8e820646ec5333a645592e0867f34aa20e72d5cc0874102d697678167825297f

Analysis

max time kernel
113s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 18:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

044027ad151d25f7c2d0e0eedef96f30N.exe
Size

512KB
MD5

044027ad151d25f7c2d0e0eedef96f30
SHA1

365dfc3044b6d329654d12cb5df49156e7b7441a
SHA256

8e820646ec5333a645592e0867f34aa20e72d5cc0874102d697678167825297f
SHA512

7a56167debc26adaf54cc145e8aa2ce4928a99573bd7ca2b002b2e9b7e44bc0bbd39e85296b0c4d074af96adbaad3d498d49d684ebc309a7b37454d677d80f32
SSDEEP

6144:pA4S02ordQt383PQ///NR5fKr2n0MO3LPlkUCmVs5bPQ///NR5fjlt01PB93GxK:1S0cr/Ng1/Nblt01PBExK

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 50 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akphfbbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmomnlne.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dilddl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dilddl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aofklbnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmecokhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogpfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkbnhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfblmofp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbljgpja.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcgik32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnpeijla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkpabqoa.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aofklbnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Denknngk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akphfbbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoffd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmoaoikj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cppjadhk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjikaa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqldpfmh.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmoaoikj.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkbnhq32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcgik32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Denknngk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogpfc32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkekmp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	044027ad151d25f7c2d0e0eedef96f30N.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoffd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Akbelbpi.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjlkhn32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbljgpja.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cppjadhk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmecokhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgfmlp32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bkdbab32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cogdhpkp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Akbelbpi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjlkhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjikaa32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cogdhpkp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmomnlne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkekmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqldpfmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnpeijla.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkpabqoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	044027ad151d25f7c2d0e0eedef96f30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bkdbab32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfblmofp.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgfmlp32.exe

Executes dropped EXE 25 IoCs

pid	Process
2184	Qqldpfmh.exe
2316	Qgfmlp32.exe
580	Qnpeijla.exe
2772	Aofklbnj.exe
2864	Akphfbbl.exe
3044	Akbelbpi.exe
2828	Bkdbab32.exe
1600	Bcoffd32.exe
2752	Bjlkhn32.exe
2960	Bfblmofp.exe
1316	Bmoaoikj.exe
1824	Cbljgpja.exe
1828	Cppjadhk.exe
2196	Cjikaa32.exe
1372	Cogdhpkp.exe
1844	Dkpabqoa.exe
1300	Dmomnlne.exe
2236	Dkbnhq32.exe
2428	Dkekmp32.exe
1884	Dmcgik32.exe
2424	Denknngk.exe
2944	Dmecokhm.exe
1776	Dogpfc32.exe
1676	Dilddl32.exe
1928	Eceimadb.exe

Loads dropped DLL 54 IoCs

pid	Process
3068	044027ad151d25f7c2d0e0eedef96f30N.exe
3068	044027ad151d25f7c2d0e0eedef96f30N.exe
2184	Qqldpfmh.exe
2184	Qqldpfmh.exe
2316	Qgfmlp32.exe
2316	Qgfmlp32.exe
580	Qnpeijla.exe
580	Qnpeijla.exe
2772	Aofklbnj.exe
2772	Aofklbnj.exe
2864	Akphfbbl.exe
2864	Akphfbbl.exe
3044	Akbelbpi.exe
3044	Akbelbpi.exe
2828	Bkdbab32.exe
2828	Bkdbab32.exe
1600	Bcoffd32.exe
1600	Bcoffd32.exe
2752	Bjlkhn32.exe
2752	Bjlkhn32.exe
2960	Bfblmofp.exe
2960	Bfblmofp.exe
1316	Bmoaoikj.exe
1316	Bmoaoikj.exe
1824	Cbljgpja.exe
1824	Cbljgpja.exe
1828	Cppjadhk.exe
1828	Cppjadhk.exe
2196	Cjikaa32.exe
2196	Cjikaa32.exe
1372	Cogdhpkp.exe
1372	Cogdhpkp.exe
1844	Dkpabqoa.exe
1844	Dkpabqoa.exe
1300	Dmomnlne.exe
1300	Dmomnlne.exe
2236	Dkbnhq32.exe
2236	Dkbnhq32.exe
2428	Dkekmp32.exe
2428	Dkekmp32.exe
1884	Dmcgik32.exe
1884	Dmcgik32.exe
2424	Denknngk.exe
2424	Denknngk.exe
2944	Dmecokhm.exe
2944	Dmecokhm.exe
1776	Dogpfc32.exe
1776	Dogpfc32.exe
1676	Dilddl32.exe
1676	Dilddl32.exe
1628	WerFault.exe
1628	WerFault.exe
1628	WerFault.exe
1628	WerFault.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bjlkhn32.exe	Bcoffd32.exe
File opened for modification	C:\Windows\SysWOW64\Cbljgpja.exe	Bmoaoikj.exe
File created	C:\Windows\SysWOW64\Bjallnfe.dll	Cjikaa32.exe
File opened for modification	C:\Windows\SysWOW64\Denknngk.exe	Dmcgik32.exe
File opened for modification	C:\Windows\SysWOW64\Dogpfc32.exe	Dmecokhm.exe
File created	C:\Windows\SysWOW64\Modipl32.dll	Dkekmp32.exe
File created	C:\Windows\SysWOW64\Cjehbgng.dll	Qqldpfmh.exe
File opened for modification	C:\Windows\SysWOW64\Akbelbpi.exe	Akphfbbl.exe
File created	C:\Windows\SysWOW64\Bfblmofp.exe	Bjlkhn32.exe
File created	C:\Windows\SysWOW64\Nemfepee.dll	Bfblmofp.exe
File created	C:\Windows\SysWOW64\Cdmbfk32.dll	Dmomnlne.exe
File opened for modification	C:\Windows\SysWOW64\Dmcgik32.exe	Dkekmp32.exe
File created	C:\Windows\SysWOW64\Jahonm32.dll	Qnpeijla.exe
File created	C:\Windows\SysWOW64\Dmcgik32.exe	Dkekmp32.exe
File created	C:\Windows\SysWOW64\Mohkpn32.dll	Dmcgik32.exe
File opened for modification	C:\Windows\SysWOW64\Akphfbbl.exe	Aofklbnj.exe
File created	C:\Windows\SysWOW64\Bmoaoikj.exe	Bfblmofp.exe
File opened for modification	C:\Windows\SysWOW64\Dkpabqoa.exe	Cogdhpkp.exe
File opened for modification	C:\Windows\SysWOW64\Dkekmp32.exe	Dkbnhq32.exe
File created	C:\Windows\SysWOW64\Hbbhogeg.dll	Bkdbab32.exe
File opened for modification	C:\Windows\SysWOW64\Bmoaoikj.exe	Bfblmofp.exe
File created	C:\Windows\SysWOW64\Dmomnlne.exe	Dkpabqoa.exe
File created	C:\Windows\SysWOW64\Hlokefce.dll	Dkpabqoa.exe
File created	C:\Windows\SysWOW64\Aofklbnj.exe	Qnpeijla.exe
File created	C:\Windows\SysWOW64\Cppjadhk.exe	Cbljgpja.exe
File created	C:\Windows\SysWOW64\Cogdhpkp.exe	Cjikaa32.exe
File opened for modification	C:\Windows\SysWOW64\Dmomnlne.exe	Dkpabqoa.exe
File opened for modification	C:\Windows\SysWOW64\Dilddl32.exe	Dogpfc32.exe
File opened for modification	C:\Windows\SysWOW64\Aofklbnj.exe	Qnpeijla.exe
File created	C:\Windows\SysWOW64\Omjkkb32.dll	Akbelbpi.exe
File created	C:\Windows\SysWOW64\Cpeocnpg.dll	Bmoaoikj.exe
File created	C:\Windows\SysWOW64\Eodpobjn.dll	Cbljgpja.exe
File created	C:\Windows\SysWOW64\Djnbkg32.dll	Dogpfc32.exe
File created	C:\Windows\SysWOW64\Eceimadb.exe	Dilddl32.exe
File created	C:\Windows\SysWOW64\Qgfmlp32.exe	Qqldpfmh.exe
File opened for modification	C:\Windows\SysWOW64\Bcoffd32.exe	Bkdbab32.exe
File created	C:\Windows\SysWOW64\Lekfhb32.dll	Bjlkhn32.exe
File created	C:\Windows\SysWOW64\Dkpabqoa.exe	Cogdhpkp.exe
File created	C:\Windows\SysWOW64\Dilddl32.exe	Dogpfc32.exe
File opened for modification	C:\Windows\SysWOW64\Qqldpfmh.exe	044027ad151d25f7c2d0e0eedef96f30N.exe
File created	C:\Windows\SysWOW64\Bkdbab32.exe	Akbelbpi.exe
File opened for modification	C:\Windows\SysWOW64\Bfblmofp.exe	Bjlkhn32.exe
File created	C:\Windows\SysWOW64\Kbqgpc32.dll	Cogdhpkp.exe
File opened for modification	C:\Windows\SysWOW64\Bjlkhn32.exe	Bcoffd32.exe
File created	C:\Windows\SysWOW64\Dogpfc32.exe	Dmecokhm.exe
File created	C:\Windows\SysWOW64\Qqldpfmh.exe	044027ad151d25f7c2d0e0eedef96f30N.exe
File created	C:\Windows\SysWOW64\Akphfbbl.exe	Aofklbnj.exe
File opened for modification	C:\Windows\SysWOW64\Bkdbab32.exe	Akbelbpi.exe
File created	C:\Windows\SysWOW64\Denknngk.exe	Dmcgik32.exe
File created	C:\Windows\SysWOW64\Dmecokhm.exe	Denknngk.exe
File created	C:\Windows\SysWOW64\Bfkfbm32.dll	Dilddl32.exe
File created	C:\Windows\SysWOW64\Bopplhfm.dll	044027ad151d25f7c2d0e0eedef96f30N.exe
File created	C:\Windows\SysWOW64\Biepbeqa.dll	Qgfmlp32.exe
File created	C:\Windows\SysWOW64\Abgqlf32.dll	Aofklbnj.exe
File opened for modification	C:\Windows\SysWOW64\Cppjadhk.exe	Cbljgpja.exe
File opened for modification	C:\Windows\SysWOW64\Dkbnhq32.exe	Dmomnlne.exe
File created	C:\Windows\SysWOW64\Jjgmammj.dll	Dkbnhq32.exe
File created	C:\Windows\SysWOW64\Nkpbdj32.dll	Dmecokhm.exe
File created	C:\Windows\SysWOW64\Qnpeijla.exe	Qgfmlp32.exe
File created	C:\Windows\SysWOW64\Naagof32.dll	Akphfbbl.exe
File created	C:\Windows\SysWOW64\Nadann32.dll	Cppjadhk.exe
File opened for modification	C:\Windows\SysWOW64\Cogdhpkp.exe	Cjikaa32.exe
File created	C:\Windows\SysWOW64\Dkbnhq32.exe	Dmomnlne.exe
File opened for modification	C:\Windows\SysWOW64\Dmecokhm.exe	Denknngk.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1628	1928	WerFault.exe	54

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbljgpja.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cppjadhk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	044027ad151d25f7c2d0e0eedef96f30N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnpeijla.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmomnlne.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkekmp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqldpfmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akbelbpi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgfmlp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoffd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfblmofp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmoaoikj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dilddl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cogdhpkp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkpabqoa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogpfc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Eceimadb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aofklbnj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Akphfbbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bkdbab32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjikaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkbnhq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjlkhn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcgik32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Denknngk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmecokhm.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdmbfk32.dll"	Dmomnlne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjehbgng.dll"	Qqldpfmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmoaoikj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cbljgpja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjikaa32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogpfc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dilddl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jahonm32.dll"	Qnpeijla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjlkhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nemfepee.dll"	Bfblmofp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cogdhpkp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmomnlne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mohkpn32.dll"	Dmcgik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djbfepid.dll"	Denknngk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmecokhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qqldpfmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bkdbab32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjlkhn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfblmofp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpeocnpg.dll"	Bmoaoikj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nadann32.dll"	Cppjadhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmomnlne.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjgmammj.dll"	Dkbnhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcenpoif.dll"	Bcoffd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lekfhb32.dll"	Bjlkhn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfblmofp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkbnhq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aofklbnj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Akphfbbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akbelbpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cogdhpkp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkbnhq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naagof32.dll"	Akphfbbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cppjadhk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjikaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	044027ad151d25f7c2d0e0eedef96f30N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkpabqoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Denknngk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnbkg32.dll"	Dogpfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dilddl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	044027ad151d25f7c2d0e0eedef96f30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abgqlf32.dll"	Aofklbnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjallnfe.dll"	Cjikaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biepbeqa.dll"	Qgfmlp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgfmlp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogpfc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cbljgpja.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkekmp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkekmp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Denknngk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfkfbm32.dll"	Dilddl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	044027ad151d25f7c2d0e0eedef96f30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qnpeijla.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmoaoikj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Akphfbbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkpabqoa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmecokhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Modipl32.dll"	Dkekmp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcgik32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bopplhfm.dll"	044027ad151d25f7c2d0e0eedef96f30N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aofklbnj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omjkkb32.dll"	Akbelbpi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoffd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cppjadhk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2184	3068	044027ad151d25f7c2d0e0eedef96f30N.exe	30
PID 3068 wrote to memory of 2184	3068	044027ad151d25f7c2d0e0eedef96f30N.exe	30
PID 3068 wrote to memory of 2184	3068	044027ad151d25f7c2d0e0eedef96f30N.exe	30
PID 3068 wrote to memory of 2184	3068	044027ad151d25f7c2d0e0eedef96f30N.exe	30
PID 2184 wrote to memory of 2316	2184	Qqldpfmh.exe	31
PID 2184 wrote to memory of 2316	2184	Qqldpfmh.exe	31
PID 2184 wrote to memory of 2316	2184	Qqldpfmh.exe	31
PID 2184 wrote to memory of 2316	2184	Qqldpfmh.exe	31
PID 2316 wrote to memory of 580	2316	Qgfmlp32.exe	32
PID 2316 wrote to memory of 580	2316	Qgfmlp32.exe	32
PID 2316 wrote to memory of 580	2316	Qgfmlp32.exe	32
PID 2316 wrote to memory of 580	2316	Qgfmlp32.exe	32
PID 580 wrote to memory of 2772	580	Qnpeijla.exe	33
PID 580 wrote to memory of 2772	580	Qnpeijla.exe	33
PID 580 wrote to memory of 2772	580	Qnpeijla.exe	33
PID 580 wrote to memory of 2772	580	Qnpeijla.exe	33
PID 2772 wrote to memory of 2864	2772	Aofklbnj.exe	34
PID 2772 wrote to memory of 2864	2772	Aofklbnj.exe	34
PID 2772 wrote to memory of 2864	2772	Aofklbnj.exe	34
PID 2772 wrote to memory of 2864	2772	Aofklbnj.exe	34
PID 2864 wrote to memory of 3044	2864	Akphfbbl.exe	35
PID 2864 wrote to memory of 3044	2864	Akphfbbl.exe	35
PID 2864 wrote to memory of 3044	2864	Akphfbbl.exe	35
PID 2864 wrote to memory of 3044	2864	Akphfbbl.exe	35
PID 3044 wrote to memory of 2828	3044	Akbelbpi.exe	36
PID 3044 wrote to memory of 2828	3044	Akbelbpi.exe	36
PID 3044 wrote to memory of 2828	3044	Akbelbpi.exe	36
PID 3044 wrote to memory of 2828	3044	Akbelbpi.exe	36
PID 2828 wrote to memory of 1600	2828	Bkdbab32.exe	37
PID 2828 wrote to memory of 1600	2828	Bkdbab32.exe	37
PID 2828 wrote to memory of 1600	2828	Bkdbab32.exe	37
PID 2828 wrote to memory of 1600	2828	Bkdbab32.exe	37
PID 1600 wrote to memory of 2752	1600	Bcoffd32.exe	38
PID 1600 wrote to memory of 2752	1600	Bcoffd32.exe	38
PID 1600 wrote to memory of 2752	1600	Bcoffd32.exe	38
PID 1600 wrote to memory of 2752	1600	Bcoffd32.exe	38
PID 2752 wrote to memory of 2960	2752	Bjlkhn32.exe	39
PID 2752 wrote to memory of 2960	2752	Bjlkhn32.exe	39
PID 2752 wrote to memory of 2960	2752	Bjlkhn32.exe	39
PID 2752 wrote to memory of 2960	2752	Bjlkhn32.exe	39
PID 2960 wrote to memory of 1316	2960	Bfblmofp.exe	40
PID 2960 wrote to memory of 1316	2960	Bfblmofp.exe	40
PID 2960 wrote to memory of 1316	2960	Bfblmofp.exe	40
PID 2960 wrote to memory of 1316	2960	Bfblmofp.exe	40
PID 1316 wrote to memory of 1824	1316	Bmoaoikj.exe	41
PID 1316 wrote to memory of 1824	1316	Bmoaoikj.exe	41
PID 1316 wrote to memory of 1824	1316	Bmoaoikj.exe	41
PID 1316 wrote to memory of 1824	1316	Bmoaoikj.exe	41
PID 1824 wrote to memory of 1828	1824	Cbljgpja.exe	42
PID 1824 wrote to memory of 1828	1824	Cbljgpja.exe	42
PID 1824 wrote to memory of 1828	1824	Cbljgpja.exe	42
PID 1824 wrote to memory of 1828	1824	Cbljgpja.exe	42
PID 1828 wrote to memory of 2196	1828	Cppjadhk.exe	43
PID 1828 wrote to memory of 2196	1828	Cppjadhk.exe	43
PID 1828 wrote to memory of 2196	1828	Cppjadhk.exe	43
PID 1828 wrote to memory of 2196	1828	Cppjadhk.exe	43
PID 2196 wrote to memory of 1372	2196	Cjikaa32.exe	44
PID 2196 wrote to memory of 1372	2196	Cjikaa32.exe	44
PID 2196 wrote to memory of 1372	2196	Cjikaa32.exe	44
PID 2196 wrote to memory of 1372	2196	Cjikaa32.exe	44
PID 1372 wrote to memory of 1844	1372	Cogdhpkp.exe	45
PID 1372 wrote to memory of 1844	1372	Cogdhpkp.exe	45
PID 1372 wrote to memory of 1844	1372	Cogdhpkp.exe	45
PID 1372 wrote to memory of 1844	1372	Cogdhpkp.exe	45

C:\Users\Admin\AppData\Local\Temp\044027ad151d25f7c2d0e0eedef96f30N.exe
"C:\Users\Admin\AppData\Local\Temp\044027ad151d25f7c2d0e0eedef96f30N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\SysWOW64\Qqldpfmh.exe
  C:\Windows\system32\Qqldpfmh.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\SysWOW64\Qgfmlp32.exe
    C:\Windows\system32\Qgfmlp32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Windows\SysWOW64\Qnpeijla.exe
      C:\Windows\system32\Qnpeijla.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:580
    - - C:\Windows\SysWOW64\Aofklbnj.exe
        
        C:\Windows\system32\Aofklbnj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2772
      - C:\Windows\SysWOW64\Akphfbbl.exe
        
        C:\Windows\system32\Akphfbbl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\SysWOW64\Akbelbpi.exe
        
        C:\Windows\system32\Akbelbpi.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\SysWOW64\Bkdbab32.exe
        
        C:\Windows\system32\Bkdbab32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\SysWOW64\Bcoffd32.exe
        
        C:\Windows\system32\Bcoffd32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\SysWOW64\Bjlkhn32.exe
        
        C:\Windows\system32\Bjlkhn32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\SysWOW64\Bfblmofp.exe
        
        C:\Windows\system32\Bfblmofp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Bmoaoikj.exe
        
        C:\Windows\system32\Bmoaoikj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Windows\SysWOW64\Cbljgpja.exe
        
        C:\Windows\system32\Cbljgpja.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\Cppjadhk.exe
        
        C:\Windows\system32\Cppjadhk.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Windows\SysWOW64\Cjikaa32.exe
        
        C:\Windows\system32\Cjikaa32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Cogdhpkp.exe
        
        C:\Windows\system32\Cogdhpkp.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\SysWOW64\Dkpabqoa.exe
        
        C:\Windows\system32\Dkpabqoa.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1844
        
        C:\Windows\SysWOW64\Dmomnlne.exe
        
        C:\Windows\system32\Dmomnlne.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1300
        
        C:\Windows\SysWOW64\Dkbnhq32.exe
        
        C:\Windows\system32\Dkbnhq32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\Dkekmp32.exe
        
        C:\Windows\system32\Dkekmp32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2428
        
        C:\Windows\SysWOW64\Dmcgik32.exe
        
        C:\Windows\system32\Dmcgik32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1884
        
        C:\Windows\SysWOW64\Denknngk.exe
        
        C:\Windows\system32\Denknngk.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Dmecokhm.exe
        
        C:\Windows\system32\Dmecokhm.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Dogpfc32.exe
        
        C:\Windows\system32\Dogpfc32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\Dilddl32.exe
        
        C:\Windows\system32\Dilddl32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1676
        
        C:\Windows\SysWOW64\Eceimadb.exe
        
        C:\Windows\system32\Eceimadb.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 140
        27⤵
        Loads dropped DLL
        Program crash
        
        PID:1628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aofklbnj.exe

Filesize
512KB

MD5
89f8a38be1728394c08fe74403b2c021

SHA1
55cabfb6a9588581b34e241f7ad76b23f9422eea

SHA256
d903c051c8d09fb35abf302a88c156fdbaac41e0e9abe5fb32ab7a319b43a529

SHA512
6a3699d72fd51b59da9a81cecdf28d35adb1afc9faa7364de72ca7b3052d0f99839e20d3218bb1085469995743d515434806704f9c28df2c1a7e2dcb0cfb08be

Download Submit
C:\Windows\SysWOW64\Bfblmofp.exe

Filesize
512KB

MD5
fb0e253ae2ca51c0b3d6f85acde9485d

SHA1
6cc32477fb8db12315166f0e9b599aee88a4e38f

SHA256
7426f75156da9f6c4b1ecadc21f618e56498ea189ac737a73ebc29e404515163

SHA512
34a21326e6fc1af00baf3a47f8000f94e4a9e0fa05db9ee81718ee5c2019b7da79adf296ee7973e377097e3a0679b7940d2b1ef5c0b69cd3cefbd0ad0b7b0168

Download Submit
C:\Windows\SysWOW64\Cbljgpja.exe

Filesize
512KB

MD5
ad5184861b89d776b2cc97a322ea8b4b

SHA1
945a692c85a3b17c134c3c7edd0f2a24a2417dc2

SHA256
1939b8461fd15b4cf562731f69ebbf5623dd15d3be07a7d63d6465a0bf186dfe

SHA512
4ec3fa3e1387f326b497bb0089f349e3bb53c7adfaec1c2447589894bdd8522f8c542348475c5f419081bda4ed2cbdeb9108bb0efa1de1f8f7d4527f08dd4349

Download Submit
C:\Windows\SysWOW64\Cjikaa32.exe

Filesize
512KB

MD5
2c0d0a01684781e1fe1f881725aa50e6

SHA1
a672f987e57531825b3b7dfe88a64c3ac3ae6156

SHA256
a5e19c88fb77ffb707803c5edb80aa515c607c1ae7c9cf45bb2889c76c9d410e

SHA512
1a0e038df5795331509493a790445871459409b2e1e4372ce37c197d304d17f99200e9f294b0b7699065d19083971607e0ce1e89634b94ce991fb2d950469818

Download Submit
C:\Windows\SysWOW64\Denknngk.exe

Filesize
512KB

MD5
ff894ffcc132c4b1fc30418e4b49d653

SHA1
8b0c2fd02b68513b6f9d273a8e523ff58f848d98

SHA256
c62305655d906325b896bd1d53e998c2ea9ba16121d52f297ec8aa4a56a6bce1

SHA512
c1581b49ee30b43ef666df4bc37b12ef4420d90ed5b0c81bd0364fcd04c5d1be494f91c107766fd96969b05c161324bfed1a6f99f53c19b94687a82496c0e36a

Download Submit
C:\Windows\SysWOW64\Dilddl32.exe

Filesize
512KB

MD5
ca6b98a613b8e58ac0b7c26c6877e852

SHA1
09a318b35afb1cc278521118b5fc1c73c0fffca0

SHA256
baa50f3ee851668e356e5bbfc8e91abd62cfb3ba26857e885919c25d34966313

SHA512
69a425daadfbf688f70bb893a87679b44b7de5a3e818827d55b60fee2da95bba0fa61780607d18ca2c34ef5566e699778d2b6518a303a87efcc9176648eb5432

Download Submit
C:\Windows\SysWOW64\Dkbnhq32.exe

Filesize
512KB

MD5
dab8cfe62234fc73388dce1e4aa6c6c5

SHA1
8eb09b46a980582df0131fa2116c8f506e62f51e

SHA256
5a3d43eceb78fa076f800dbe5738e82e8574ef6bb6079ee786b9792865c94a5f

SHA512
bd7583ec601aebb4344bcb6f79119ee9738c4d57cd9c1a6ce24ab663bdef4246ed01fa35ad3c28fa27fe6c35868e22cf0c237c27c402bc330c7e251d6c765f6b

Download Submit
C:\Windows\SysWOW64\Dkekmp32.exe

Filesize
512KB

MD5
d6a94f82d766017e98c7627758eb4ef6

SHA1
ff320c441d147bc0dd0b988f08adb0b46d3ea2b0

SHA256
9eb096a0ad68db5e1de3c31f2e4b643f52d2db8fcee5663281be986ba6420b58

SHA512
2a018c86536701d0336b9833f091f373d1c3442406d92527d0a5b5511be70fc22b9194e838e9dacfe6f2d03ec632c63b0088374ed33ea96dd0b93b30db6770b9

Download Submit
C:\Windows\SysWOW64\Dmcgik32.exe

Filesize
512KB

MD5
668486999c4b5f1cf3fcafe530292217

SHA1
5d65687a35454ac49e506172fc8afb7f47f5ff0f

SHA256
eafd74ce9d5930f21b6bb8ab3ee6d2f9dcdff28bab0adf96ed2270742f8f7a9c

SHA512
386ead3e7b303f8779b854665f38e0ae4d337389df1b7d230732802c07eade0df052871aad2f408916ce67a692f7b6ab47d2421366969decd30cd670c780b3a0

Download Submit
C:\Windows\SysWOW64\Dmecokhm.exe

Filesize
512KB

MD5
bc0bc77d7e5d600dfe6abb50ca7a1b1a

SHA1
2ae81bf263a9082ecf833084da9791aef4969bfd

SHA256
5bb6c1f565673f689b9187ad1465e1632cfc92c13aa58e026a54f6e1bb4f1fca

SHA512
c744ad9ef4f0b8ada4dd4baac2a22569a063471599075e5b7e8516e6e722493517b35d0fd187d61d8e5f2a1d6eaa2e218ede1c1b09543d21d0576f6e66d961ce

Download Submit
C:\Windows\SysWOW64\Dmomnlne.exe

Filesize
512KB

MD5
399b1e736cf38b540850b47d0f1cc4a4

SHA1
186bdcf9dec5652c3521a506d08cccfefc130d62

SHA256
cf1e839e78f8850dd3ec38a3b8c58e00251c7167ec8079169c204c3e597245c3

SHA512
930df6187d83a5b1dcdb054826399519dac0413a1d97738c6b90efee2f2a46bccd35ef8bd8a8cec12bff2f4e5b20a3979430e5c7fe08cfe4fbbcc0e037df313b

Download Submit
C:\Windows\SysWOW64\Dogpfc32.exe

Filesize
512KB

MD5
3c35ba09ca81ece28433dd65da9ea2bb

SHA1
c9a4d4ed35d2637c45af68d3d3573848bce911b9

SHA256
78b7d35ec37014305ae9ab1099534896d2642ecaf2168dff837e412f637a3111

SHA512
a2f647851a308acfbe1456ffeacdf8b51d53a696fe898f7446361270a867d5ea2428e1f3908478b82bea6dc239266feabb5090ba07876989720e92e2acf0c784

Download Submit
C:\Windows\SysWOW64\Eceimadb.exe

Filesize
512KB

MD5
e430fbbd7ea24cdeed6ac4697b9de495

SHA1
176119122f47442ea34307004c504018a01a570a

SHA256
14d502fa8e6db3278f278edfbc7d3d04f953cb3e813a7957e763f8754b2520a2

SHA512
c9464739a671d2a806177a148397276e20e70b6703805ca4ad8dbfcda0b68386c69bf710fd355400b4f7edc6834bf2b0ed794d48c9044f5bc1ad683ce2c224e6

Download Submit
C:\Windows\SysWOW64\Qgfmlp32.exe

Filesize
512KB

MD5
2964add56843dbbafcf56f4e4fffaf9d

SHA1
b4ffd0b617129eb9a941ba63a8bf45f3bf7b9057

SHA256
b6054047792ee811c714ec499213df198bad5c77525bc6869eccc2a2dd8c8ac2

SHA512
8b3c36fb921247043d59f535522c50839613d2008f0a5b15770d242c6d1fae2d8d0c75480e42f9f4973d4dcd482e0dee0c2d097822693b292ea9961c74afbe1c

Download Submit
\Windows\SysWOW64\Akbelbpi.exe

Filesize
512KB

MD5
6aa728841952514b79f6d300dd9d7085

SHA1
76e5d26ce3666586a70c534dc2418bec9ff5a65f

SHA256
304745ca13b2da8afbedc5d8f38d35ee0ab40475a03a036e3255ff1434fe5718

SHA512
d75dd1bfa8f0298d22ed91c7820284804ccf925dec28d1d69a66c800f458b69421dec049d1890f9a78ad4797d80d6253f88244b525573308fa2bfab766e8986a

Download Submit
\Windows\SysWOW64\Akphfbbl.exe

Filesize
512KB

MD5
4e55d5f14910add7ed2f6eefcb024f75

SHA1
786fe7c8662adbe80ca476a58fd085d78d42e95b

SHA256
33b79db1910ac72882304382e272d86cc4c01ebc4a5cca3da7db5e9f36da8106

SHA512
ec6053d2ffdb5e39c13323a373e8ba91e925122b0e6fc7c4eca30dd55bab3d8187f972970381e44ed6b51b3692697635d0af9289df2d04cc82b3aa96de2d2c7e

Download Submit
\Windows\SysWOW64\Bcoffd32.exe

Filesize
512KB

MD5
181153edd2296f67169b587a717d9c90

SHA1
ee4e3c5daefc8ff76ccd3b6cf4d88325e0a7b555

SHA256
8c870b525a9f72ea809036385ef6587cf6e0ffa6acf8143255f0f2ce05ff3457

SHA512
8ae0b44ca8fdbc0e9cc0f69242d72457c6090d8d1401aefbc44c207e418bc644f1bfa9a5995795ea9052cb5e11175dee85e720fcadbbd91f9d828f5dda286f48

Download Submit
\Windows\SysWOW64\Bjlkhn32.exe

Filesize
512KB

MD5
fe7a23ef3629ded4d593cfb513a026dd

SHA1
d0d4859c1e061fd7ede51b6c69ae4eaea831e77b

SHA256
67d7fc05fc63052e40dc0b7b131983b6c72a6e7b9c4dec861456883d8995529d

SHA512
9eb9ade07a14ebeb71cfc72f2ce49f74df02d42d78dc6393c26da585299362ca3fce5c6662918ea54e0d585b508265e086c69265e79010d94c21b5d166991657

Download Submit
\Windows\SysWOW64\Bkdbab32.exe

Filesize
512KB

MD5
38e2d944fad7c48cb1422df4ff6f41cc

SHA1
c647b0d91d05d06346b430f33725efd168916b36

SHA256
481ed9a5f488c52f08f9c62e9285c23dab3ce524327e5fde69e5a1b2e3da4080

SHA512
be95dfd482276de08cea2ec98ccf3d5f3ea04565aa25f1833d82bcd9fc4c4817ca940b2c7254e3a3e1810f17ad028e7e20ab4e7a8c3411840b3579f019410528

Download Submit
\Windows\SysWOW64\Bmoaoikj.exe

Filesize
512KB

MD5
67d9864568ba9ec21e6ac182d9ed8f52

SHA1
2651bda8196faad9452ab0d5eed6dc9dcbc77da3

SHA256
b15da5fb8a08e79ad86114dbfcbb460f9d108a6af0977106f2acb521e981622f

SHA512
122fcdfc3957e9257809256bc2d2ee7f51d4913acf1ca4573f3c7a87c4264f9a66b2d832e8cce00b56d2def1d5e68cf1782cfe1c73a38024654b1352fa27ad4b

Download Submit
\Windows\SysWOW64\Cogdhpkp.exe

Filesize
512KB

MD5
56355949d886b577a29699ffe9a9bff5

SHA1
6d90d1c163eb290eb6081a28225e820d56e3d5ac

SHA256
579e1757226c33edbe9176c9fc88772d4a2f20c40a93d842cf90e5f3c4211911

SHA512
426c277f0060ab9b1ac8ebf0ea0b7d26f24fac4b982515ac65e83f51096a3c4c04f75531982b43f9bc332a638be668501652aaad40cfeeb338807128acb4e205

Download Submit
\Windows\SysWOW64\Cppjadhk.exe

Filesize
512KB

MD5
273def5cf4db00ca134900f31480b0d6

SHA1
0392c05b75675477880cbba80048f2b699b6ed65

SHA256
0c30daa88bb8c87f7749d92e2889517199eda95095b611e0c41b38aa822f98ad

SHA512
ab302b8eb83401065a948070c53f06f8090b46f0cc68a8691726005d822a152e5acabea35000bf05559e6af062e43f1d0f6f04d575714e856ec9efc573cf03a8

Download Submit
\Windows\SysWOW64\Dkpabqoa.exe

Filesize
512KB

MD5
0d8fba5898383e4601f18890931f33e3

SHA1
04958e27530052546cdd7b8a5f9baa0c10a9ad43

SHA256
03a23a0283ca08e4698b090f0666b2f3f94736f478d535fb1eef3a8016027b93

SHA512
3f34832cd1deb7163b573790f6eaecba8fece6ad2bc4382d9d94f017778ec6694ff18c7821d38f0730db87e4f171590ea86565c64fc1e3e251f5ffd9b55174c4

Download Submit
\Windows\SysWOW64\Qnpeijla.exe

Filesize
512KB

MD5
f06e54541f329835f9dd384c36457ced

SHA1
42e627a94303a4b6a8d4f84091245c3836e38f76

SHA256
9edb96b4f2941ba66b2381fea6e5f844c5d9529385a67890085dce11b77fa3d8

SHA512
5b7c5ea0a656fbeb90626ff84ef76ce43a0ced64e5ebbd7d1ec6c5798b9bdf7cd015995a86cab934941812155c818a1f9a3bf7cbdc7377d6b0c62443dbc89312

Download Submit
\Windows\SysWOW64\Qqldpfmh.exe

Filesize
512KB

MD5
cf029e0090f2013f517e707fbadf8939

SHA1
90709d561b9e9991bdb5c8daef7ea5ce9541948b

SHA256
eea2c58d939a5917ce1f1b50108046986b8c0efc39e7038cff103176a78ce16d

SHA512
3ced448b7a7d1360c57f8e6a09e389bc7d858dc45fc5a1bc6643ba3ece5752221c0b1bb4e4901b126d9df5150fb443a8ddfdddd92bb45fcb14e8bd0b748fd357

Download Submit
memory/580-55-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/580-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/580-342-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/1300-240-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/1300-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1300-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1316-325-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1316-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1316-163-0x0000000001F50000-0x0000000001F84000-memory.dmp

Filesize
208KB

Download
memory/1372-219-0x0000000000280000-0x00000000002B4000-memory.dmp

Filesize
208KB

Download
memory/1372-330-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1600-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1600-118-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/1600-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1676-302-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1676-339-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1676-308-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/1676-312-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/1776-338-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1776-291-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1776-300-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1776-301-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1824-165-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1824-326-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1824-177-0x0000000001F50000-0x0000000001F84000-memory.dmp

Filesize
208KB

Download
memory/1828-191-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1828-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1828-180-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1844-331-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1844-220-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1844-230-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1884-261-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1884-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1884-267-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/1928-313-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2184-27-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/2184-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2184-26-0x0000000000300000-0x0000000000334000-memory.dmp

Filesize
208KB

Download
memory/2196-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2196-201-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2196-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2236-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2236-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2236-247-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2316-29-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2316-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2316-36-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2316-341-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2424-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2428-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2428-251-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2428-260-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/2752-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2772-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2772-318-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2772-64-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2828-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2828-105-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2864-369-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2864-319-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2864-82-0x00000000002D0000-0x0000000000304000-memory.dmp

Filesize
208KB

Download
memory/2944-290-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2944-286-0x0000000000440000-0x0000000000474000-memory.dmp

Filesize
208KB

Download
memory/2944-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2944-337-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2960-324-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2960-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2960-144-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/3044-91-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/3044-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3044-84-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3068-18-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/3068-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3068-12-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download
memory/3068-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3068-328-0x0000000000250000-0x0000000000284000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads