aeb37128dda4d382a227c15c5277936865662feaff089b2bf7f414da5229049e

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
96KB

MD5
c8e2ed370104fa7cacacd4c1e74d2b6c

SHA1
4a6d2e239c95ccc79762f8bdd53ceb7155734264

SHA256
39c4d2e70b98ebd15d5acb60452afd916de7d3cf8b94025490b451b0610c75a1

SHA512
1ec03a50af3e8352c10b391464be8c0b9cf8948ccf1410d45ca860921dbbb6c6d7c3a71653eb97893007ee8e7a5592200d5d41cc07413ed54e190b2377e5d134

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
96KB

MD5
ee241dcf9bb188bb18ee04c0789ce81f

SHA1
8bdd95da4bc808f3395535c73af5d986a8d4ed68

SHA256
089d282ee7efad9940acdc58d836e4d05699dac19b5f7f0e55be95bda1bb7735

SHA512
5e0132bd94d5a0fceb6e10a6bb9874898422fbbe8a1a237d240d1277eec5f866db2096f41463be68b230c8264bf691565ff5d9d1607cf55511eec45738d4bc62

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
96KB

MD5
c403a7a160880cc6cfbadd86f99e7471

SHA1
3bce78fbefc4a5e36cedb680a775c83af28c4f97

SHA256
b4bf7a2974a3295b9de74c791c11d8443551939c67d0a14b3b48cc531fcc5943

SHA512
b83547639943c94f33a02dff513e277f31fead7af4b616daa6bcfe5a0b1d53a787c8387e09a7c06d5b828bcac5bcd4e469e5550946434e0a2dd0fadba34ba590

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
96KB

MD5
978eba187672e410556bd791fcb8e8e0

SHA1
423958dbef46ba14346c6d6797d2dd8aede43600

SHA256
6f5ce5dff19d7ccd8573a7fe1c3bf011436ae9e1552ce342545b518bca520683

SHA512
a05ac7d8d7a5d8dfed4bb28a6f7683ee0102a2ffb821c0011b590e73ebcdbaa317dc7426a847ee5e7bce7375ad74b2db4ffc55a88429d3202bc7dec2c5c219e0

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
96KB

MD5
d2d50a8d894526397c7ae6f00a1e3430

SHA1
18b63f9ca642cc8309c5871e281a4cb6c2b975e3

SHA256
f41d54088d445d451b48d12c665bbe1d86a2d5604b2880cc085e490e46b87817

SHA512
9d364faed23414bb679d121619c9038c435fe78b608b839f2b8f00dc8a67cf565cf881a98a047b175ae41ba8bbb231efc61dc2b6c641a76e68e17f073204a291

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
96KB

MD5
bc8e55d3aaadbc64147c55675bcaabf8

SHA1
13065986e582a059d280d90d2e3368d9a3811d6c

SHA256
9ee2d5488118119f9ceec0b366bcffdc9e6a4c6241a2acdbeffe46bcacd7358e

SHA512
dfd397aea41ed5637f70baa842031cc21a2d9e0ef58bfda5bc45f1ef31d841b02d564c69e5b7d420560b5831667ee285c0653a3bc3457052049c70911951a04d

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
96KB

MD5
2df088d4c8612aca00bd7b1c380ca6ae

SHA1
e8132c496e4a59434f4539b29a02aae04c7a75ef

SHA256
c909f316d3bdb78897a2daf85dce537a45da393220ab510a83523fceb6684196

SHA512
ff535813ea15f60a170c9a39bf7033378f84a4c816f23d497bad6effcf6ae5bac2d772df61d4e9651be0262c4bb3cec5d30c7a8136f7ba6c36d2252b2d60cfab

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
96KB

MD5
b8378db8befe1f91969f3c5bdc45ea79

SHA1
866c34d5bc1ced125075bb798fa76c3db7adf5ac

SHA256
5ed6d135e4b22162d902c647b947788b90d467bca04abf5ac6a3fdf8eaf19a65

SHA512
ddb3a5f7376b9422e581f8d4e69d33c9fbf177e1364428886baf3a929dca1a797a0309c977a88b33b2d4ef0a36214329e488b0d3b011335cb6d44990aa60d0ac

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
96KB

MD5
7ca0ac67ee8635caae19a646cfa317e5

SHA1
6245677514a4e0a20d8c318eb26e10c2f20480c5

SHA256
692eaeda92758555903aeb446291682ae3eda28effe16d051dd2f9e3a2176656

SHA512
5c0d631f31ae5d2de77dcac5e72b93bc4dea1372956e9ae722dd6f66f1f27f189b4843a567210adac7980fc16f91566fd8b7bbf6d901247da6972f9c68deacaf

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
96KB

MD5
91961045d82cd323766a2bcdb3d914cf

SHA1
ddfcd3f2d9964356e0be036a97aadeb58792d39e

SHA256
2bc2f1a2546977391e9acda2bc0703db7b1e930d373f93557eaff7f705354612

SHA512
6db24851a92893312c03f522e3ad737a219ec4fb682343a685a155760cc1d5999de8bf2dc6076c1227c786e1f2a2b6be6542f1a21dcd62083d8fa3db5b0451b6

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
96KB

MD5
338c0538674827fd6f357e2e63f7227a

SHA1
42a1d5b38a7d2e26cb9b289fc1d2b64407973a8e

SHA256
a2d7a2261e2a534f03db536b7c0bd915267b197acd9958369019e47584316c7e

SHA512
a4cfdf9289e9da144c3d03fca785c4265e386549c88ca4871ee896e15047a0db1eebf1d95550250cebfcb5fa0a7a9605e2460aebbf8b08a5e75597705c01fd96

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
96KB

MD5
1a35423f27dae7941fc5d4b4cfd23e87

SHA1
0a3e5e6f1c38b9292c02105179dc5788f00ba578

SHA256
4db2ee0089908a06ad7de2eb1b932d86135f318b05c80fe8585ab91c4856369d

SHA512
403f8e968ccb64363754b3993d4217de5471e28b2f113b45cafb2f6d041a5c164a8cc42c1ded41315abbd7d8ffff27177c1ebdccd0c1e86e6b1d2d22f8f23185

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
96KB

MD5
e566d63ad6b5c81c20d654af0e81cc63

SHA1
4cb6bb72b54516a8ef2b8f7ff870636d089db56d

SHA256
4b57c278933c581f1102e285ad353a397601de1d11a8b2422177f7e745098a00

SHA512
9b9bbb7e050a9349fa40d49a8b609d5277ef2167291e5808301ba122ce7fc2008f3c4449e69ac1f06174234dfd3a3f9344d3470074c91c9a218fc232a087a174

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
96KB

MD5
c517a6fca13de8028c27d0e19f32eb4d

SHA1
fe99ee6b2c53f967556688f87789de2e7996e980

SHA256
1df938ee88dc18b7b95cce8efe4311fd3157f59844492fd4516edab0cc668d6a

SHA512
6399ad894bdf923bf58258c2ec3c88937b8aa7c56ba1dc303aa97831dcd7524903ffa6bd813da34172f26f4493082f1a888f1cd44e6ed39e2077302c0f39cdaf

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
96KB

MD5
f1fee9ead1609d7fcfdcce6b0a0ff761

SHA1
479f3a38ff640cb15b750b3639a9d345a915cab4

SHA256
fe0f3a8e8b4f0ccebbb73a12959a794159463b586de873213ded0ff6c4665737

SHA512
99d2775a3fe9f933ead788575204aa143c98ad94e2fb8b18c182624497a4a45aed80af58021a1530322fc843a87499ee0db62f05acd94da2077e8088033b31d7

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
96KB

MD5
f2ed7ec09d767184078163a6298c5185

SHA1
d7cebe8b06a6ab7cf4f8bae8ce12a27f49f4d3b0

SHA256
eabe34672a4aa158f9a88918c7dce77ebdfd9a2aed56b54eea656807f3f454c6

SHA512
73a23477e2f963a15d8f471ee3f561acf364a051e9c1720bb180f90c5205fd5363b0f1bf1e6a2eb12441f2b7b251ce8c53091ffae78e9795c5d18c13c8a866de

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
96KB

MD5
7a0146c13783372cadf3b70dfaca0311

SHA1
fda7ebdbd49dc3096bfef764c3f012a5b6fa758f

SHA256
15682075c64bf6186004ac27dea1627b7e259d27664572499de0231c151e04b6

SHA512
a938920500423f1f75f80164c83541134451f53127b974a710e4cf2d835af483fe8f9a8a010c32076bcc25d2af790afe06eaaa5c9a05a95529b40ec2ea0b49b6

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
96KB

MD5
f387658314a3353b3b4129cb1670bf1b

SHA1
7b434e0d8a9ce1613dd47d26e9946290490e22bb

SHA256
787198fb694ced72b267281f780ce2fe9dfb5faaee16c4f26dff6ee6e852d8d8

SHA512
dbec91600d901e5596ae486412e1e45fb4df825a5ca580dbfab567889e6974c5b6586fe1396b8f92e03b756884d4b5c558365f4b8a85528c935991e0f47ccd3c

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
96KB

MD5
18d43915eacba8b32202a31b63515176

SHA1
9bab913ad74f8a2eefb82d2dfa9e1948fa74d52d

SHA256
652346fb9705dbc9ca3549fab9d4721ed24ead9c7c52d8f6e49c2d56082d3f33

SHA512
d1f7bf5d2c242e203e56f144984eb7612081b1f200eb3e29edaaec87a58df8a2c27e4346ba07483b1407805c21167af6108ed59cbb0b11181c91fb704ab50087

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
96KB

MD5
20d5a261b7d2b1f3ec5b9ec1cd64b232

SHA1
b3ca8293c282892241f3770fcf8bb51b66f25431

SHA256
42f0c08fd56f46f2147c3e013aa83d045db2488a757dc8256d8ad17224cec73a

SHA512
a8da45423dd66cde6e4f4fa69bb801f0617402fa8ebec497ad0e3c983e28a44f621a2ae966d03236378b7f5a2946e2a40e257a36d75bb3f401e169eab9d6d353

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
96KB

MD5
0f607468a99628b5582efb18ee12163a

SHA1
2b58e47c9ef144a503569d9e7ffb33bdda4a0cbb

SHA256
9387cf9f8155b6ca8d7b706e051cf85a2892c2cb9f540da097746ade4d9c59cb

SHA512
995dbee048c5a585999ad534cbfa13575a81df2e5fdbdd1da097db1b428b14e8b8130f5f93100535190353414e24020ad28efd7423a17b74647fc810db49eccf

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
96KB

MD5
5b934877b6f9e5c99c0519ea7e27dc64

SHA1
42c802d313a58a099196a3fe3beb298ccf39d807

SHA256
158d2ad21ece4fdd6e7d7703c1a4dee387f647f3ba49ecc8588ad99f0b947e81

SHA512
7f7bb336ec6bb6430de4e390fa325c95fbfc20c8f158c11867e36679cdf418ac3804cede17e9043d96887cc703ba25abfd120c72a3b7d2dcaddcadde4ae1399c

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
96KB

MD5
5e057300c97ef6af709aca704b65d86a

SHA1
686e40b9b9d1cbe113449529eae5f3548487de50

SHA256
597bd803fc6515088ce14d183e6d58b0f89d67db8953b08a511f0d2d25a391f6

SHA512
4d4e052c6a123bec754fb01a1f95bea67f0ea11925491a1a0895c654bbb02c9ed2d75e047feba4eda29dc3a191c2ebc03d35f5d75b5fc770b43d87d57b443b19

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
96KB

MD5
fffd1569c7712523558c0fb0f0e77788

SHA1
3f9cf5ecb76de1b6b993c7f4c297357eb9881bc0

SHA256
58a405a54aaab9789c5d364bad01693b78f90ad044ec60b19912358eba9bec8f

SHA512
dfb219be5b81cf1cdeb356d2d410a1992ca4ad99c200dadb5359be47a8dd12c3e181bdf4c9caecc8be0b6313cee11198e37d9ef503c8f5fc33bf63a91af8e664

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
96KB

MD5
52172743b6d07fdcc49ed33df1b3c1f4

SHA1
24980c56ba1524640377f41682cc4c7272eb6e22

SHA256
8f79235221d0e3b7c12ac27e29fda075e87d070e1b6127f5593eddce9943942d

SHA512
c1ff6a1a8c6b45e5ea446eec6eb1142e88bd3cb072df957d5a7a6b05b4cc715ab49c3b879e069c48b1667b073cba574d8acef16b045f9c0b173346630d22e380

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
96KB

MD5
beb57f4ebc4427ceffc1887152f20355

SHA1
118e526643427abc1e9e894c05b6860b4269c907

SHA256
f313adef890e7b001ed5374fd5364cc25c53c87db6f882b3a68fb4b95890b139

SHA512
f05390fa77e1e91ff56871d595d495e99e9304b505b86363a48338392f0d80c32979e40e2264a78625af02ed9ff4a412d53813f4a46886b01a3d63da6a128a19

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
96KB

MD5
92ebf4bf36104c8ebe8c9e90e98e81db

SHA1
acca635fd7e5ca852bce32712f93da63bc6a631f

SHA256
09e397fe51b320d104f42fa232673089b5cbf65b2e582ce281434e47b71e2720

SHA512
f3d85408d49d9fb724dada1b8357d26bce8d9e5858b4b88feb381dba82223ff872914adba984acf1a44c9e1d62124874997be35cb5a268a2c0354cc65cb2982a

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
96KB

MD5
1ee0f1f9bd9c55586e990aa843b18c5e

SHA1
8f1641079ed8ac77d7dde4e8c7a507202af990ba

SHA256
7996582dece23a983539993aae6eb6c5a5ab28644fad35bf1f80bb479e43aae8

SHA512
fc6056a68ca233138fd11f9f8016ec5023b85f67148b400d4641f568eacae56a3112b27076ce532b3c3db8e3e973ebbaed92b839a8e98c597509c117e1e16b5a

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
96KB

MD5
5f13c281abd1e2f1a7fa4de6e7a4379f

SHA1
44ca919080575b3b6e9cf18dd43c5bfc53609964

SHA256
54716f176648448c6754ff185db070c8744acfbea8e7b17916518e5b09085297

SHA512
779216728e5fc432ee776b24a31c8ac52d11d73d637b59bc4d25d97d8ad270d6e43af6491fd2c2731548fcae74396c30d5f1fa8a4cd699c216c6a76f84781f0a

Download Submit
C:\Windows\SysWOW64\Ddonekbl.exe

Filesize
96KB

MD5
c90eabab5ba4fd2a6f16eaa95224ddb3

SHA1
3f5429fa3f60b1d52be5fb35a066d171677ee33c

SHA256
844168ccc87d2b4e913e80d6d40b80a8daab1dfe8cd8d82f6280f0359c40f2dd

SHA512
539a1c584ce11d69baf6703a79ce9d1f57ac240703ec9708f14d49e23dd141f4770299e55119faf5ca950ad815e84011dd02ef58e1f3523bd0040e17adb301d4

Download Submit
memory/232-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/392-345-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/532-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/532-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/748-511-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/748-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/972-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1076-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1252-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1252-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1260-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1436-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-445-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1576-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1672-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1672-453-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1692-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1760-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1996-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1996-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-451-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2028-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2040-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2040-501-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2108-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2128-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2148-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2352-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2604-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2640-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2724-505-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2724-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-493-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2740-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2844-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-291-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2932-499-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2932-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3008-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3144-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3156-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3164-495-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3164-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3208-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3232-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3264-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3264-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3440-476-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3440-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3484-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3484-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3652-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3652-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3712-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3712-481-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3776-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3776-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4028-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4068-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4068-507-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4148-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4332-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4332-470-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4368-458-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4368-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4440-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4644-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4644-488-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4664-464-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4664-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4668-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4724-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4732-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4876-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4876-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4900-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4900-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4948-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4956-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4964-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4988-513-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4988-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5108-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads