6abfd9126c5cf19ce6a5de9d07e1b37ff326c04c6f2fdda42ee60f715370f6f6

Analysis

max time kernel
114s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 05:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7961144f48e50585cb3861c44681ecf0N.exe
Size

1.6MB
MD5

7961144f48e50585cb3861c44681ecf0
SHA1

2ce89e4b45fc09815aed7709370be3a3df55d048
SHA256

6abfd9126c5cf19ce6a5de9d07e1b37ff326c04c6f2fdda42ee60f715370f6f6
SHA512

6654af8019298a0090643de22a89f0500f249db4aba57dd1056f6b64d7c2d41006c31cd052c4062213121e41e5f485a88849f9f9cb5801ba76bdcd6afd41d5e8
SSDEEP

24576:tS2BixNBJBixNBWVBixNBJBixNBXuBixNBJBixNBWVBixNBa:tfix7/ix7yix7/ix7Xcix7/ix7yix7a

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pnakhkol.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocbddc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocbddc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	7961144f48e50585cb3861c44681ecf0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pnakhkol.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe

Executes dropped EXE 64 IoCs

pid	Process
1864	Ocbddc32.exe
1208	Ofcmfodb.exe
4848	Pdfjifjo.exe
2240	Pclgkb32.exe
3640	Pnakhkol.exe
4996	Pqpgdfnp.exe
4856	Pjhlml32.exe
1832	Qgcbgo32.exe
2204	Anmjcieo.exe
3196	Acjclpcf.exe
2888	Aqppkd32.exe
2860	Agjhgngj.exe
4100	Aeniabfd.exe
5036	Aglemn32.exe
4256	Ajkaii32.exe
940	Aminee32.exe
1056	Aepefb32.exe
1380	Agoabn32.exe
4120	Bjmnoi32.exe
2800	Bmkjkd32.exe
920	Bebblb32.exe
4612	Bganhm32.exe
3972	Bnkgeg32.exe
1676	Baicac32.exe
4380	Bchomn32.exe
4384	Bffkij32.exe
5000	Bnmcjg32.exe
1100	Balpgb32.exe
400	Bfhhoi32.exe
4972	Bnpppgdj.exe
4912	Banllbdn.exe
4336	Bclhhnca.exe
4592	Bjfaeh32.exe
3516	Bmemac32.exe
2404	Belebq32.exe
1712	Chjaol32.exe
4984	Cndikf32.exe
3980	Cabfga32.exe
1640	Cdabcm32.exe
3468	Cfpnph32.exe
2372	Cnffqf32.exe
5040	Caebma32.exe
1204	Chokikeb.exe
1604	Cjmgfgdf.exe
4812	Cmlcbbcj.exe
2256	Cdfkolkf.exe
4804	Cfdhkhjj.exe
2596	Cnkplejl.exe
1384	Cajlhqjp.exe
4132	Cdhhdlid.exe
4704	Cjbpaf32.exe
1580	Cmqmma32.exe
1756	Cegdnopg.exe
4372	Dhfajjoj.exe
5152	Djdmffnn.exe
5196	Danecp32.exe
5236	Ddmaok32.exe
5276	Dfknkg32.exe
5316	Dobfld32.exe
5356	Daqbip32.exe
5396	Dhkjej32.exe
5436	Dkifae32.exe
5476	Daconoae.exe
5516	Ddakjkqi.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Gcdmai32.dll	Ocbddc32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Pclgkb32.exe	Pdfjifjo.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Llmglb32.dll	7961144f48e50585cb3861c44681ecf0N.exe
File created	C:\Windows\SysWOW64\Qhbepcmd.dll	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Pjhlml32.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Aminee32.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cabfga32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bffkij32.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File opened for modification	C:\Windows\SysWOW64\Ocbddc32.exe	7961144f48e50585cb3861c44681ecf0N.exe
File created	C:\Windows\SysWOW64\Pclgkb32.exe	Pdfjifjo.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Agjhgngj.exe

Program crash 1 IoCs

pid	pid_target	Process
5844	5756	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7961144f48e50585cb3861c44681ecf0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pnakhkol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjhlml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pclgkb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocbddc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	7961144f48e50585cb3861c44681ecf0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	7961144f48e50585cb3861c44681ecf0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	7961144f48e50585cb3861c44681ecf0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pclgkb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	Pjhlml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdfjifjo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	7961144f48e50585cb3861c44681ecf0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 232 wrote to memory of 1864	232	7961144f48e50585cb3861c44681ecf0N.exe	84
PID 232 wrote to memory of 1864	232	7961144f48e50585cb3861c44681ecf0N.exe	84
PID 232 wrote to memory of 1864	232	7961144f48e50585cb3861c44681ecf0N.exe	84
PID 1864 wrote to memory of 1208	1864	Ocbddc32.exe	85
PID 1864 wrote to memory of 1208	1864	Ocbddc32.exe	85
PID 1864 wrote to memory of 1208	1864	Ocbddc32.exe	85
PID 1208 wrote to memory of 4848	1208	Ofcmfodb.exe	86
PID 1208 wrote to memory of 4848	1208	Ofcmfodb.exe	86
PID 1208 wrote to memory of 4848	1208	Ofcmfodb.exe	86
PID 4848 wrote to memory of 2240	4848	Pdfjifjo.exe	88
PID 4848 wrote to memory of 2240	4848	Pdfjifjo.exe	88
PID 4848 wrote to memory of 2240	4848	Pdfjifjo.exe	88
PID 2240 wrote to memory of 3640	2240	Pclgkb32.exe	90
PID 2240 wrote to memory of 3640	2240	Pclgkb32.exe	90
PID 2240 wrote to memory of 3640	2240	Pclgkb32.exe	90
PID 3640 wrote to memory of 4996	3640	Pnakhkol.exe	91
PID 3640 wrote to memory of 4996	3640	Pnakhkol.exe	91
PID 3640 wrote to memory of 4996	3640	Pnakhkol.exe	91
PID 4996 wrote to memory of 4856	4996	Pqpgdfnp.exe	92
PID 4996 wrote to memory of 4856	4996	Pqpgdfnp.exe	92
PID 4996 wrote to memory of 4856	4996	Pqpgdfnp.exe	92
PID 4856 wrote to memory of 1832	4856	Pjhlml32.exe	93
PID 4856 wrote to memory of 1832	4856	Pjhlml32.exe	93
PID 4856 wrote to memory of 1832	4856	Pjhlml32.exe	93
PID 1832 wrote to memory of 2204	1832	Qgcbgo32.exe	95
PID 1832 wrote to memory of 2204	1832	Qgcbgo32.exe	95
PID 1832 wrote to memory of 2204	1832	Qgcbgo32.exe	95
PID 2204 wrote to memory of 3196	2204	Anmjcieo.exe	96
PID 2204 wrote to memory of 3196	2204	Anmjcieo.exe	96
PID 2204 wrote to memory of 3196	2204	Anmjcieo.exe	96
PID 3196 wrote to memory of 2888	3196	Acjclpcf.exe	97
PID 3196 wrote to memory of 2888	3196	Acjclpcf.exe	97
PID 3196 wrote to memory of 2888	3196	Acjclpcf.exe	97
PID 2888 wrote to memory of 2860	2888	Aqppkd32.exe	98
PID 2888 wrote to memory of 2860	2888	Aqppkd32.exe	98
PID 2888 wrote to memory of 2860	2888	Aqppkd32.exe	98
PID 2860 wrote to memory of 4100	2860	Agjhgngj.exe	99
PID 2860 wrote to memory of 4100	2860	Agjhgngj.exe	99
PID 2860 wrote to memory of 4100	2860	Agjhgngj.exe	99
PID 4100 wrote to memory of 5036	4100	Aeniabfd.exe	100
PID 4100 wrote to memory of 5036	4100	Aeniabfd.exe	100
PID 4100 wrote to memory of 5036	4100	Aeniabfd.exe	100
PID 5036 wrote to memory of 4256	5036	Aglemn32.exe	101
PID 5036 wrote to memory of 4256	5036	Aglemn32.exe	101
PID 5036 wrote to memory of 4256	5036	Aglemn32.exe	101
PID 4256 wrote to memory of 940	4256	Ajkaii32.exe	102
PID 4256 wrote to memory of 940	4256	Ajkaii32.exe	102
PID 4256 wrote to memory of 940	4256	Ajkaii32.exe	102
PID 940 wrote to memory of 1056	940	Aminee32.exe	103
PID 940 wrote to memory of 1056	940	Aminee32.exe	103
PID 940 wrote to memory of 1056	940	Aminee32.exe	103
PID 1056 wrote to memory of 1380	1056	Aepefb32.exe	104
PID 1056 wrote to memory of 1380	1056	Aepefb32.exe	104
PID 1056 wrote to memory of 1380	1056	Aepefb32.exe	104
PID 1380 wrote to memory of 4120	1380	Agoabn32.exe	105
PID 1380 wrote to memory of 4120	1380	Agoabn32.exe	105
PID 1380 wrote to memory of 4120	1380	Agoabn32.exe	105
PID 4120 wrote to memory of 2800	4120	Bjmnoi32.exe	106
PID 4120 wrote to memory of 2800	4120	Bjmnoi32.exe	106
PID 4120 wrote to memory of 2800	4120	Bjmnoi32.exe	106
PID 2800 wrote to memory of 920	2800	Bmkjkd32.exe	107
PID 2800 wrote to memory of 920	2800	Bmkjkd32.exe	107
PID 2800 wrote to memory of 920	2800	Bmkjkd32.exe	107
PID 920 wrote to memory of 4612	920	Bebblb32.exe	108

C:\Users\Admin\AppData\Local\Temp\7961144f48e50585cb3861c44681ecf0N.exe
"C:\Users\Admin\AppData\Local\Temp\7961144f48e50585cb3861c44681ecf0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:232
- C:\Windows\SysWOW64\Ocbddc32.exe
  C:\Windows\system32\Ocbddc32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Windows\SysWOW64\Ofcmfodb.exe
    C:\Windows\system32\Ofcmfodb.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1208
  - - C:\Windows\SysWOW64\Pdfjifjo.exe
      C:\Windows\system32\Pdfjifjo.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4848
    - - C:\Windows\SysWOW64\Pclgkb32.exe
        
        C:\Windows\system32\Pclgkb32.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2240
      - C:\Windows\SysWOW64\Pnakhkol.exe
        
        C:\Windows\system32\Pnakhkol.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\SysWOW64\Pjhlml32.exe
        
        C:\Windows\system32\Pjhlml32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2204
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4100
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4256
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:940
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4120
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5000
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1100
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:400
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4972
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4592
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3516
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3468
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1204
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1604
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4812
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2596
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1384
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4132
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4704
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5152
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5196
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5276
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5316
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5356
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5396
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5436
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5476
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5516
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5556
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5596
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5636
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5676
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5716
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:5756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5756 -s 396
        72⤵
        Program crash
        
        PID:5844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5756 -ip 5756
1⤵
PID:5820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
1.6MB

MD5
db62cd213fcc1693bf56baaf70f4e415

SHA1
19dc18ba7fb4acfa8ac91a40072a21a66b1a578e

SHA256
224afec2c137fd847a41d9756f88b0bb482ef30b9ccfa3a7e8398ba0645887f7

SHA512
2e32c798a523e4c2e575fc3a4af29819b1ca98128e6c0dd8283b4cb445147780c0ddb1ab20b3b917e7bc32d61dd895db4a542f014f7a969a49fc0ba3d95fe3fb

Download Submit
C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
1.6MB

MD5
169bebc16e5dc9bf8961a43559bda5c4

SHA1
989eb0e3cfc5ad293adf05cac0071a6af62c58c6

SHA256
c60979081719f5030b946121d578d828390ac2dfbca9dfb6bc61ca1bd9a5aa7b

SHA512
2bfb5c33a64549737251e63568cf295fe3fce3fc0030cd87634cbaec600cffeabf85bc993768c05aa81c517d6e698437914cb1a341c7a7f23fa02ece50668c82

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
1.6MB

MD5
f9ccf800284c67dcf6f82548a6e1bed3

SHA1
3dc4e33418778c730f196b5751094f74b06d111e

SHA256
f7298791946fb8ef308f76b98bfc32dfd37e2cf441e6c5e1ba52a82dbbdece08

SHA512
d0ed29ad2522d075e7a2346ffc1a35eb30b4282c0f0c02629d419021053e50208db502f8abd6e42e991a480ad47e472993d46dfe96ae13fc6abfb60f4aef5652

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
1.6MB

MD5
7c1cf048f57c4ae961198cf81c2b5023

SHA1
50a07b08a1d816f537812950acac0bd721c9424f

SHA256
193736688aade79e796793ac7151e04b4b5dc7381e5093d6d7f9319275185144

SHA512
043d3110afab9cb86698cbd709446292cdf566de9b9545edd5ac535844c1904a1d1399be1d4c2913e7f52bf1b463b179a192252241b9bbfddcaaa704fc36eb7b

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
1.6MB

MD5
08bf2f176f118762cd0410c461366501

SHA1
7054c5ec50b817cbcf4c71c677e4f8a607a8d397

SHA256
8cfed60b3196a8470f5ba0738c3944006e0e9efaaad2b8354fc8247eb6627b18

SHA512
bd73bc6a274b93a9ea951fc079900c237eb5ab3f6f54d37cbba5b98009a20fe296d307de0f29c90413104e266d8a1f4519a9d9b2845e11a06876e0f1f12d8e94

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
1.6MB

MD5
ad9f9dfee3bd331e9b1a60c2a15cbeda

SHA1
42a316bae861331544ac511651407bb15f54c0af

SHA256
85205cd6f765c59bbb9f3b42c86765dcf55e1badf8ff15113c6ddfe8e20785fd

SHA512
72cb06ca1f2fa9a0ab18eae53a247820c39460096cfd044fc8d1a481eb823a48e4a604bc7553ad11c082f75b56dbc80a7e1ef9de71b7cca4ae0ea97df907cff0

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
1.6MB

MD5
f09c33d96d2dd9986a4e13f4ca1b1c91

SHA1
9b16242fc26c3aa371e3c0655f91d701e50ab144

SHA256
08449ba7b154f8d969c8648a8d862084d227397368351f391fce50430b65de75

SHA512
eca6aa2bd0c2d24afd5004ffb0a38e87b13ae153d24bd2c7291ed9202fa71543da3161fe718c4a7acbc242326de9ef17906300302d40b61ae68845e3dfbb1ba6

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
1.6MB

MD5
5d4ab27a91ec239389a4afc85beae2c5

SHA1
43bcc3d57321f6546f9fa6cf20411ad84558d576

SHA256
6778e3d866cbd09781cb258912380bfd377cfc635d426292fdc24e1c75fe5e41

SHA512
ad729ce0296ed023957d691f5437da5f21cb2984442271cabbb9a06035a6d2a2fd4d52c20dbf9eb103ecf923ec8fadaebf31038320d88bfa991d65b7f1d3b34d

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
1.6MB

MD5
20d1b2c8957dd0d8157398554edb1a2c

SHA1
5f821aa64724538b847c3d7d21371f4949dbdc82

SHA256
e23d246e372732d8f1de21754cbadc863b24dc313a6906926753125690bde944

SHA512
f4646f59d22301a10ac3b965c84ebc51994884964b19304f68de2d6069c81bc1166c5955bf2e6a04bf05c9508f326cbf488b01de99bf6dd3ad3fa8ecb4db5074

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
1.6MB

MD5
434c9e9c8cabd76e8264b300b137ff9c

SHA1
8d4e1cf5ba52f7d228fd67c408b52727439f06fe

SHA256
277934b2458c50b6a3e08f3ae2404f167e9b51fa0d769ffe97a78fda42e1d1ac

SHA512
40ab21616365386a2f8236424c9897170b65bd1af857e28a9ac99e0f74a7f5b514d857e42ae8ecc83eb1e40ad710a4e921590b7c350f9819682168453eaf1b21

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
1.6MB

MD5
1f0a3b047f9b4a2aad65a1f3296c0581

SHA1
f2b2cd34f8b223dfd776bb0e3ece05f335af0e40

SHA256
a2c5cc732d4316f8da2d82d1935edf71a32c7395ab7eb6b40cb87ba4c73e7f74

SHA512
71685628ace01e3c433144fa12e6bf0bc190debf10934d0e69e1ae7eb53910ea936c1554a7ddcaea176082e7540687b6047c105d51c8b76b7bae146b274ef4bf

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
1.6MB

MD5
1c08fb211ea824cfc508a8c2b0be0d1a

SHA1
f0ee98679660761ed0db71f41f1ed5064c2a8258

SHA256
43726a5ff8efb9e0f0300c707aa090dde818c5bcd929a52fadb592064c6e5319

SHA512
ea4766c66f75eab07c9bd9d2406be8b98d56af354f6ad2e625f3fce93d88491cf0970a0d26ba5b0ed6215a2eff2d357b66d1adfee10fc875eb64cc400d36eef2

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
1.6MB

MD5
3a7afcae9625f6bd92f640652214164a

SHA1
7605d9890090143dd826709024c19277890ad525

SHA256
794addbee492b4c1bec9191e81a180adafa5f41279c6a559c092b2834f7bd9d1

SHA512
e6a40d9c7924d685dbb9fa21a9bfc420feb68f224372392f3cd85fd09fddb9bd08194c2668fa65bab38481204f9e3c78b324421286b7d83e67b32fc92cdd69ed

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
1.6MB

MD5
33ec797b873a11d49556816d7d7a6c8c

SHA1
f4cfc2abee0d94069c389a154a1855dfec42a889

SHA256
7b8973c648a4c241a7be3f032113dc4c3eeb6343ea9d517533cbefe7e48c1b6f

SHA512
909ceb0d1c36b20df93afcb0cbd7f5edeae5c83189b7ca2779b2d90b3ec1ae2721a6446e104e03271ac81f578bc2314c637a5ad07cb7bcc10ca8268270b21ffe

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
1.6MB

MD5
309ec25b348db1bda8c2df48b219f386

SHA1
9310c95a23a483a5a4c5773eb5248c92bf5e000a

SHA256
51d711d2df8e34b007d6f22d659c755a634fe365f957dfca27e2c7e6d08b1d07

SHA512
7b5a1b33c600af301ac4f3d37a502d73b5e7a0eee7b67cad4c9111f160fa9dcaece064989fa05f147cd27dc153a4a1b27a28e721bf895e77f9e6ee2a3c6ee80c

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
1.6MB

MD5
12c4e9a6bfb1dbb223300bcf07ac30eb

SHA1
ec9658f247d6143a354cab4bbb1e8414fe26d6f9

SHA256
9328b3600489f843c5fbac1af4bf5f6a7a146416e2057c9ff8a18d3d8b4defcb

SHA512
d8ab76ae968a17031db90515439eeb821800cf47eacf6a7f5f98d8ced72117be37a88046edad4a0312c437a35e11650d8e8f9960375f02592127e98714c19f26

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
1.6MB

MD5
4567879ae19ffcccfcf5963bd1ab2cfa

SHA1
6848e82dde85f37df2ef91f96c5d4dfe098cb808

SHA256
f26b8ba2598c59e5eaebdac643ee945f80556e56b616e6fb62c2d035f11108d8

SHA512
81338d451a92277e0a3c2930949cdb3ab38dbf3bfdc2e42117a15634f711af48b88f556f3242a78a857df5ebfa0a81ace7ce14eeab5914222e36ec6936778218

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
1.6MB

MD5
668b8d98cf3de551eeaf06accd2f046e

SHA1
567a45b8711fa71c63ed9fc58960458262503e13

SHA256
152230b825093d3684a6861d41288a7cb491c734795a6ef7fa1c190f05dda373

SHA512
7cd8b53a1069383508757be7fb66278609b5defc59595cd4f7d9d938064ea1d1bb807697401b65e4b450d78696259ea5bf35718cb1b324af6f08a53d274b52a0

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
1.6MB

MD5
6233f184ba267188c82189c5ddc087a7

SHA1
746f5d5922cd16662390642f0bbc28234d863c71

SHA256
663bde53ef85fd4b3726a09168dd6cb982eee017aa69e98d7e1b31d5681e00ec

SHA512
2464c23a8f97be3617ba68e92a216be9e94e9ef928a32fef197cfdad90249c70c68661feec57525cd339433c0fa0f86b36f5034c2a027f7d86c4604671584075

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
1.6MB

MD5
c736f587e4a6668d32bd7874237cdab1

SHA1
579acb409c5cb3a54a039140dd753677524ab3a3

SHA256
d0a53c082640d835a3f8ec0b40555434b30ac737da6d35f648ea023181640bef

SHA512
4cad3fe70e693a473e388df1f60647accbb7b8064d6ccf72931624ae4837661e18d10a9eeb9f3870f1d0079d29f34b870a0bcd331fb6c15f8747d452d12f3bd9

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
1.6MB

MD5
b7039a11711a5149cdd4374e3a82920a

SHA1
9eac1861f142cdb5ccb45f68f82bbe5491f57702

SHA256
00f8033c6e55c22917fdccdae08c173784d8253b51ef5efcf2d19ba881664cfe

SHA512
c2f86d521f48dc590f751b5d9f25d67a524e63127ac0d7846ca5da2ddf7b4552f3e46552bce1a0577089378e3711185ec72719bc19e9ac2cc7d39f0cb6e2c6f9

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
1.6MB

MD5
a0fdb06ddc16850b551ef932d379a2a8

SHA1
451b1ad0179d4e531d9105f17d25805236c29e82

SHA256
2cc41fd82a8fbbbd37d0ada243ea19cdab0dbf52724cc6148493a1fb1134f1d5

SHA512
7291c6407656b626029cc3a2f8bd9ae1eda3e9ac29cf8386ba7d256622206d46aef213b6bdba24ee84b55a8ba58ec35bab2f849c540a8e783da418c285409bdd

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
1.6MB

MD5
c911bc927d11264d4c71f3d7b6fe75ba

SHA1
a70f51b7bbbf083a3fad226b1034edcc64b88ac2

SHA256
d4c8e53df1a19f0e8ccf712912434a380eb46f90b9851fbe7c42d5bef6485c46

SHA512
6b03c7f813924fdeb5a5f39adf1e924c6009267b1b4ca007e0bc48d75a547b5a19e2bdedc144caafe118b4c21ac2d7769ea01cae70016de2faf0324ac1e661a8

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
1.6MB

MD5
0c7f476d81cfbd163ea68766d7e34b3f

SHA1
f47c691498c82c85dc4b797f0b42167aee6e1fb2

SHA256
b3e4e1b04847bc4467f8f9a31e879aadc1cf3e8fc58d76fda2d16c998663e268

SHA512
c121699ad4ab870070e204634ec4bd0f011b5c004c8655952d2d793e5e81a752209679dfcc3b71c74f920626ae59bea180fdfbc104bbf3cb1e4ac11defc2a5ec

Download Submit
C:\Windows\SysWOW64\Ocbddc32.exe

Filesize
1.6MB

MD5
6a5de03c804ac2707a4b1a5fb52b1fe2

SHA1
5b4eaa54f1ea048c7a2a0ff95fc01f74722e68af

SHA256
fcc54b12bab4a7612007f113d455c3d56d8503952008b04b0da5d2a3a5f97e84

SHA512
c3ded4ffc03b5dc82642ea7173fc05397b7ec79edd9896cea0227670c66c317d07aee43e142e737b3d45a6b84f09c60d09d893b4ce64d8636dff47aa4040e76f

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
1.6MB

MD5
e73e2a87150e79cc4b97566cb2dd46fd

SHA1
3e5201e0d7f7007e2355a88a737b71887ac4a1ac

SHA256
85b36c26058ae9239872eef3b4cb355b5416eec5b112b39004914fab277f8a60

SHA512
4570ba70abcd785bdd814414f9d18a3cb9d0174cfcc7ab2d82fa7f28224729f0805b793fb613dabf620a1afdadbd1c37aabc080395fae388c725283d63e458f5

Download Submit
C:\Windows\SysWOW64\Pclgkb32.exe

Filesize
1.6MB

MD5
485cc876a081f5144123cfc474e460eb

SHA1
9ef954cba8877e5c3783794bedf1d7b109124a02

SHA256
aa7a37b30f4c2c2ebe582ab2c610f3f076830a9446865ce5ea585a7b25ed6090

SHA512
74878ee054bcbd779b9d722bc473cd9a5b618947cf1f059615f8597a5da852586ecafcc283d939dde20a8ed34e5ec9ae8ee769420826faad721d838d56a64d98

Download Submit
C:\Windows\SysWOW64\Pdfjifjo.exe

Filesize
1.6MB

MD5
f22245e616c79cb507726fbea53cb7ca

SHA1
98d0d06e98e08e79654f1f082af5e63e0f0a2902

SHA256
2a7bcec107db85e63ff572ba0d165657061c2f41a8c6403c8f13977b541a7d64

SHA512
ff5d85f1347cb3b553005704b4ea596ab8cbb0e335d8f50648884cd2d21c4420efaad22c5db3233f257b29f8cb8cfb3ab4d6580b9b3f34afbba8bbfce5d17d97

Download Submit
C:\Windows\SysWOW64\Pjhlml32.exe

Filesize
1.6MB

MD5
0cf5d946668165abfbb099d3dbfc24bb

SHA1
4ac7a7b5b7a87f51ba3880f61b7a2ac5d7cb582f

SHA256
a90c53cc9984ee89a49cabd697beda1a780ece10865a0aa518b4cbc476c9778c

SHA512
5e824dc2a540eb1b6fe77de64a444507a25b11af4b82b6097f2201d365ba6d59bdd76c75a206294d94bbde972da8a9299d741b409aec444a33656162600a5ce4

Download Submit
C:\Windows\SysWOW64\Pnakhkol.exe

Filesize
1.6MB

MD5
57c0473943c84d20027a3f35e9714fb2

SHA1
eaccef4972f1ffc554b2826f54b7c1e7d1f53f17

SHA256
70ec3eb2e1d41f2d9f4ef1ea9026e1e5b5b6b783d7a77e5ea7ee3f246ba76090

SHA512
04b999324c8e409af08ec495f62731d44370931d2995b8ed53caebbf1a9a9c9753c46f21d53127f7b43bf257945e9ca659b90d5644b86113acf59e65871c73fe

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
1.6MB

MD5
69a3536d810fe272ba89b0cacdd23268

SHA1
dc9b21385a61b67b39b425a900b8dbd69fa4d93e

SHA256
d57b845bc95569cca91f0eb319be4ac4d596b60976e89631a9c079fdb20967e3

SHA512
320ce1549991d6fdcb887eba6fc39df6147e4ba0f65508d6f2fe418c794cbd7dafbe704b0c00728c7f77df85c2d4a71656d5e430d56d63f13295026c6f516ebd

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
1.6MB

MD5
0dd068305bb20d3c86f573971eee1c4f

SHA1
8836663ec67cf2e67c693874d0cf77e6fce0f618

SHA256
2e2c972d175367a9252ae52e5a365f510817d2c3ec5d02ab969b5fb929b08f1b

SHA512
c90ee46de76e12b15cd4fe3ba8c95a2fcb2aeb01ebd647af08df6f7754da453e36f6efb358784a5bac1d5024798439db865d6651c7e10565f3b4064f07f4efee

Download Submit
memory/232-568-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/232-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/232-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/400-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/920-173-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/940-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1056-141-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1100-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1204-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1208-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1208-564-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1380-149-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1384-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1580-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1604-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1640-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1676-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1712-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1756-393-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1832-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1832-553-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1864-566-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1864-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-551-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-560-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2372-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2404-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2596-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2800-165-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-545-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2860-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2888-547-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2888-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-549-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3196-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3468-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3516-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3640-45-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3972-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3980-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4100-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4120-157-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4132-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4256-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4372-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4380-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4384-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4592-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4612-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4704-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4804-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4812-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4848-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4848-562-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-557-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4972-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4984-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4996-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4996-556-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5000-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5036-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5040-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5152-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5196-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5236-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5276-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5316-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5356-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5396-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5436-442-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5476-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5516-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5556-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5596-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5636-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5676-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5716-484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5756-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads