06854b087060e6e39a4f9a0e11c3e48bed107c0b281ceb8ebc92d1291c8709d3

Analysis

max time kernel
105s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf29c1138345c8ae4157db75fd0358a0N.exe
Size

64KB
MD5

bf29c1138345c8ae4157db75fd0358a0
SHA1

df72bb5f0e0bded1c498fe1d851ffea2a253a230
SHA256

06854b087060e6e39a4f9a0e11c3e48bed107c0b281ceb8ebc92d1291c8709d3
SHA512

5333d8f2941ec0adae8d5b1d7b242bf08ce357138379f35f382ad0684a04c075f910fe67f1f46fb87e385212e559647cb950829fa7f8b3c38bc14e77b73a6dac
SSDEEP

768:zeqIKSfawYgqPVFSEZXoL746pGDBifgDpPGieffm41dRcKt6kdviD/1H56j6Xdnv:aqI3SgAcao3LSNpPLeffldTuR5ZuYDPf

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	bf29c1138345c8ae4157db75fd0358a0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe

Executes dropped EXE 63 IoCs

pid	Process
3164	Andqdh32.exe
3132	Aabmqd32.exe
8	Acqimo32.exe
3636	Afoeiklb.exe
2384	Aminee32.exe
620	Aepefb32.exe
2132	Accfbokl.exe
1296	Bjmnoi32.exe
1508	Bnhjohkb.exe
1472	Bebblb32.exe
2244	Bganhm32.exe
4468	Bjokdipf.exe
1176	Bmngqdpj.exe
4272	Beeoaapl.exe
4736	Bffkij32.exe
4520	Bjagjhnc.exe
4612	Bmpcfdmg.exe
3672	Beglgani.exe
1356	Bfhhoi32.exe
948	Bnpppgdj.exe
2472	Banllbdn.exe
2652	Bclhhnca.exe
2900	Bfkedibe.exe
1164	Bnbmefbg.exe
4308	Belebq32.exe
440	Chjaol32.exe
4452	Cfmajipb.exe
4160	Cjinkg32.exe
3376	Cdabcm32.exe
4600	Cnffqf32.exe
4048	Cmiflbel.exe
3488	Chokikeb.exe
4164	Cjmgfgdf.exe
2240	Cmlcbbcj.exe
3968	Cdfkolkf.exe
536	Cfdhkhjj.exe
4384	Cnkplejl.exe
3956	Cajlhqjp.exe
4712	Ceehho32.exe
2176	Chcddk32.exe
2492	Cjbpaf32.exe
2364	Cmqmma32.exe
2300	Cegdnopg.exe
4260	Ddjejl32.exe
2820	Dhfajjoj.exe
1332	Dopigd32.exe
4484	Danecp32.exe
1128	Dejacond.exe
2116	Dhhnpjmh.exe
4444	Dobfld32.exe
2600	Daqbip32.exe
2264	Ddonekbl.exe
3924	Dfnjafap.exe
2480	Dodbbdbb.exe
1328	Daconoae.exe
1148	Ddakjkqi.exe
1640	Dfpgffpm.exe
2420	Dogogcpo.exe
4004	Daekdooc.exe
968	Deagdn32.exe
1700	Dhocqigp.exe
4576	Dknpmdfc.exe
3436	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Mglncdoj.dll	Aabmqd32.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Aabmqd32.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	bf29c1138345c8ae4157db75fd0358a0N.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Aabmqd32.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Acqimo32.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Idnljnaa.dll	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Lommhphi.dll	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	bf29c1138345c8ae4157db75fd0358a0N.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Beeoaapl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3736	3436	WerFault.exe	150

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf29c1138345c8ae4157db75fd0358a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	bf29c1138345c8ae4157db75fd0358a0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Daqbip32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 3164	4796	bf29c1138345c8ae4157db75fd0358a0N.exe	84
PID 4796 wrote to memory of 3164	4796	bf29c1138345c8ae4157db75fd0358a0N.exe	84
PID 4796 wrote to memory of 3164	4796	bf29c1138345c8ae4157db75fd0358a0N.exe	84
PID 3164 wrote to memory of 3132	3164	Andqdh32.exe	85
PID 3164 wrote to memory of 3132	3164	Andqdh32.exe	85
PID 3164 wrote to memory of 3132	3164	Andqdh32.exe	85
PID 3132 wrote to memory of 8	3132	Aabmqd32.exe	86
PID 3132 wrote to memory of 8	3132	Aabmqd32.exe	86
PID 3132 wrote to memory of 8	3132	Aabmqd32.exe	86
PID 8 wrote to memory of 3636	8	Acqimo32.exe	87
PID 8 wrote to memory of 3636	8	Acqimo32.exe	87
PID 8 wrote to memory of 3636	8	Acqimo32.exe	87
PID 3636 wrote to memory of 2384	3636	Afoeiklb.exe	88
PID 3636 wrote to memory of 2384	3636	Afoeiklb.exe	88
PID 3636 wrote to memory of 2384	3636	Afoeiklb.exe	88
PID 2384 wrote to memory of 620	2384	Aminee32.exe	89
PID 2384 wrote to memory of 620	2384	Aminee32.exe	89
PID 2384 wrote to memory of 620	2384	Aminee32.exe	89
PID 620 wrote to memory of 2132	620	Aepefb32.exe	90
PID 620 wrote to memory of 2132	620	Aepefb32.exe	90
PID 620 wrote to memory of 2132	620	Aepefb32.exe	90
PID 2132 wrote to memory of 1296	2132	Accfbokl.exe	91
PID 2132 wrote to memory of 1296	2132	Accfbokl.exe	91
PID 2132 wrote to memory of 1296	2132	Accfbokl.exe	91
PID 1296 wrote to memory of 1508	1296	Bjmnoi32.exe	93
PID 1296 wrote to memory of 1508	1296	Bjmnoi32.exe	93
PID 1296 wrote to memory of 1508	1296	Bjmnoi32.exe	93
PID 1508 wrote to memory of 1472	1508	Bnhjohkb.exe	94
PID 1508 wrote to memory of 1472	1508	Bnhjohkb.exe	94
PID 1508 wrote to memory of 1472	1508	Bnhjohkb.exe	94
PID 1472 wrote to memory of 2244	1472	Bebblb32.exe	95
PID 1472 wrote to memory of 2244	1472	Bebblb32.exe	95
PID 1472 wrote to memory of 2244	1472	Bebblb32.exe	95
PID 2244 wrote to memory of 4468	2244	Bganhm32.exe	96
PID 2244 wrote to memory of 4468	2244	Bganhm32.exe	96
PID 2244 wrote to memory of 4468	2244	Bganhm32.exe	96
PID 4468 wrote to memory of 1176	4468	Bjokdipf.exe	97
PID 4468 wrote to memory of 1176	4468	Bjokdipf.exe	97
PID 4468 wrote to memory of 1176	4468	Bjokdipf.exe	97
PID 1176 wrote to memory of 4272	1176	Bmngqdpj.exe	98
PID 1176 wrote to memory of 4272	1176	Bmngqdpj.exe	98
PID 1176 wrote to memory of 4272	1176	Bmngqdpj.exe	98
PID 4272 wrote to memory of 4736	4272	Beeoaapl.exe	99
PID 4272 wrote to memory of 4736	4272	Beeoaapl.exe	99
PID 4272 wrote to memory of 4736	4272	Beeoaapl.exe	99
PID 4736 wrote to memory of 4520	4736	Bffkij32.exe	100
PID 4736 wrote to memory of 4520	4736	Bffkij32.exe	100
PID 4736 wrote to memory of 4520	4736	Bffkij32.exe	100
PID 4520 wrote to memory of 4612	4520	Bjagjhnc.exe	102
PID 4520 wrote to memory of 4612	4520	Bjagjhnc.exe	102
PID 4520 wrote to memory of 4612	4520	Bjagjhnc.exe	102
PID 4612 wrote to memory of 3672	4612	Bmpcfdmg.exe	103
PID 4612 wrote to memory of 3672	4612	Bmpcfdmg.exe	103
PID 4612 wrote to memory of 3672	4612	Bmpcfdmg.exe	103
PID 3672 wrote to memory of 1356	3672	Beglgani.exe	104
PID 3672 wrote to memory of 1356	3672	Beglgani.exe	104
PID 3672 wrote to memory of 1356	3672	Beglgani.exe	104
PID 1356 wrote to memory of 948	1356	Bfhhoi32.exe	105
PID 1356 wrote to memory of 948	1356	Bfhhoi32.exe	105
PID 1356 wrote to memory of 948	1356	Bfhhoi32.exe	105
PID 948 wrote to memory of 2472	948	Bnpppgdj.exe	106
PID 948 wrote to memory of 2472	948	Bnpppgdj.exe	106
PID 948 wrote to memory of 2472	948	Bnpppgdj.exe	106
PID 2472 wrote to memory of 2652	2472	Banllbdn.exe	107

C:\Users\Admin\AppData\Local\Temp\bf29c1138345c8ae4157db75fd0358a0N.exe
"C:\Users\Admin\AppData\Local\Temp\bf29c1138345c8ae4157db75fd0358a0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Windows\SysWOW64\Andqdh32.exe
  C:\Windows\system32\Andqdh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3164
- - C:\Windows\SysWOW64\Aabmqd32.exe
    C:\Windows\system32\Aabmqd32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3132
  - - C:\Windows\SysWOW64\Acqimo32.exe
      C:\Windows\system32\Acqimo32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:8
    - - C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3636
      - C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1296
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4468
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1176
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2900
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4160
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3376
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4600
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4048
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3488
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4164
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2240
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3956
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2176
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2492
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4260
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4484
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1128
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2116
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3924
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2480
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1328
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1148
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4004
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        64⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 396
        65⤵
        Program crash
        
        PID:3736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3436 -ip 3436
1⤵
PID:4876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
64KB

MD5
f54284d87b450520227d90e6235608f8

SHA1
99d941ccfcaad8a6b5708b69ab1cbd8ffbdd5197

SHA256
6a01bad14962ab45c17034afa78a92e2c1ca607388ebef5914ff67875e59fba7

SHA512
f3fcc7f8f32f43e93ee6c49904908a12100f30b608b1e2f3003cfa7bdfc9243c8a12f2c9cc36b0a4eeb816fa171ee7a8af543591313b0bc91c19b36639331eb7

Download Submit
C:\Windows\SysWOW64\Accfbokl.exe

Filesize
64KB

MD5
6a8c671ee18fe35324e99272561ce195

SHA1
1a507dcdd926d6b93e5eebbdb047e81d1baddb7f

SHA256
1fe6bb45f3f65cef9b1a96f1c6fa1e71613e248be1e5e293e2e9540bb5ff8945

SHA512
afde056f98bb749769c98092c5ef2523c6c50341e40dfa9f53fece37645d79aec01fe0164ba7df036489ab9be2acf958329f6b05957f2cd21db1699744bad103

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
64KB

MD5
aa62f99ad7e8bcc09c5eee7938dcf414

SHA1
99724c1fc9a3873013b21bba47a85b5edd2cbf36

SHA256
681b75fa7c507ba9256409f0666be76f7ced76b2744699a92f5642c06bc77391

SHA512
b169481418eed779dc3dfa0afe54a6a1720e6479214d9512755b80d20691805f7181ff1d49e591c8bc1ec115924fc6379b3d6c84c6e249750df0a6ff430e3f1e

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
64KB

MD5
c86a22870d36e0b264ab340c838d4cff

SHA1
42dd4e7a3449ccfc480c03451c0849e34fa3ad0c

SHA256
42f7a3780eb0b01e45a46310e853000ac2d0080356eddc4be8aeeed4441bea23

SHA512
e552a0008489b9c43d6eafc3d2a5adb192f6a79a209ac2942cba28634a32cf35b37c6b7a6d899c5a7f12a7f3f31a61eaf4c700cbe0d6ceaafe2dc8e6b5c8c4c3

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
64KB

MD5
39bfacb52680c2155220d28978de5a89

SHA1
78829e40488076538adaa4c730a929dc672d32a2

SHA256
2ae980d60765e87d26f20fcf8d7bbe739965e443c14feff7dad2c52a084dcc08

SHA512
1dced641f8d0356222928d0eb73280732a979949670b684b6200d7097f0d6d91ddf9b18b653dc99cc4d75dcdff06a417ef2925dcab95c83c368c1ee81e68a0d2

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
64KB

MD5
132ed6e729fd98a938a55d68facfc0c1

SHA1
b5fed11ab4dc85d86e6e346d7fdfd272d88df53e

SHA256
30431104637aeb00e666fbdb50c8d447cc9d0362e80d5709d72b073ed24dd603

SHA512
50743eb8508773904a58f223035e2056ddcea592bea0aabfd8bcc48c3ff185cfd908600316b891ab2d41380acc3ce8a58f29cd1c789269386931b650f660b81f

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
64KB

MD5
ea23cf4846c86bcb45d7336b29782993

SHA1
4e87a84f48ce14666eea2d4b7c9f63c90d0f69dc

SHA256
60dc38be404f15cac7b8b356cbb7c5056fa3b07d81f70c88243628cef9e37b62

SHA512
5f5d1c5e001ca091e3b8027f5df9dedc18ab2934adea4d1c8608d80c2df48714ea1e47d66e79fea90396808ac0654e668c94ba8320c763b502e01d60387f268d

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
64KB

MD5
f198eba661640508115fa93d94fe1ff2

SHA1
1884e8dc7329586e542b355e6e985bbaa775f821

SHA256
16184806cd5522107db0bf3096beb0ffb63280dab380569b5915a6f94b0cbed1

SHA512
de283ed88d95d578cc49482fb46e40615f04cb75132942be2384574085668d8e00ae76da16cbdb4a5101e25fc7073e82be61c77c429adf5e5297d429d36eabe0

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
64KB

MD5
be6c7b3fbcedf8c459de7c203e4a630a

SHA1
71b36234d72827028c3aead819ea1925141782ac

SHA256
1dc8ba61facab9330cfddd98d13a29778735c373748cc44ecc7bbd0e20a0dc0e

SHA512
a08e21b4b69adce9d81c242a44475f6f8a6713d81f6d393418a9c839dbb4f24a482ff819083dd3f9cc5895781327ed842e041039f76d150586712c1d37ce2741

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
64KB

MD5
10d9e45d56630ce1f5acb7c775583449

SHA1
dd9deef9a2be12ec8a06f99841baa0590e335315

SHA256
8756bd5f762aa3f3a4ca68ff8c962d01d8e5ea70cd4f4656ab65b6c78d005db4

SHA512
bb57bdbd70ff1e70cc0e091a5d9fa3c58f29196c0c2e9484e60cadab6375fea3f69390dbedb9b810761f32d941b1f5969627be6fce1b3ff6438854d38560f3a1

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
64KB

MD5
0222f9cab4ca371eb2c37850be354db1

SHA1
2c5ab2f6510fd7c46b405a0031527c7dee34aa45

SHA256
c90f5a9b4b8a12ced79036a7b468b2bd4cc2b2c34aca77fd8acfe5dab658dac1

SHA512
4a158697beb60c22036755f495352cb96ceb3b11b2e0f4e43ed97baf83885787d066c79ff7abb5f31f5b38a4e87e30a7874045392cc00b9dd939b98e8bee3a15

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
64KB

MD5
5072767c69386e5e36845e2209fee060

SHA1
0df7536e025823d8bc098155ce00629342096e8b

SHA256
0fae84455fc18f9333f8d93849ac87adcd2606ce5aacc293915cf2a18b06d20b

SHA512
cec031888d9017ce29b0678eded4086261198e46ed1ee4f10d8a3ed5b98f64132bcd4b81f01c5eb886ff955481145ed2a90486bc6a00cdb68433e7e9e8d7636c

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
64KB

MD5
098bc163eaceb0114995aeef24b33bfa

SHA1
4ccd3e07a15a1978b7e3222dbdde442b03917f4c

SHA256
a1a3cb40788b59a44123aa5cf946603b877531b55626f668c3a3a93564d4b53c

SHA512
d234b22791c1f8c543ea41da86816bcfcadb0d98794eb476284d1fea5dcf250f1814ef54c1cfc97e911acefce6f44c4708afa5194916053961a53e6534fc17b8

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
64KB

MD5
e59e6b8e2173dc2970f0baa34a8c8e29

SHA1
9ecd22106f73c822f7573d28412a91c60d5a8761

SHA256
4c9a468f909a7b29ad8d496a4e3e48a846e101feed98e70312bf4cde8b348702

SHA512
ba682045d35d33905189d8997f1352adac34122ecb5f583e105dd3802960c1337c83c7f99327535f789c7c9ae8fff39ab6740ec5faaa33ddfecb3a8bf6f0bfc2

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
64KB

MD5
8eb36ce28f0f15376c9f39c50c0cbf5d

SHA1
c4a5ae7572460881e872985acba3af3bc36a209e

SHA256
a74f856c947e136e825360d9c868869f157adc28b6fa10d292d50021dab5bfc2

SHA512
abab9472e13785bca3b504f2a5e25cc63e6fe215aa9b3a5a18674bc31d046bc9f7de39db6b7efbd152cedc4b870ee68b5d3da95aaed948e61e325247dbebe079

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
64KB

MD5
6bab81daf9c8dcb40805b25712d09f03

SHA1
50b7767c420d50de7d6b6d67a214719742e633e5

SHA256
f61e65a2ae03f1004a37dda25f4531a1ba69a633c37551e2401b7871a114587c

SHA512
af27e261062e58111a91d4d73e63d59cfceaddfe643e436269e419cd2221db56c1bbd27f26a3738b90732796de9ede3f99595c5227de8eb7abc62299569b6d5b

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
64KB

MD5
5c598e5520d70e4192428f5d80293d05

SHA1
111a36f9834b79b398822349548b2cdce6a0bdf1

SHA256
5409680fc43bbb84653290310ecb05c7b4afb0ed7a60308db54e3f382f7dc928

SHA512
85c4a7b3c4ac2a86308f5290ede24e84d08caced387ecf9d1b271a9c9b64fe4ca9644d6e32ca83afdad8d8457a307d690ee8b6e99a741d296112c2a7c46ff4e7

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
64KB

MD5
68caad0b950c641cc7bc721ca00c397c

SHA1
348b60d9eb736c17bebf880fa6ce67eddf9c2c48

SHA256
94251f1e8b87325abab08da7399ca957fd8d1aa0db718855724217f9cd352706

SHA512
285793420bcd92490970cf77b878f6bf11f1ef7e4a8bb8a44bfc0027b5b76d24d431466de933a16d9c47964b88461c86218f9867186d38be1f4f58f655aad48b

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
64KB

MD5
b873cceaee72b2621a6f80c821f1dbed

SHA1
5271cf2415ec0ef0ebc6b26265a7a983e4dd5f14

SHA256
0fae968d8e3a83863e8b3d87145f07ff20a0c90edc5ce41721de3fc981c6dd9b

SHA512
ba3336275facdf962c4149aef303ec8c3a1c2081561ef860756dc5f7e6f43292c369e533363c52bc1e87f30a431ded3d18e8b6a89bff1e0c0a0d4a36b3002806

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
64KB

MD5
3436c34aaf97add97c8390cc48bda303

SHA1
b31166ff16b858e8bb2e93f285e2d987910661f7

SHA256
70c06391a1c4c9cfc50a7ec325e31eafd4b2be42bd1190acc5f5573cf7f81e36

SHA512
17d94b29fe7473a86182ccc75c9102ce85f285accb62d7367900cb8d47d751e7b403cbb54648816e592f383a606bcc363ee90341806f78db247befcf264d4975

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
64KB

MD5
6df3e695104e030014dcd857f8edaaed

SHA1
97c1b72a9bca1e97e5a6f73ce739c51db136f4a6

SHA256
944ae1c90384c977e33184378998bc572a3c3d36a1411fbbf44b838dcc467c6f

SHA512
e1eaae07f85e3a67459b0ccaf4caa319f5159f9b87d618561a5fc344617ceca22f8cac57486929e991448f4eed24fcbee7441c1f3fe4bd72ed1a4b27e37dabb9

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
64KB

MD5
91f400508fb737187ea38c77e029e9e0

SHA1
cdbcd57dde17e9eed6fc9975bfd021e8f2bcb69e

SHA256
c0fb4d721e75d3d6981b34594faf94c010808cf2a839939649ce91313e0e2f75

SHA512
cce12ba0282f3c3af3d0a9a99a4aeec38a2b7c733db898a38e1071f165f70b954fa8cb6c9c5dff5190729083c4e718834e012ac2e443417744c2e7d7b2b3cfc5

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
64KB

MD5
f94517db9f3b55b0ef1ad23b3e83536e

SHA1
171dabab0982afae6d2b56f10801bdbebe30545c

SHA256
76239bad9ee5db19d3a577001c7f57d6a38a8f4b5c7e74be9557ef46ad67ae3f

SHA512
a189af76f8911098fca29ae045cb2314a41fda93b321560d37037a2a033557c958bece05a6a34f7d5de62a659485c927b1ca8b21cf31258fa057e1976eba908e

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
64KB

MD5
59b37671d105ff5e2e5dd90f878e523c

SHA1
b85de1e08e795b791df14d3cbd2d37e183e28e90

SHA256
d5b6303d42cb48320897e9433c5ccdc6e196b8617c07afb777fed78b62bbeca2

SHA512
0c3c50c8d31002c8082c2276c55aefbb0b301dff6a91e2077fc5767b33c71284c7b7299fb039d12b2332b89ad5ea315dbbc273344c693afc0937388e2eb44ff4

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
64KB

MD5
412862419bfe1fca798cb45dad254445

SHA1
a370d737dd542c1803c0aab88dd970d5d821aa7d

SHA256
0784da82644e040c96383741958a45acf8d9988f05da0a78b8441d235e8812bd

SHA512
42041f047aefadd02663cad55a33d9c30a337bd42d537bc01c27e3b8ecc1db1da308d24a687e89e6873005b1be4eff4ff750b59d87dc011c0e7be67a46bfeb40

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
64KB

MD5
996fe5277829f353161e1fa784543679

SHA1
859608b05c4452a72deabbb07eb6827266a58143

SHA256
f95867f23ccbe25012f279251afa8879699da23227cf8b71765e2b3053618074

SHA512
4c614f840051d01ae95c401a313e5d71191c0a930f27d7128c06b445dcf5f289ec3030527d1591ee7bc0a5cccf25400583ba60fa1471ce6cf1eff8fc23e97cc8

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
64KB

MD5
054d1589cbb46482046c88c0a621fdca

SHA1
a4d3cd1ed7c0c4076475092c958574fc2269cf9a

SHA256
06616c9fcb0e26a0a8edfa9cda2dc13d98e2ba9a272b173c825b5ac84b668d70

SHA512
a4ba4136f25e3951bf8edaf1c2d7eeb4596f9535926c79a597fbe81ab7fc8435c1fc7056dabbfb0df3541106929e0d8c2165450171927641bdb7b5b56f7d969f

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
64KB

MD5
928c3d8ec01c25021961ffaa2b999591

SHA1
f3c4598841323baac1eafa970328788eb8b13e1b

SHA256
54680e74bba40d8e3812b98fe36bd4284c56357cc1372f81d77031d722af7a65

SHA512
53913ae7c0c1f7ed6513f9b7517af72bcdcf382339f25ac488832f0a53e017d7ba5ef173db929549bd28b66c2216e98127517d5537c53e8c50b7bc4836610071

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
64KB

MD5
3280fa13a1e238b664dd540e3eea1935

SHA1
08eb68422886a1fc427fe03021e2c57d1a6d8668

SHA256
a53885fc2631d38a45e446eab0c0baf4270e8da587ae0d2d6e220dace4934af4

SHA512
6842eee4ac4a4d3c6b8d02a61f9f9f7f0c517574cfe98f0c93b762b81bee6638999e8638f3ed5a84f94bd80d16a7b010cf94d33c8263f14d039e8c3da3f4de94

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
64KB

MD5
e61e5a96c1ba6eb11145b117e93643a0

SHA1
b6365464981637e7c674314e219172584e40ea97

SHA256
11ddbd7e70e5a1038c8be737456d46ba1c0f9f32df4062cb7eb7e9e68e60927f

SHA512
0b8f373fe5a9f65903f58eb365c3d0079231e50ae0943b4f20c76a509dbbf79446a8a19e854a8249939b54873787a63604fa9c7a107f44c7903c63bc65ef0ee5

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
64KB

MD5
8b6e2d92b29a2ad5f27f99b316c4a875

SHA1
bed3c80daddf9ee993d8561aca11983f53e4895f

SHA256
eb00f6ab1e28a892d8e889b0780f40744bd7652e7e06396bff60130e21c6b459

SHA512
5d06415220f7b8d01a16852dfbc6f896aa711ef536103593cd3d9d3557054b78505724e67a2855c48b94e6447861e1739361b25defb541491bf6e99bd14c71aa

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
64KB

MD5
2c67096c451b178529945d0154e82750

SHA1
a22d1b7f36b9123c4c28f512612416f04f6413e2

SHA256
e6189bfa817635216d26e910e04942a3f9451b759b964ed2fd5371bbc9001e15

SHA512
cebdd740dc4ae7b6053e1db5d5eefa6eb7d0ac7165daa17a4003594c1dd4280478d0d3acf90ece9d5bcffc277820085f987a254ef47c00175de090a010d553bf

Download Submit
C:\Windows\SysWOW64\Dhhnpjmh.exe

Filesize
64KB

MD5
7a66e6543622a875262a91c4e5e39ade

SHA1
55a2d0037f413a049f66928bdf6a989a8e9cb844

SHA256
3abd2b62d3196e651a0acf977edadc6091bf8ef799c21f2f8d8774d67a3f5e89

SHA512
5e14df9e1efa52f7fa8d6828cca66546f582a251f83e96cb8540131ac6a71d615eb8e9bab93ed238bc69838c5f81dfcfe6031b7d1e7ab1d3234877c80680508c

Download Submit
memory/8-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/440-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/536-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/536-495-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/620-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/948-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-452-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1128-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1128-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-458-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1164-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1176-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1296-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1328-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1328-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1332-478-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1332-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1356-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1472-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1508-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1640-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1640-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1700-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1700-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2116-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2116-472-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2132-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2176-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2176-487-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2240-499-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2244-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2264-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2264-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2300-327-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2364-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2384-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2420-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2420-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2472-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2480-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2480-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2492-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2652-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2820-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2820-480-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2900-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3132-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3164-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3376-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3376-508-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3436-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3436-446-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3488-502-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3636-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3672-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3924-464-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3924-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3956-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3956-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3968-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3968-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4004-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4004-453-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4048-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4048-504-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4160-510-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4160-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4164-267-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4260-333-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4272-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4308-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4384-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4384-493-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4444-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4444-470-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4452-217-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4484-476-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4520-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4576-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4576-447-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4600-241-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4600-506-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4612-137-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4712-489-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4712-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4736-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads