cf44765b1362895c2c15e2626b6c0118b6dde3e98ab17ead5cb33318bab5b15d

Analysis

max time kernel
104s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 04:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0656bbbe239bdf652205c63667a32f30N.exe
Size

93KB
MD5

0656bbbe239bdf652205c63667a32f30
SHA1

2d2218d00330b71569555410ee0189c17abc6096
SHA256

cf44765b1362895c2c15e2626b6c0118b6dde3e98ab17ead5cb33318bab5b15d
SHA512

ed776a499a4bbea4b30425d78a05e85753939568609da775dec3992ca348165f0a41de7ac50f23b154251f0437f487c30a64d5a07b6f5528f7ac3cd960bda2c8
SSDEEP

1536:6LY4KDFdvUg5uRsIhnV28uDkagbQuNm3S9/gvmWJ583saMiwihtIbbpkp:6LRGFJUGIhV2JDro43Pvh5odMiwaIbb+

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	0656bbbe239bdf652205c63667a32f30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe

Executes dropped EXE 64 IoCs

pid	Process
3140	Qjoankoi.exe
4364	Qddfkd32.exe
3956	Qcgffqei.exe
1268	Ajanck32.exe
672	Anmjcieo.exe
3108	Acjclpcf.exe
4116	Afhohlbj.exe
3952	Ambgef32.exe
1388	Aeiofcji.exe
4056	Agglboim.exe
2024	Anadoi32.exe
2440	Aeklkchg.exe
2668	Agjhgngj.exe
1512	Ajhddjfn.exe
4756	Aabmqd32.exe
2640	Aglemn32.exe
3968	Ajkaii32.exe
892	Aminee32.exe
3576	Accfbokl.exe
3364	Agoabn32.exe
4168	Bnhjohkb.exe
1688	Bebblb32.exe
2644	Bganhm32.exe
2064	Bnkgeg32.exe
936	Baicac32.exe
2816	Beeoaapl.exe
2700	Bffkij32.exe
4068	Bmpcfdmg.exe
4468	Beglgani.exe
3356	Bfhhoi32.exe
3480	Bnpppgdj.exe
3000	Beihma32.exe
4752	Bclhhnca.exe
720	Bjfaeh32.exe
436	Bmemac32.exe
2752	Bapiabak.exe
4684	Bcoenmao.exe
2280	Cfmajipb.exe
2612	Cndikf32.exe
2688	Cabfga32.exe
3100	Cenahpha.exe
1588	Chmndlge.exe
112	Cjkjpgfi.exe
1720	Cmiflbel.exe
2220	Ceqnmpfo.exe
388	Cfbkeh32.exe
4320	Cjmgfgdf.exe
452	Cagobalc.exe
4020	Cdfkolkf.exe
4780	Cjpckf32.exe
2012	Cnkplejl.exe
3988	Cajlhqjp.exe
1172	Cdhhdlid.exe
3448	Cffdpghg.exe
2976	Cnnlaehj.exe
2864	Calhnpgn.exe
2444	Ddjejl32.exe
4860	Dfiafg32.exe
5076	Dmcibama.exe
4272	Danecp32.exe
3932	Ddmaok32.exe
4788	Dfknkg32.exe
3180	Dobfld32.exe
4912	Daqbip32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Qddfkd32.exe	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Ambgef32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Aminee32.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Qcgffqei.exe	Qddfkd32.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Agglboim.exe	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Qopkop32.dll	Bebblb32.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bganhm32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Qjoankoi.exe	0656bbbe239bdf652205c63667a32f30N.exe
File opened for modification	C:\Windows\SysWOW64\Qjoankoi.exe	0656bbbe239bdf652205c63667a32f30N.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5156	2416	WerFault.exe	160

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0656bbbe239bdf652205c63667a32f30N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Agglboim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfgfh32.dll"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahicipe.dll"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kboeke32.dll"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chempj32.dll"	0656bbbe239bdf652205c63667a32f30N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll"	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cajlhqjp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 3140	1648	0656bbbe239bdf652205c63667a32f30N.exe	84
PID 1648 wrote to memory of 3140	1648	0656bbbe239bdf652205c63667a32f30N.exe	84
PID 1648 wrote to memory of 3140	1648	0656bbbe239bdf652205c63667a32f30N.exe	84
PID 3140 wrote to memory of 4364	3140	Qjoankoi.exe	85
PID 3140 wrote to memory of 4364	3140	Qjoankoi.exe	85
PID 3140 wrote to memory of 4364	3140	Qjoankoi.exe	85
PID 4364 wrote to memory of 3956	4364	Qddfkd32.exe	86
PID 4364 wrote to memory of 3956	4364	Qddfkd32.exe	86
PID 4364 wrote to memory of 3956	4364	Qddfkd32.exe	86
PID 3956 wrote to memory of 1268	3956	Qcgffqei.exe	87
PID 3956 wrote to memory of 1268	3956	Qcgffqei.exe	87
PID 3956 wrote to memory of 1268	3956	Qcgffqei.exe	87
PID 1268 wrote to memory of 672	1268	Ajanck32.exe	88
PID 1268 wrote to memory of 672	1268	Ajanck32.exe	88
PID 1268 wrote to memory of 672	1268	Ajanck32.exe	88
PID 672 wrote to memory of 3108	672	Anmjcieo.exe	89
PID 672 wrote to memory of 3108	672	Anmjcieo.exe	89
PID 672 wrote to memory of 3108	672	Anmjcieo.exe	89
PID 3108 wrote to memory of 4116	3108	Acjclpcf.exe	90
PID 3108 wrote to memory of 4116	3108	Acjclpcf.exe	90
PID 3108 wrote to memory of 4116	3108	Acjclpcf.exe	90
PID 4116 wrote to memory of 3952	4116	Afhohlbj.exe	92
PID 4116 wrote to memory of 3952	4116	Afhohlbj.exe	92
PID 4116 wrote to memory of 3952	4116	Afhohlbj.exe	92
PID 3952 wrote to memory of 1388	3952	Ambgef32.exe	93
PID 3952 wrote to memory of 1388	3952	Ambgef32.exe	93
PID 3952 wrote to memory of 1388	3952	Ambgef32.exe	93
PID 1388 wrote to memory of 4056	1388	Aeiofcji.exe	94
PID 1388 wrote to memory of 4056	1388	Aeiofcji.exe	94
PID 1388 wrote to memory of 4056	1388	Aeiofcji.exe	94
PID 4056 wrote to memory of 2024	4056	Agglboim.exe	95
PID 4056 wrote to memory of 2024	4056	Agglboim.exe	95
PID 4056 wrote to memory of 2024	4056	Agglboim.exe	95
PID 2024 wrote to memory of 2440	2024	Anadoi32.exe	96
PID 2024 wrote to memory of 2440	2024	Anadoi32.exe	96
PID 2024 wrote to memory of 2440	2024	Anadoi32.exe	96
PID 2440 wrote to memory of 2668	2440	Aeklkchg.exe	97
PID 2440 wrote to memory of 2668	2440	Aeklkchg.exe	97
PID 2440 wrote to memory of 2668	2440	Aeklkchg.exe	97
PID 2668 wrote to memory of 1512	2668	Agjhgngj.exe	98
PID 2668 wrote to memory of 1512	2668	Agjhgngj.exe	98
PID 2668 wrote to memory of 1512	2668	Agjhgngj.exe	98
PID 1512 wrote to memory of 4756	1512	Ajhddjfn.exe	100
PID 1512 wrote to memory of 4756	1512	Ajhddjfn.exe	100
PID 1512 wrote to memory of 4756	1512	Ajhddjfn.exe	100
PID 4756 wrote to memory of 2640	4756	Aabmqd32.exe	101
PID 4756 wrote to memory of 2640	4756	Aabmqd32.exe	101
PID 4756 wrote to memory of 2640	4756	Aabmqd32.exe	101
PID 2640 wrote to memory of 3968	2640	Aglemn32.exe	102
PID 2640 wrote to memory of 3968	2640	Aglemn32.exe	102
PID 2640 wrote to memory of 3968	2640	Aglemn32.exe	102
PID 3968 wrote to memory of 892	3968	Ajkaii32.exe	103
PID 3968 wrote to memory of 892	3968	Ajkaii32.exe	103
PID 3968 wrote to memory of 892	3968	Ajkaii32.exe	103
PID 892 wrote to memory of 3576	892	Aminee32.exe	104
PID 892 wrote to memory of 3576	892	Aminee32.exe	104
PID 892 wrote to memory of 3576	892	Aminee32.exe	104
PID 3576 wrote to memory of 3364	3576	Accfbokl.exe	106
PID 3576 wrote to memory of 3364	3576	Accfbokl.exe	106
PID 3576 wrote to memory of 3364	3576	Accfbokl.exe	106
PID 3364 wrote to memory of 4168	3364	Agoabn32.exe	107
PID 3364 wrote to memory of 4168	3364	Agoabn32.exe	107
PID 3364 wrote to memory of 4168	3364	Agoabn32.exe	107
PID 4168 wrote to memory of 1688	4168	Bnhjohkb.exe	108

C:\Users\Admin\AppData\Local\Temp\0656bbbe239bdf652205c63667a32f30N.exe
"C:\Users\Admin\AppData\Local\Temp\0656bbbe239bdf652205c63667a32f30N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\SysWOW64\Qjoankoi.exe
  C:\Windows\system32\Qjoankoi.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3140
- - C:\Windows\SysWOW64\Qddfkd32.exe
    C:\Windows\system32\Qddfkd32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4364
  - - C:\Windows\SysWOW64\Qcgffqei.exe
      C:\Windows\system32\Qcgffqei.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3956
    - - C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1268
      - C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:672
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3108
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:892
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3576
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3364
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1688
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2064
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2816
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4068
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4468
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3356
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3480
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3000
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:720
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:436
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4684
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2280
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3100
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:112
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:388
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:452
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4020
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4780
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1172
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3448
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2976
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4860
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5076
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4272
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3932
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3180
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        66⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1820
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1232
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3328
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        73⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        74⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1004
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 408
        76⤵
        Program crash
        
        PID:5156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2416 -ip 2416
1⤵
PID:3600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
93KB

MD5
0bd2fca2e0ecbf7bc101df465c9add19

SHA1
8561a6b79cd6138a59602327d9c94cc64567e5d0

SHA256
53471a2487f94edbe0cc71ca34e00df5749a6f161c48db441a3571337327b97f

SHA512
264fafc6ecae38c063e674e0975a77d1392172945c842c9903d1e6d9fafb3016a3f0e75144b2e9b508013551c65f58a002418a598d93c42bcacdbf7137fb5c2c

Download Submit
C:\Windows\SysWOW64\Accfbokl.exe

Filesize
93KB

MD5
90e958958f2b1abfd261c4094ba8b376

SHA1
6d4cf11820275808387040de21a4b12787ea72ed

SHA256
cc8229cb899c8fdd70c1356fb0bf778662d58d534bd64f1b02600e9f259803c5

SHA512
8a7caa24e3fd3b82915a2b87bbaf929bcde7e943a03ff2508662c583a25aa41af3581993aca75205c8e652da2c98485e316f75126d12a0793850768c087a3248

Download Submit
C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
93KB

MD5
3dae439f52eabe4c406b9c99e588fbd9

SHA1
c9b0c6c261701578dcdca922969d0078924f35f9

SHA256
7c8f198876327aa0100716b8fe1a6616353f3faade5416c0a22f00b5c6548e0e

SHA512
faeb4eac52a86f954afd3ce534eb14b78b6f715bf850e3dfebf938bd9ffea5d9cf10f8f0ec98f2344752b994ce1d2ab581fd887fe33868b7e753529a4dbc9113

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
93KB

MD5
3777b72c3dcdb4fa56c72a286cc22cac

SHA1
477615ada1c5ada1496f0d1bc0c779035ce1639b

SHA256
944e5cc73c1bc916586273a651e152b5809fcdb47a9324944f42616ed1c7b8fc

SHA512
0b5b038cf30a4577dd8c55389d7d9546929630a47f2f6e1ac52d1679b12b8117907433a617bcaa3429003895ccf11d0ba0c6368e12d4dd9b76f98d2e5cd66537

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
93KB

MD5
0ac89cca987361b07a016435e49aaa37

SHA1
735e1313827bc6d7e4abfe0208995d2d63f0a09e

SHA256
e49621e5749ab0b34ea97530a90982cca3a4611c7afd532f590468ec6c4e26e6

SHA512
2cb912abc8f07b5e2028a5c16a10c71df49a37a0e03762a521527d0c2bc732e31487a29d9928ead12c7a88fef33a883c6ab09507817f9f05b32ae28cdb90f3ce

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
93KB

MD5
805fc3283684349d7146f7aa14438d18

SHA1
bc01f189caa4367b6762000a0cfaaf5de4080d4b

SHA256
78d0dbb94d0b139f62c4641fa5e7699c76309a37db6250cc335f80ea13ae3696

SHA512
c1df607b895ad35d88472c1b40f6412aea0b492743923e3b201e3b964ad34b2686e8a5f69e4b9f85bb0cd1a15d94a78ac91606ba45a401ac122fadb8cb9e22eb

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
93KB

MD5
63965740b66dc71c3b3abcb5273e6cd7

SHA1
a3e37369fc6123fab33535e4b639630dbe562154

SHA256
ed38984c633823d08ffb2c5b2c4c63bf7e094d7943e73d56efeac30c23826e6a

SHA512
4386410e4e5babebf2481d4858074f0f0ed54dc23dcd26a5e292b6c0d730558028074fd18dbcbcada61a48b7a583a7c88be8b26baf6df538bc6fe6a18b9af400

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
93KB

MD5
7f24877cbc594ec01467ac397237d9c4

SHA1
a443fb6619940b54139ffbc5bc378b25775c7ea8

SHA256
70564c415f88c3480f03cc58252b975e6435b3ff115cd09853d63f16f4e70887

SHA512
e0a6abd8d817812acb397dcc470d9ed245bf5a0351159b2d4c65b2aeff129a65166d21b9ed67dbc651cc52e1d3807adfaeb75ca1bdff82251747a5a7ce311dac

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
93KB

MD5
1dfa8df2505cac2dcf10dd34dc364149

SHA1
5299ac4e70c6f6e073fa4670ee0ceec2c6467880

SHA256
3d522d3aa14b11b1693e02b380cafa46a6bdee4831fa2d3ebcb1267b28540124

SHA512
f50b9ad77fba61d90b9581120677f82059b5195d1f955c8fccf4cae4abef5af4e8766aa1712552340414931eb3728fe06d2ca1eff606e9c46104820f8a6b5c73

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
93KB

MD5
5e32f3d6efa84b63744c5eb0d19c5430

SHA1
4468837783c6c2246c5985a795a2c058f8eb4369

SHA256
2850e49971f8f559672fdadbf37a0260f5148ec7075a07ae9ea1c8afc843842e

SHA512
2c42dcaed1db482d785d4b178c8ab660936c4380f44d002f29b83f0c78ce8f1e002417920b433c76d3532b1b5a86410db3a1a65fea15bbec03e998e925fc84ec

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
93KB

MD5
d057e564299eb55221721b63c1b81164

SHA1
956a6b416c224947721662642049363a4eaeaf42

SHA256
91f12ebce7e4a9a07dab1db43445ede72133a2f43a178c39d6d91781392c557a

SHA512
d63283bdffdf4290aea74cf03c80fe373bab4c8dab596ba598ef6d0cbfb65270d077364bcb6687533e352bf6265824eb50d5eea183f79112dbba646ec5ea4aa4

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
93KB

MD5
d9881d9b914b3d3c243578654b394d3a

SHA1
8b5a887417220c0668ccd4affd83cf81ab618b19

SHA256
47fc83ff67c58afcba535224f5e0bd2a532677e6eeb08e26b7e1b99ee0b83d39

SHA512
be973e7b49ee502c7b91c3f15143951ab9d377eb5d6353da1bf4085df18fe132e09ef539ff91a3875be2a1f88ba20732c89c0409782063bc1e7d3b4ae7dc982a

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
93KB

MD5
6d346b5a76dd9f9a7dcc9c759b1ea84e

SHA1
b93d1fc4da1f49532a4c8c613b6641264fdc4723

SHA256
b7db9a09cb3697e3e4f82d6215b224c344353cecda7861125d942c77ea9100fd

SHA512
a884763462f5e64637212666e6b7eae2eb8bcc2d7a391d32b753ad05b3153c5386436123e6b8ff3ba845ad5f81f8866302fd01c650afeef0a59b4655e36c499c

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
93KB

MD5
35aae6847f7cc477697d61c13189165f

SHA1
5f6b81851f410ddbc337e6965f3331b55d6b0410

SHA256
91995cc8df212b737ca04a28e0176b94b2d7c3dd7943f17c23ea8ca6ce3f98e5

SHA512
dc2b7f1774c0c46afae9ecc864c923d1a0ee153223f516fc6cb520aa0e865fbf89266a44532c09b6c4e1ba3a55cffc6cbd62385981cc886600f16e943bd1db21

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
93KB

MD5
4106ab5513f636fa4eab4e04af60df8f

SHA1
2e71e55ca074583a0a2356e7d95f861e37ec4043

SHA256
5d1ff6968e411105ffa521babce64a9b897a36630795b2a95c040e1df152f9ef

SHA512
6bcdacc77d31fc9ac349cbb17a7ab74c7338dbb458de9e372e100bf4a5f5730d6a31ef34758450e327a7ec612b82a5159af66b581f7466cdb9499d10d482546b

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
93KB

MD5
44260251b14a625cb36ca27ba383d0d9

SHA1
4108bd22674920b575d453de1a2da0680eaf37dd

SHA256
ecd3c2804f039df21dd2efd5ff4f8de9698e4e66407353e4758d51662ff30711

SHA512
7a3ec24f4b8a3baa03073f3050e14780e4a2b54106a4b555ec49a9b452861173dbd5a349bbfb97b8ae286ba9153f83fc246398aa39c7c2f91c7c787e067bce03

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
93KB

MD5
62951ac81c03e9ff0468d6d82d1f3a2e

SHA1
c48404919ee9e389e3c48b38417c4189974f232d

SHA256
1d8f5748be1b7da337d40253674019f8c917fd8185a206c16e6267b270f104c9

SHA512
7c0fd5396135e1c555714aeca59adf7d9e1d2d71db670efaa6edcfaa1871c60f0c02b2e2ffaabff9231e62abbc58c9fb3169bdcd39020fa24234aed6d6c4a841

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
93KB

MD5
540f40be1ddf10c206d5d73fcb643dae

SHA1
780ce4fe923f00c082c0bbf9546e20357c46ea89

SHA256
d9ec869d74324c5dd1a4eecf66ddc17ad1cd7c26945d10c92d6c127593220179

SHA512
bb0480921c5846a58b469384f85a1468200b18c57047bb516845496df40eecc00c5f62675ce9ab59da22e6ea9728c1ab7f07e5fb0e3837f660a3a476abdf342d

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
93KB

MD5
4756f368f3dfdffb0e16168591dbf396

SHA1
e54792c92f88888ca4565490dbd62a44ea0d1ac9

SHA256
7110e34d6de07a2f6c3c773db594210e4d89e23e1cf48274c4d98ded37917a8b

SHA512
2edefe0ff8dcc50fbb6749e1d2cb74a9b776fa3a610c47f3dfee77d214f5e4738f11748b92a5ad4876279504f5d279cb27d11741ef6203189ce625fd719bfe62

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
93KB

MD5
f5b1f9252c67042dd903c05a95a36df9

SHA1
fa34aa249be464c7941d712208119bdc14baf456

SHA256
412f9636214326663ab6690195f96223a8d8bcfa5879d66af6eb5dd68e058116

SHA512
adbd6d44a940b733e5d910ebe03f2ebdc2333a8622eb5ab0eb2ed41a7c390aad8ea994013c71d099966753e7f15cff22946980542cff458f68f61c8d4a9f8695

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
93KB

MD5
89aad56534ff2bf8d752f43a5a491ee0

SHA1
50447570f6c910c420588d1b43bebbb2492fa7ac

SHA256
521b86e0a59c5e22d7a738afb441d02e8f0d05a11ff4f77d967f1027bf10ed9c

SHA512
8a446aec4bfd31865b1dd48ce413d2b8c5d3f011772acd18877d85017ebf7a860bfa049914ddb402154f4bc33a1ce01294da206ac05d9742c274227842e9cd6d

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
93KB

MD5
27679d9c48405709a6dec6d9fb91e2f1

SHA1
fa24281c98144dca3d5f8d3f7996a94b688f7779

SHA256
11442c7894b6a3ef8c302d7173e24051d48010ece886c781e1897bc230411e57

SHA512
6669cf4d63d327ba02d13b5db9b9ad38758c7b05e74396f2773c3c38780370b56ee81de2a97b085d4064db5e0a590d76f12fca10b3fecc348e83dafa36888527

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
93KB

MD5
fd945ee11339f6188d7741f9a17e949d

SHA1
ef2f1b1ebf2468f628f40110e56953fc2ecfee4b

SHA256
4ff4df2d665b2aa6d29704b170326a3b01988065039058342dd655e7a424b6a1

SHA512
b8afcae3028c03c382a25fa20300c3c795cab7db3838213b430ad783695237889c9ab8acf1d7f432f39d63fdf278d047e6f22fed37123e42224dd08104b7dc58

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
93KB

MD5
6d9d14ed214634e59df03f2badaef84a

SHA1
ab929dd6a3c8cf0c4ca22b497a46bc97b58aa01f

SHA256
64077c663f1ccc3c278700071d0e9ad45dd050af85002ad0fcebc9441da5376c

SHA512
4c0c909059a6fed15826d6d0b6151d9f1ffd3615bf0b0fb1d0752128a8a947ff557d91b19ad52069007942f52d58ab83a4243faad9fbb0a3a3fd5456c05a5711

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
93KB

MD5
c9125e1cb003045de469b782201a67df

SHA1
22dba0bd6c65c4cc6a0f560dfea0494b2c4dceb5

SHA256
0aff3333050a63da446f25475578f6bada950370482f4878317cbed896bf6716

SHA512
d537e7ae6db57c294a93c34faa5657541ccd7a860a316c1459b04bef8ae7bfb0226fddafc7f1a645aa85ddd32c87c2c7db953c24fb9a8498fd0ba97dbb154157

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
93KB

MD5
58d0c9cffcc3c82246866d486dfdce49

SHA1
97fee36012d637dd8feb40e16cbaedd289f84455

SHA256
d9ddb7ae4c15e7b9433de9e77bcacae7950f537672c0d30c5c496fab4b1a6deb

SHA512
045251d9817cb3908d37b66370857b98e6f7455fe08bbd497f7eaf940feae65a4fd419cf9626d2130391a6e52e86119ed0ee3da9214b3e440fda4448d5891f73

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
93KB

MD5
838732c188f2eddbc2d729e9889dad5b

SHA1
79f4ddb36de7a0c27469e0188ee56a342400d394

SHA256
d6ff160aa59672bf934c2ea1ff78c486046a5b951f8269e1cf2fc9b37c55aa32

SHA512
e03139a13fed5f54ebd34f5e3939058f1138341e4ef814593667e297a82bfb15fb16dcce71361e54f3c0072becaf0cfa572eba5dd2985a6cfae22df93bb0ae7b

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
93KB

MD5
036b6ea1e4728749d3f8413b7caa0046

SHA1
fb722e93003086062759c7d467902a31810dc4e7

SHA256
0fadda11b2518df568117571d2cdd34c502de798f05b981895309c063c7cc705

SHA512
79521208476a81ce801b4578d30341416419ff868580a349ab59431f0b18b571d73798553cbc2b92f2bc5c6ee3cdba1ed8cf3582fbdbd5a2e29eb6f6d7f8df37

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
93KB

MD5
bae0b5a64c8832e64dd93fa3694c5f54

SHA1
4558534493661bb9004d25602691ab00db3156f9

SHA256
a48397f99397b6475ea9608c0f2c6bd4414680ad22c0deee61003ecfa67e52b1

SHA512
e685d12f5d4152fc7273de3ccd0561ae63ef56cdf21708d9113e15befe5289c935d19439a2c9d6c198beab21a65987cb56b0e01e288db589867773b523f23463

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
93KB

MD5
85cd888a6e66f74ef19f93e0a98d9dee

SHA1
26039fb0dd7af405eacbd3ce63bcfeb06fbc6f35

SHA256
b059bcf83f88f3eebf817a91d3e047445923ea6d7e7b20b90cbfb7e061a8712d

SHA512
7b35bfa1e51ebd802cd406390086b5bb7fcfb116c81ca3a3113b3f12b34241886e4cec96f97302e38f9bd97bafc864ff3fe2cd9d339cdc0fe16d7428d3e9c7bd

Download Submit
C:\Windows\SysWOW64\Ddmaok32.exe

Filesize
93KB

MD5
8f6cf3269aa44fa88f326cb1a9930cc3

SHA1
7728231289cd3fce4e92420ffb18fdf593fe5d2e

SHA256
9850a332659d72fce61014df7931c3ef56f97187a6c3c51d69cada1a9bcc8e75

SHA512
d51b0c2aa7d11d37ecb08c18d6b0946f33b461b5041c9e69ae2fb655418ff289c8c28d280db21732d4309b8bbb6faaa7ecb23ddc6205562de606cc9ffb039777

Download Submit
C:\Windows\SysWOW64\Pkmlea32.dll

Filesize
7KB

MD5
3c0af34148c7c22f3b43ab3e8ee844b5

SHA1
b8040eaf68dbfa68b9a5a98549b01878be08b399

SHA256
ec13667f2a7539075165d33c78d75ca7ce0ea6f40d9006c2b7152d9f1ba7330d

SHA512
0a26eec96b28f37491c68db348e1bd7dbd81c8bd9e5bd5592fb2def32fdc110c9e0d6cb2ea39169c0aed331b7ecf8605dff50182040abeb79115e9f470538ba4

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
93KB

MD5
aca05a21cb4b23fd92a154e3716b2b1a

SHA1
e9cb4383b3a79c85bd7ba2212e50cb52ae196602

SHA256
2549dddeff681452f92a768a45ea43fc8fb0e6e433f96dc0e254666763fa61f1

SHA512
0b60d261fe5e16af2bc9b52ad8b9d5f0eb1fd1980e3f06260f8c22d95ee4a7e9e0ae3d91078dcc4f8517b60a922e3b3df543d18aac8d4ffbe9b3b37473b62914

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
93KB

MD5
6c12750ffe3b7e2b7d07ab544b3f7a47

SHA1
7338c729f1236bf68dc7225204e426f0b1693faa

SHA256
eb47dd99de1bb5099739fa82dd6f2b2f3252f6e090ecfaf8424410b2f6722e31

SHA512
78ac2ba900b3e76e172b6f6b90db4c8646ee8b76560735b8d83a6585a6597a52b5a674047a56890cede469f0a12dd1c40989dd6c87530a6e3ba34b69d4b00b55

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
93KB

MD5
45b87a683681fb20b99128ad6d660bbb

SHA1
658e37e298cd1549ebeeaea49c10102a07a86082

SHA256
e183e0366bb2b8857362d4a9f84619708f1d99dafc373f1f1b59a6b464608d29

SHA512
98e5857f3405fbbf6a47821ac812bdd6ada2f33b380de510dbfb7adfab42261969f66cc837d0172deb4aa263c84557323672b8cfaafe095701c24c51da7b1768

Download Submit
memory/112-322-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/388-340-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/436-278-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/452-352-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/672-39-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/720-268-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/892-143-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/936-204-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1004-502-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1004-510-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1172-382-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1232-460-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1232-517-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1268-31-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1388-72-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1512-111-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1588-316-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1636-496-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1636-511-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1648-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1688-175-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1720-328-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1820-518-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1820-454-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2012-370-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2024-87-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2064-196-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2220-334-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2280-292-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2416-508-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2416-509-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2440-95-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2444-526-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2444-406-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2612-298-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2640-127-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2644-183-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2668-103-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2688-304-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2700-215-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2752-280-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2816-208-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2864-527-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2864-400-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2912-515-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2912-472-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2976-528-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2976-394-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3000-256-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3100-314-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3108-47-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3140-7-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3180-442-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3180-520-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3328-466-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3328-516-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3356-240-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3364-159-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3448-388-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3448-529-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3480-247-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3576-152-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3932-430-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3932-522-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3952-63-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3956-23-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3968-136-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3988-376-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4020-358-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4056-80-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4068-223-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4116-55-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4168-168-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4272-424-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4272-523-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4320-350-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4364-15-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4468-232-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4544-490-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4544-512-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4560-478-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4560-514-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4684-286-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4752-262-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4756-119-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4760-513-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4760-484-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4780-368-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4788-521-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4788-436-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4860-525-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4860-412-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4912-448-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4912-519-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5076-524-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5076-418-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads