42c019bc74eaa8345da44072717a451ddd4edd15e3e02d98cb80844e6a09599f

Analysis

max time kernel
31s
max time network
43s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-08-2024 01:14

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

79b8379b9f44ce830e9cc91da3928e50N.exe
Size

368KB
MD5

79b8379b9f44ce830e9cc91da3928e50
SHA1

fedfba5f6b410311169d7b79ad8891dde8c171d9
SHA256

42c019bc74eaa8345da44072717a451ddd4edd15e3e02d98cb80844e6a09599f
SHA512

f2cefb5bf15428f788fe2f447b51b7bf346c2e8f4b4d46ca34165d4401d527f6b2c51cb06b6595cc112db7bf53a7c42daa33aa5e98570bf1839e9821d8ebad16
SSDEEP

6144:vnuZad4J/oHeN+uqljd3rKzwN8Jlljd3njPX9ZAk3f:vuMEQ4+XjpKXjtjP9Zt

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	79b8379b9f44ce830e9cc91da3928e50N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	79b8379b9f44ce830e9cc91da3928e50N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe

Executes dropped EXE 26 IoCs

pid	Process
4136	Bjmnoi32.exe
3400	Bagflcje.exe
2396	Bjokdipf.exe
3668	Bgcknmop.exe
2720	Bmpcfdmg.exe
4728	Beglgani.exe
1064	Bnpppgdj.exe
3888	Beihma32.exe
3336	Bnbmefbg.exe
760	Belebq32.exe
1916	Cenahpha.exe
4356	Cmiflbel.exe
1928	Chokikeb.exe
3692	Cagobalc.exe
1904	Cmnpgb32.exe
4968	Cjbpaf32.exe
956	Cegdnopg.exe
3156	Dopigd32.exe
1760	Dhhnpjmh.exe
2584	Dmefhako.exe
4424	Dkifae32.exe
2336	Deokon32.exe
560	Dfpgffpm.exe
2988	Deagdn32.exe
2648	Dknpmdfc.exe
4436	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bagflcje.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Beglgani.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Jijjfldq.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	79b8379b9f44ce830e9cc91da3928e50N.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	79b8379b9f44ce830e9cc91da3928e50N.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bagflcje.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	79b8379b9f44ce830e9cc91da3928e50N.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Belebq32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4744	4436	WerFault.exe	112

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	79b8379b9f44ce830e9cc91da3928e50N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	79b8379b9f44ce830e9cc91da3928e50N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	79b8379b9f44ce830e9cc91da3928e50N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	79b8379b9f44ce830e9cc91da3928e50N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	79b8379b9f44ce830e9cc91da3928e50N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	79b8379b9f44ce830e9cc91da3928e50N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 4136	1480	79b8379b9f44ce830e9cc91da3928e50N.exe	84
PID 1480 wrote to memory of 4136	1480	79b8379b9f44ce830e9cc91da3928e50N.exe	84
PID 1480 wrote to memory of 4136	1480	79b8379b9f44ce830e9cc91da3928e50N.exe	84
PID 4136 wrote to memory of 3400	4136	Bjmnoi32.exe	85
PID 4136 wrote to memory of 3400	4136	Bjmnoi32.exe	85
PID 4136 wrote to memory of 3400	4136	Bjmnoi32.exe	85
PID 3400 wrote to memory of 2396	3400	Bagflcje.exe	86
PID 3400 wrote to memory of 2396	3400	Bagflcje.exe	86
PID 3400 wrote to memory of 2396	3400	Bagflcje.exe	86
PID 2396 wrote to memory of 3668	2396	Bjokdipf.exe	87
PID 2396 wrote to memory of 3668	2396	Bjokdipf.exe	87
PID 2396 wrote to memory of 3668	2396	Bjokdipf.exe	87
PID 3668 wrote to memory of 2720	3668	Bgcknmop.exe	88
PID 3668 wrote to memory of 2720	3668	Bgcknmop.exe	88
PID 3668 wrote to memory of 2720	3668	Bgcknmop.exe	88
PID 2720 wrote to memory of 4728	2720	Bmpcfdmg.exe	89
PID 2720 wrote to memory of 4728	2720	Bmpcfdmg.exe	89
PID 2720 wrote to memory of 4728	2720	Bmpcfdmg.exe	89
PID 4728 wrote to memory of 1064	4728	Beglgani.exe	90
PID 4728 wrote to memory of 1064	4728	Beglgani.exe	90
PID 4728 wrote to memory of 1064	4728	Beglgani.exe	90
PID 1064 wrote to memory of 3888	1064	Bnpppgdj.exe	91
PID 1064 wrote to memory of 3888	1064	Bnpppgdj.exe	91
PID 1064 wrote to memory of 3888	1064	Bnpppgdj.exe	91
PID 3888 wrote to memory of 3336	3888	Beihma32.exe	93
PID 3888 wrote to memory of 3336	3888	Beihma32.exe	93
PID 3888 wrote to memory of 3336	3888	Beihma32.exe	93
PID 3336 wrote to memory of 760	3336	Bnbmefbg.exe	94
PID 3336 wrote to memory of 760	3336	Bnbmefbg.exe	94
PID 3336 wrote to memory of 760	3336	Bnbmefbg.exe	94
PID 760 wrote to memory of 1916	760	Belebq32.exe	95
PID 760 wrote to memory of 1916	760	Belebq32.exe	95
PID 760 wrote to memory of 1916	760	Belebq32.exe	95
PID 1916 wrote to memory of 4356	1916	Cenahpha.exe	97
PID 1916 wrote to memory of 4356	1916	Cenahpha.exe	97
PID 1916 wrote to memory of 4356	1916	Cenahpha.exe	97
PID 4356 wrote to memory of 1928	4356	Cmiflbel.exe	98
PID 4356 wrote to memory of 1928	4356	Cmiflbel.exe	98
PID 4356 wrote to memory of 1928	4356	Cmiflbel.exe	98
PID 1928 wrote to memory of 3692	1928	Chokikeb.exe	100
PID 1928 wrote to memory of 3692	1928	Chokikeb.exe	100
PID 1928 wrote to memory of 3692	1928	Chokikeb.exe	100
PID 3692 wrote to memory of 1904	3692	Cagobalc.exe	101
PID 3692 wrote to memory of 1904	3692	Cagobalc.exe	101
PID 3692 wrote to memory of 1904	3692	Cagobalc.exe	101
PID 1904 wrote to memory of 4968	1904	Cmnpgb32.exe	102
PID 1904 wrote to memory of 4968	1904	Cmnpgb32.exe	102
PID 1904 wrote to memory of 4968	1904	Cmnpgb32.exe	102
PID 4968 wrote to memory of 956	4968	Cjbpaf32.exe	103
PID 4968 wrote to memory of 956	4968	Cjbpaf32.exe	103
PID 4968 wrote to memory of 956	4968	Cjbpaf32.exe	103
PID 956 wrote to memory of 3156	956	Cegdnopg.exe	104
PID 956 wrote to memory of 3156	956	Cegdnopg.exe	104
PID 956 wrote to memory of 3156	956	Cegdnopg.exe	104
PID 3156 wrote to memory of 1760	3156	Dopigd32.exe	105
PID 3156 wrote to memory of 1760	3156	Dopigd32.exe	105
PID 3156 wrote to memory of 1760	3156	Dopigd32.exe	105
PID 1760 wrote to memory of 2584	1760	Dhhnpjmh.exe	106
PID 1760 wrote to memory of 2584	1760	Dhhnpjmh.exe	106
PID 1760 wrote to memory of 2584	1760	Dhhnpjmh.exe	106
PID 2584 wrote to memory of 4424	2584	Dmefhako.exe	107
PID 2584 wrote to memory of 4424	2584	Dmefhako.exe	107
PID 2584 wrote to memory of 4424	2584	Dmefhako.exe	107
PID 4424 wrote to memory of 2336	4424	Dkifae32.exe	108

C:\Users\Admin\AppData\Local\Temp\79b8379b9f44ce830e9cc91da3928e50N.exe
"C:\Users\Admin\AppData\Local\Temp\79b8379b9f44ce830e9cc91da3928e50N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\SysWOW64\Bjmnoi32.exe
  C:\Windows\system32\Bjmnoi32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4136
- - C:\Windows\SysWOW64\Bagflcje.exe
    C:\Windows\system32\Bagflcje.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3400
  - - C:\Windows\SysWOW64\Bjokdipf.exe
      C:\Windows\system32\Bjokdipf.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2396
    - - C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3668
      - C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3888
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2336
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:560
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4436 -s 396
        28⤵
        Program crash
        
        PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4436 -ip 4436
1⤵
PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Bagflcje.exe

Filesize
368KB

MD5
f30283dbc33a4fa5f45095cd3f25ef2a

SHA1
733606e966ddb01a992d64553c9c98507f9bb296

SHA256
f7013a0f54eada502f8a5c63b2a3daed1b13fe898fd8a0a877a28eefecbdf0a0

SHA512
5d62beb5fbac04e8ea4cef4e27dd6893667826851fdc16a2cf1d62257f97798accd32ab2d05e965b0f5f0bef0582c7b13b08eaf9386ba40aee5c5cd50581997f

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
368KB

MD5
5854970df19ff8b989e605daa5994df7

SHA1
a9891eb4473474659f0a85d81aa60551d0a77c80

SHA256
354782211f8a5ecb9117f6077deae437e5a8db906a147a9183d41e7694d1f5c9

SHA512
bd0f9dbfda22dd6daee275beafab6dd77a2256515a4ddd331e6d0b5f7e3d402b16a2b1eb86b6fc865d439acbfcca98c1d3241f7543d4cb6c15081d0164bf842f

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
368KB

MD5
65027b6a67b1a9652dd86e85e74a2b7d

SHA1
d1d63795d80b832d796d878376b67022ca22a5eb

SHA256
4940adfc89098fe707a7f215eb9bc21bfece1945bd9d5568a636cc5eea9938ca

SHA512
70fdb8735bb089b6fcd37a3156a0f61a6e342f5fbf1acefd6888f3827d275183b69da588135da19f6110bb25ad7c802a55975859f619d08ddf54ba54947a72b9

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
368KB

MD5
222b36ab4a8bb6e6eef9d5e8b978347c

SHA1
8830fffd79d7236114c42448757dad17585b7493

SHA256
112bb044e9d46baa66010f7b53b08a749896cc56b6d2e22ce14f012789d6c85b

SHA512
7d9590ea39cb81af09c4121c46a90b708781599d022de44dd6326703b9b611883c8731fe5c357fc138f0da93ac903c759a0b7c2aaa4ada2229ddb0540f5390c0

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
368KB

MD5
3e6f2485e0f50751b2c4fa70820946fe

SHA1
b1f794b93b01597dfc135e7adfb798b155c6fbc5

SHA256
cb922dbfd41ae8b76034d56095dd0454ae06632dab91a68593506a094afe4959

SHA512
a6f8396ca9b7b2356c10bd523c2448c80ee62cfce20047c315a085fd738e79f1fdcfcaf7132a52e6721531f0565197f0432789302c19504c8e775242e4cd0088

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
368KB

MD5
99fa2b4c8b21808665ac3396d307d416

SHA1
d059dd389835eac414da28f5458fd6ebd38b1a85

SHA256
809ed95ccf980022055dc95401e13617b851012dcf5985ec3692b58ad83a80b7

SHA512
5eec6b2eb95bab302b6a0b288f1a3ade151c6455952529e67e9dea3ebdf716283a10f2cc62329058f4cc0fdc7187892d193b091b579553098e25c72a163495e5

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
368KB

MD5
829e251f9a604fb5bf5b89a8d375ce4b

SHA1
03d9b76d56b61be3c4c602c2d77218f7b8018087

SHA256
f85ce5010e8abe159af04034775ba972a7b9b699e294cd7336d78130772e95a4

SHA512
5b320b96b2ca814732e97c226ca2c92a5672ca2f675af04d84a4d6bf6bb0599f6987bdbe7623ed0225463eb47905afe97aedf8a90b2848cdc0dddb336996e5ba

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
368KB

MD5
34502a1365e125887f30624893121f97

SHA1
2e12d38fad07577b2980e65ff130f7a742fa6aa9

SHA256
9a98fb6ee4a20c1f02cd8bd699cf6b22576631f1dc1a2f27fdd38f7179ea4d7b

SHA512
3b982f784b843fc86e7f26e3c429fed9ad6db1b455ce0735f6b89a33dba43757628f5608b5fad429574aa571686aff7c68536d3e7a0aa48144072eb6bc21c84d

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
368KB

MD5
7a077e431bdd3a7143d98cd564acdeb4

SHA1
00cb75840033918521f373644a4cfcd68f46a4f1

SHA256
83f4405def3a187d66fdf602c9f5d03892b7ef7a08f90d80845091fae8514efe

SHA512
a7d391e1112474e78475612541619664625dea9e26cc9178e692848fa429b5a9959790b6aad072fe8b5cd9e7ef2dc1ed9991e07ba886f5352e8271e306fa1e5f

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
368KB

MD5
0f79520f9bebe421f0132de6e3c0688e

SHA1
dca07644f36fa227f76f757516f72c59a586e76b

SHA256
cdf3260a95412ef11734bfa347d7602d76a3b99f6d7048531bc70d2ff50a8634

SHA512
3a075d0dc2876c05af874f69bc8203d037ef82265db81888dc1e1fd3ec36983f8e74bcdcbc0c189977a2cdcbf0d0121034b37a954223c89e7f5cecfb991c9adf

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
368KB

MD5
98056d2089a0f5bfc83827ddf23cd09a

SHA1
6fa4c1995969a2aec419f951610fff52164f7be6

SHA256
d531033466c99bfde8a51243104ac88bfde393c1d38a591d62df8abc86962f92

SHA512
62824eadc1e6e80931a6511365b09d8dd8eb59eb3706caf667f28363f591e494df35ed20c17ff6c3fdd85a77d63a860bc74ed04f85d353b60ed3ac5d77bc543d

Download Submit
C:\Windows\SysWOW64\Cegdnopg.exe

Filesize
368KB

MD5
ea53c52db1c248695266b5e8bf87c5f1

SHA1
12a3edb7ddefaeb8862439d5404adb47936c8848

SHA256
a2ce56c4f6908d04f118aefec11b5be07ed8f81b2d4bfc37b5781532a1680797

SHA512
7e9b4404893a4af0e92bb4de6c98462ca745d5f3c0159277bae2443a7846a28de22cdd38a0f246f9774aeec7026aca241836fc7dcae11d34d34f6da7959fc649

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
368KB

MD5
a1312534833a0746ffd631e002f6c359

SHA1
3de8d8c1e2fd0889152a74e9a6d2d98c27e73a9e

SHA256
dbd3762ed34f7678be579d05af106537e6c08f9ba41528dbb913002660b66708

SHA512
5c82386ce0cdd18b33e3639e274d112f486617d3a00e7cb9d2013132de15996b66bf039379eb66ce1af1a786c21fc31e9e806bb263dc387416e58427ff669c61

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
368KB

MD5
b96331219d17cf3c89b0f394bfc2bc8c

SHA1
510d6525168a02f0dafe111bbcc61c141f443c6d

SHA256
e0446f47bad436f8d8b561cb65ea69a19ae9bf32ec677f8f442a8f9fcdecb322

SHA512
ba96fc2df9d83edd0c6a7310c0380085a42cef376b095f1c82de1af00c0a3fcf4ce3be43ff7ee8616f0d8e4f9fdb82bb694ebe056df0a6abbf0ab137cf720235

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
368KB

MD5
d9337f2f826083a94033f2e5e057e9f2

SHA1
41ebd2346fb7915e4dc0e2a105ce32282652b5ed

SHA256
960184e47d3c926dd515ffa86f140f6f589c938237eb300cc4d0983921dd7735

SHA512
e7f0f6b2a4fd24fe89bb55758dfc3f3f08186d3454060982cd4f6c3e0fbc3fc356299ceff39cf3fc63f8c17540fb43e680dd9908d55916efeedc32fef9b1a0e4

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
368KB

MD5
ca9def28df48278aa6d27474ce76737a

SHA1
c2ee25a036629c05f7232debf11fde04c3c399b6

SHA256
5508c11549a292bbcdd20198733e3032dc98b516a8cbbdfa9317b5d041470a9e

SHA512
1cac853a49efe760f70c5e6b331cea9dc49e9e7c2c3e69c33ff53a428a2b93a75a7a13b6c247f645aee544e56f67e4ef1b0833f23b297acfe959bdc37734b8fa

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
368KB

MD5
ee8943fdf40859d1c5b20ee7709899a9

SHA1
397683203c3c67d366b4468c267cc584e82ae45d

SHA256
b42bc4f11fc940e419dd9d41469a9d2acbcc25ff353b8b2f1ffdebf72081026f

SHA512
ffd99a61f2c30ccce71c60272196ea6867478800af2a5576c409ace993cbe9e4cec4bc27ef492c97da08d718465e49c8be966bf9d1ad2e99c2d4c6ca94b588df

Download Submit
C:\Windows\SysWOW64\Deagdn32.exe

Filesize
368KB

MD5
a2bf9e59cc2f57c69daaf7c651169bc1

SHA1
2ec149be5c548435ba6c4a7f85469e2a85996434

SHA256
f191e81e093e0e13972eec09c58bfbc2926e5a1a99275045f08db2e711707cf3

SHA512
8c4ce3cdfeba4777951f16cae933877f6ec6af2da1acce578273553893a80877971fc66ff2f4019408152d095f08a2a29315a63c7f412616c7442bc84ea426ab

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
368KB

MD5
a2373a284fa155aa5670d0e032d15671

SHA1
95914c7fc60705bc98866b4dabe3d6f7b561bfcb

SHA256
1834425392682831e971cc18279cb1b27a5496c37591b216f816ce3a7d525cab

SHA512
6257890e6fe5f4372439ba644c0639357a8a10b3319044df5c4f331af6e7a858bf20109fbcf3f1d96f937ab595d3e29bcc5ce18a23eaa384c1c451d69a6e1102

Download Submit
C:\Windows\SysWOW64\Dfpgffpm.exe

Filesize
368KB

MD5
2d6685571167e3df43177ad451732fac

SHA1
3ff21061f3e52c1371412d7436e3ece4280430c2

SHA256
3e7d77810fc35b908373222237355bebfbd3d53be64b9ba614ca74ded902630a

SHA512
7e6afa2bab01a15939a79a625cc37754bf8197dcb22965867b6c945c54966b8c9539da97e467070d585dc05e5940fd9320f031f07fd9e56474dae48ebc0b9dd8

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
368KB

MD5
48d5063a3d730c73cfa74e8fd8c386ad

SHA1
6843b1b506433bea04c16bf69b900ba81cd0905c

SHA256
fe56d9b06f518d834214bcc886b2f762888052666e0e0aeb801ba0147f78e771

SHA512
a1de3ccc82cc87761e3340c66e0e49096775742813fc33261ed1090d943a635f7553caf0d501b26bfa86af160846ed0f2c93da8723dd68e50e4d1a8b6ee791c1

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
368KB

MD5
9c4b3cf09e64a0f5651ad0e09517100c

SHA1
c5e1b86fb2ec05bab12a785804553e5957d5174e

SHA256
a42b8bc3c4c7633461433e0e78940c63c3f7cc853ec0369b6002ab7da5d38005

SHA512
1343fdcff5d75d4e89c1be0696d1ef4f9fa8c3403318d45bb5651466ebb2bd16f6393d3a91818b906dc39ce20414c91840402628898dbe8589406d9a4f197c2d

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
368KB

MD5
9429c2651f10e9237da2bb725ab25c9e

SHA1
be00b801a6f290d529a5941335c0bdf15a67c97b

SHA256
130c0dd67692ea9e300df47eb8d37328faa8557b0dfbfce4251f759b3524c4a9

SHA512
71fe5d27428aaa84eabe330dd829aafe5f17772fb3ac539aba4803fb8571c690339681a4e1f0579c9f079de29df0365ec60619224a2b01f4973cd7713094916f

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
368KB

MD5
e6f7ff06f026ebf685eb5acb9924aefa

SHA1
2148fea77fcc4e1946b4337a199c21d0eaa77959

SHA256
a7fcc838a50301cd413f5c351f12dccd850952ddc5c5ff46ec16faf09d9ac918

SHA512
d9c259ef13fca56778647705190d101b92e683f3c70ba087fbaddda838a629f8fc61fdbbffbfceb7aa5c152809258f33d1adabec711cdd48ce48da0028071be2

Download Submit
C:\Windows\SysWOW64\Dmllipeg.exe

Filesize
368KB

MD5
204ee6acf2be339030d18a5328192f0f

SHA1
e529ed9f4930069e6f6238e4a732313b26ef81ab

SHA256
7666e6428409fec77906a38f272b8dec69cf9f5a69433c81272552fd3929c7ec

SHA512
28635e77323e2d28bc7626b11db1db0fea9f62daeb03608b8f28e598e0c1bcf2ec7c58ef942dee1723aff29c950a1a677528b45882c49937e2860a122caefe69

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
368KB

MD5
e67a0b7ef12bcaf5d2c158a114e85e61

SHA1
da44557b7cbb4e07b0703f8942d0e3c47ac85c85

SHA256
74c94d405384d328ac88816c3eaa36365ef7a7bb66a086a296c254b953980bea

SHA512
c5182d82bd7a7740486b3655c2d88da81e806086f4ff8450bdd696ba2d7125b41df75331feb57e86ffd4376aa31c5734516dc6ec2ff73465d95d0b06dde076ec

Download Submit
memory/560-198-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/560-230-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/760-170-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/760-82-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/956-227-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/956-144-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1064-143-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1064-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1480-72-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1480-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1480-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1760-162-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1760-233-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1904-216-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1904-126-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1916-90-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1916-179-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1928-197-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1928-108-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2336-231-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2336-190-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2396-24-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2396-107-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2584-234-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2584-171-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2648-217-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2648-228-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2720-125-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2720-40-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2988-207-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2988-229-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3156-154-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3156-235-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3336-161-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3336-74-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3400-98-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3400-17-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3668-116-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3668-32-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3692-117-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3692-206-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3888-65-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3888-152-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4136-89-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4136-8-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4356-188-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4356-99-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4424-232-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4424-180-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4436-226-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4728-48-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4728-134-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4968-225-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4968-135-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads