21f965ffca824cd209b411c5365dd5bcf03a29d23b9db0132f09045c08474db3

Analysis

max time kernel
104s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 06:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

87d3c4716201c40f0256bc9dcbfc79d0N.exe
Size

78KB
MD5

87d3c4716201c40f0256bc9dcbfc79d0
SHA1

ab63951038dc002cb2c36480354b2ab049a4d863
SHA256

21f965ffca824cd209b411c5365dd5bcf03a29d23b9db0132f09045c08474db3
SHA512

a48de41bd4db5897ed2ddd256c611cbed60780d86e81e9fa47bfb4d96d9fbf8c988097ca00f6ce8f1e4be25e1cef74d682d51a9bd40ad9f3dd56696bc63061a8
SSDEEP

1536:l8SDcK0h2NBqrx5CywnX9Q2Zkd8T8fwLaiiVkN+zL20gJi1ie:l8I7S2AxsFNQ2Od8TywLaiiVkgzL20Ww

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe

Executes dropped EXE 64 IoCs

pid	Process
2748	Qfcfml32.exe
2316	Qnjnnj32.exe
4476	Qddfkd32.exe
2492	Qgcbgo32.exe
2124	Anmjcieo.exe
4224	Aqkgpedc.exe
4832	Ageolo32.exe
3720	Anogiicl.exe
4240	Aqncedbp.exe
4296	Aclpap32.exe
4024	Afjlnk32.exe
776	Amddjegd.exe
1864	Acnlgp32.exe
3752	Ajhddjfn.exe
4440	Aabmqd32.exe
4732	Acqimo32.exe
3008	Anfmjhmd.exe
4392	Aepefb32.exe
2804	Bjmnoi32.exe
2028	Bagflcje.exe
628	Bganhm32.exe
552	Baicac32.exe
4948	Bgcknmop.exe
3172	Bjagjhnc.exe
1084	Balpgb32.exe
1516	Bgehcmmm.exe
2468	Bnpppgdj.exe
4196	Beihma32.exe
4300	Bhhdil32.exe
2932	Bnbmefbg.exe
2108	Chjaol32.exe
2224	Cfmajipb.exe
3948	Cndikf32.exe
3208	Cabfga32.exe
3460	Cenahpha.exe
1672	Cnffqf32.exe
3472	Caebma32.exe
1244	Chokikeb.exe
2888	Cjmgfgdf.exe
3672	Cmlcbbcj.exe
1876	Cdfkolkf.exe
1176	Chagok32.exe
3004	Cnkplejl.exe
4512	Cmnpgb32.exe
3968	Ceehho32.exe
2412	Cjbpaf32.exe
2396	Cmqmma32.exe
1252	Cegdnopg.exe
1284	Dfiafg32.exe
2796	Djdmffnn.exe
2940	Dejacond.exe
3668	Djgjlelk.exe
1320	Dmefhako.exe
4436	Delnin32.exe
2904	Dhkjej32.exe
1152	Dfnjafap.exe
2544	Dodbbdbb.exe
4580	Deokon32.exe
4880	Dhmgki32.exe
1632	Dkkcge32.exe
1996	Dmjocp32.exe
1912	Deagdn32.exe
1656	Dhocqigp.exe
3348	Dknpmdfc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Chagok32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Ageolo32.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Aabmqd32.exe	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Qnjnnj32.exe	Qfcfml32.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Qgcbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Aqkgpedc.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Anogiicl.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	Qnjnnj32.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bganhm32.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Cmnpgb32.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Anfmjhmd.exe	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Cdfkolkf.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Gokgpogl.dll	87d3c4716201c40f0256bc9dcbfc79d0N.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Aqkgpedc.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Ghekgcil.dll	Ageolo32.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Ehfnmfki.dll	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
208	2336	WerFault.exe	151

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	87d3c4716201c40f0256bc9dcbfc79d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmolq32.dll"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bagflcje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qnjnnj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgehcmmm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1144 wrote to memory of 2748	1144	87d3c4716201c40f0256bc9dcbfc79d0N.exe	84
PID 1144 wrote to memory of 2748	1144	87d3c4716201c40f0256bc9dcbfc79d0N.exe	84
PID 1144 wrote to memory of 2748	1144	87d3c4716201c40f0256bc9dcbfc79d0N.exe	84
PID 2748 wrote to memory of 2316	2748	Qfcfml32.exe	85
PID 2748 wrote to memory of 2316	2748	Qfcfml32.exe	85
PID 2748 wrote to memory of 2316	2748	Qfcfml32.exe	85
PID 2316 wrote to memory of 4476	2316	Qnjnnj32.exe	86
PID 2316 wrote to memory of 4476	2316	Qnjnnj32.exe	86
PID 2316 wrote to memory of 4476	2316	Qnjnnj32.exe	86
PID 4476 wrote to memory of 2492	4476	Qddfkd32.exe	87
PID 4476 wrote to memory of 2492	4476	Qddfkd32.exe	87
PID 4476 wrote to memory of 2492	4476	Qddfkd32.exe	87
PID 2492 wrote to memory of 2124	2492	Qgcbgo32.exe	88
PID 2492 wrote to memory of 2124	2492	Qgcbgo32.exe	88
PID 2492 wrote to memory of 2124	2492	Qgcbgo32.exe	88
PID 2124 wrote to memory of 4224	2124	Anmjcieo.exe	89
PID 2124 wrote to memory of 4224	2124	Anmjcieo.exe	89
PID 2124 wrote to memory of 4224	2124	Anmjcieo.exe	89
PID 4224 wrote to memory of 4832	4224	Aqkgpedc.exe	90
PID 4224 wrote to memory of 4832	4224	Aqkgpedc.exe	90
PID 4224 wrote to memory of 4832	4224	Aqkgpedc.exe	90
PID 4832 wrote to memory of 3720	4832	Ageolo32.exe	91
PID 4832 wrote to memory of 3720	4832	Ageolo32.exe	91
PID 4832 wrote to memory of 3720	4832	Ageolo32.exe	91
PID 3720 wrote to memory of 4240	3720	Anogiicl.exe	92
PID 3720 wrote to memory of 4240	3720	Anogiicl.exe	92
PID 3720 wrote to memory of 4240	3720	Anogiicl.exe	92
PID 4240 wrote to memory of 4296	4240	Aqncedbp.exe	93
PID 4240 wrote to memory of 4296	4240	Aqncedbp.exe	93
PID 4240 wrote to memory of 4296	4240	Aqncedbp.exe	93
PID 4296 wrote to memory of 4024	4296	Aclpap32.exe	94
PID 4296 wrote to memory of 4024	4296	Aclpap32.exe	94
PID 4296 wrote to memory of 4024	4296	Aclpap32.exe	94
PID 4024 wrote to memory of 776	4024	Afjlnk32.exe	95
PID 4024 wrote to memory of 776	4024	Afjlnk32.exe	95
PID 4024 wrote to memory of 776	4024	Afjlnk32.exe	95
PID 776 wrote to memory of 1864	776	Amddjegd.exe	96
PID 776 wrote to memory of 1864	776	Amddjegd.exe	96
PID 776 wrote to memory of 1864	776	Amddjegd.exe	96
PID 1864 wrote to memory of 3752	1864	Acnlgp32.exe	97
PID 1864 wrote to memory of 3752	1864	Acnlgp32.exe	97
PID 1864 wrote to memory of 3752	1864	Acnlgp32.exe	97
PID 3752 wrote to memory of 4440	3752	Ajhddjfn.exe	98
PID 3752 wrote to memory of 4440	3752	Ajhddjfn.exe	98
PID 3752 wrote to memory of 4440	3752	Ajhddjfn.exe	98
PID 4440 wrote to memory of 4732	4440	Aabmqd32.exe	100
PID 4440 wrote to memory of 4732	4440	Aabmqd32.exe	100
PID 4440 wrote to memory of 4732	4440	Aabmqd32.exe	100
PID 4732 wrote to memory of 3008	4732	Acqimo32.exe	101
PID 4732 wrote to memory of 3008	4732	Acqimo32.exe	101
PID 4732 wrote to memory of 3008	4732	Acqimo32.exe	101
PID 3008 wrote to memory of 4392	3008	Anfmjhmd.exe	102
PID 3008 wrote to memory of 4392	3008	Anfmjhmd.exe	102
PID 3008 wrote to memory of 4392	3008	Anfmjhmd.exe	102
PID 4392 wrote to memory of 2804	4392	Aepefb32.exe	104
PID 4392 wrote to memory of 2804	4392	Aepefb32.exe	104
PID 4392 wrote to memory of 2804	4392	Aepefb32.exe	104
PID 2804 wrote to memory of 2028	2804	Bjmnoi32.exe	105
PID 2804 wrote to memory of 2028	2804	Bjmnoi32.exe	105
PID 2804 wrote to memory of 2028	2804	Bjmnoi32.exe	105
PID 2028 wrote to memory of 628	2028	Bagflcje.exe	106
PID 2028 wrote to memory of 628	2028	Bagflcje.exe	106
PID 2028 wrote to memory of 628	2028	Bagflcje.exe	106
PID 628 wrote to memory of 552	628	Bganhm32.exe	108

C:\Users\Admin\AppData\Local\Temp\87d3c4716201c40f0256bc9dcbfc79d0N.exe
"C:\Users\Admin\AppData\Local\Temp\87d3c4716201c40f0256bc9dcbfc79d0N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Windows\SysWOW64\Qfcfml32.exe
  C:\Windows\system32\Qfcfml32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\SysWOW64\Qnjnnj32.exe
    C:\Windows\system32\Qnjnnj32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Windows\SysWOW64\Qddfkd32.exe
      C:\Windows\system32\Qddfkd32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4476
    - - C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2492
      - C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3720
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4240
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:776
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:552
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3172
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1084
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4196
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2224
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3948
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3460
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3472
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3672
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1876
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1176
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3968
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1252
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3668
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1320
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2904
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1152
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2544
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1912
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3348
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 396
        67⤵
        Program crash
        
        PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2336 -ip 2336
1⤵
PID:4336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
78KB

MD5
b37ef72e23b90b0c0dfa09ff946c386b

SHA1
35550be3936586dae43e27eb54e159bbbf8c79c6

SHA256
4f0d537a02189254c94eb98227c49b8be074da08b49013d24db0d644124db2a4

SHA512
36b9c24d98ebd46758d825a17f467a939cc6d7187d1ba4640d4c3bdfc51acb7bcfdc5431ec8af8a4b5dd44201b65716eaa859c0bc344d1282d6e9cecf6345264

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
78KB

MD5
6bee8119cba0d47cd2e143069e40d8ce

SHA1
e0c24c3a0680ed928138db56c2360a03f3a0a751

SHA256
87e0b6a1f6d294d1e1a5f4c248e6c1975613c2670082b8f9b97684276f3cb837

SHA512
496ea6985dfd5fdba780cefa2b190cdcde944d1b4a02c53d15535af20c48b205bd3a4e512d21561475ef87770250e7f68bad1fd25b19259e50f4bdb59bd89357

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
78KB

MD5
6fa3c241dd15f84f21f6125dd52659bd

SHA1
c3a6c473559b5cc1e579dfd0f934c3fc9c930b0c

SHA256
441a854b46a6b253c311a9e38f92bc4ff06734bc0e90c47ca8952b0cf021166a

SHA512
14bd551b2c511f88d4efe69e31d8865e598e8389d0b471f6b3571920cf05f9914f32b3d3cac5d09bf1a890af5603e4bc190b43559a6a7e27c2ebb9a6c67fd3c7

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
78KB

MD5
b92da63109cd20e7df957ae03706d7ea

SHA1
0b16e8c12707342e835a356a637e669dceca79fc

SHA256
32d8b7422c1bbaa01321c8c45173605fd42e04f1268f015ec8d4cf74fc65a402

SHA512
6dc24045d7199323459583f3c8e18f681634d0bba3b47fb9966c70bc8a36c57d6a4242d9164cae1939b0f5d20bf04356e03c7a78d9e0fe3f2f60f74c183ccda1

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
78KB

MD5
f0be5095d379954b8e04f3f73e12ff46

SHA1
c309a91811871713566a7c874ded14b1f474ed4e

SHA256
d4274133a99beb76fc2135c151d01f0f3f0f63a0d1209f2e49dadb1215385849

SHA512
e8e2feb6a81e82fa5592b56bd182af16297bda16b6efcb688b65ba4b2dfd179a6dc1b1eed29ab197867f9e262368cc1ddd26d6ab319057ce28011f23be01e276

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
78KB

MD5
7682bf50fdc240281b1d3a1de4e0b9c7

SHA1
581c7d1750d5f438ba08770bb787748cb8797d24

SHA256
2277cc4ae505058d63f512e4c503ce34061f2c13865cbd3e1eea0528809fe142

SHA512
0407cc59a3c31ebf2d3b9990e7ff148d51f6c9542e4f038fdcc1e1d36186fd74d49da1d23641ef28d138b53dfe853ccaadec173de852bc4bc8a8b1f8ca5f12b0

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
78KB

MD5
3210ccfc0a49875dac075ce1c9ccbb9d

SHA1
1f9edd885191b9bf53215a1c480dc5ceeb6a0dd6

SHA256
8294834965679503e6f598c46495acfc84ae36319013a137bd35bf9bd1a1b16f

SHA512
b3c7b84998eafb98402f1d1ab013a97c601b197fdd2033fe54d111c5167c6e130f7422a482a954d98204a0b041fc80ee7abe967bc9def327fec1191b8cef8f02

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
78KB

MD5
7fa1511fe3a443411132de4cc2e24bf5

SHA1
54793f17f006ff2cbba95461f6887a5e11cc5739

SHA256
e7adedb4e1d7584f3b1cdd2d0a69beab1350ca67847612abaf3d39033a7ab1e1

SHA512
b6fa20454b7ed9d8d05477b0ce7467bb3073a90303865ba696d1703dd246dfd9126f0ae2f98e161b5a48cdd2dfc82a75e4d0dd7b7484eedf1ee1756719bbe972

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
78KB

MD5
64a0044624d87d7ce69b5b2bff5a8beb

SHA1
2b545d3a331c1891c053ba26e11e1466ae1b59d3

SHA256
889f727cbcd05b812c9d4bc9c220644d3ceee580559f27a9a7c1e845529933ca

SHA512
36ca8e6d61e8b1ec04fe86fb4d94153495f8608ae472d875ef621bb2c325819542d95ca1c14fdc4bbcd504c45604916be20c826143a2479bf44ff7d6e76a5f01

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
78KB

MD5
cb1de4e048e38b6b9396dc89415dc32a

SHA1
a76868375ee9b85bd649ffacbcde757b3fdab03d

SHA256
1b542c17d125ec4af7ee3587e95bbeb025e042fdd93fa9d90d9e1772b6a3ae10

SHA512
211003ad528dbfc60104baaf98620dee5b92b428765dc263e5026fe102b71faab65339f548b41298076dcebcb1bbdb2127955dd4db238c4e07a689323c9c3f0d

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
78KB

MD5
3bda1e07f38e1c28501f2050747286a1

SHA1
141b3a23e8fd86f7232ff1a7c856637a5ae70113

SHA256
e4afd9abbcbbc072000e8d4bb818c3e964b91b258425203a066c3a5f81200ed3

SHA512
66e9afe8fdc8fee6032410f256b25243eaa17c018e7af5052f2c5a5d56f3e56d81de8299fbf94f942b7c057a58c7ebaa52420f9f440c7ed3bc37b36d3cf5dbbe

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
78KB

MD5
2997560405540960c0d63f3da85c65d5

SHA1
b08b01e7b15e719d1416d19aa825e2b3b03994c8

SHA256
e7302cdd7d12acd192b2c8f05c8fc64f8c321a6b234af2b86a950c6c207d5cab

SHA512
39896a20651c42dbbcf2d53a1f76085209509fd83e9e23b5a0405752b8b4bd5165c78c64e90b2173d71afcdc114c613fb0b39a493556f07fc75c7eaf1c822b01

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
78KB

MD5
ccd874c6f1da52f0ec1e1361ffefc07d

SHA1
de918b473ddee0e1a9f15b5552788d64213628f0

SHA256
3a0da511ef634db0b254cca696c9d1714b1acbefcbf98ba213e90725e7deb71d

SHA512
8169066d2d49f019fcfd03d59556693a7e84bc4cf50fe52cc1ab3c607035f02c0caa13981b19bf9b96ab824e00653d36f9186b540a025ffa72117556e4d2882f

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
64KB

MD5
876b2a9a0133ade18e5c38ada62f4a61

SHA1
ac24846f39e80e902d7f452f7c6c2d7871663b89

SHA256
507f26cfca6c6ff75b5b6a19b81fc232c82caf2aa0b5bb20b70ad4dea58f460a

SHA512
6d73066279f0dd294ac59ec46e1fb39c55432787eabe6baac7582c387c9791ef2042e473d1879d20351bc3f8d13d0dddea6fd84b96cd4564401abfe77337d392

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
78KB

MD5
e7a595d063b30b7b9de41471722a5207

SHA1
f36e5d9db0b7e179072c13aabe053b31d3366799

SHA256
763a45fa0c86516c7c3fe0066eb157cc3bfd68abdc66d816aeb140f8ccc12f2c

SHA512
94e060a29a7da5a6d991ddbbb046a823afc8ee127786664c311ad9e1f3c67a038e7f6771e7a6f324417a14a0ad65c59a17e2cfad8c8c19172c1e32fdcd61fe5e

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
78KB

MD5
a7cfc50ca431a228ce8ed15523d775d9

SHA1
a26b90f50c831fe1e597e7f2deb20be86972caaa

SHA256
50ee3617b4547d887fba0eb5d96dee17455577f9942ff317aaa40ccfb42da3bc

SHA512
cdd1d09d67a27a6a091a9a29cc550427f9374374fe328103ced1c562081c4ad34be8ba22cd060c2cee29a324855f1c3950907465eb6aba7159c3c86e5eb9729a

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
78KB

MD5
e27ede99a75841c4a76724cf24482ead

SHA1
63789bcdaa737825fbaae57358d1e2a016c7edeb

SHA256
1eea5b0307447cd2f78d8c956a842667da342c27eda1c8a35cd6c37e8eee3048

SHA512
aab4e4862aadf5c6983a2f99288959b4108350d1262753425a944ba6710f431b89d2dfd83bc181160baeefc06259acf135fc952ce966443ef94c1fdaf672fc6e

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
78KB

MD5
8daaba3ae45cbec7f712b5deb70f0e5e

SHA1
2133ecfe3cb89ce076effeff7dce3030ca62ca29

SHA256
65800ce0c78b52ff696f3eca99667d3186c52cd4de0d14b89051262d6941a4c1

SHA512
2baf24110b52b275b5500fa64d8f744865d3c408e2bd0e0c222da1d65ade32c2e504572398ec08b198e51619457764d50f27a8f32bb267a9c53dc77858c30462

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
78KB

MD5
9b80f0efeee451884fe47641bc0a0196

SHA1
0e054de6c81abe78376ed3e07cf41fcc1ca19f27

SHA256
404b44b78958af99b8104352b905522116ce2ca25fabaa7c9b612ae332408311

SHA512
4a0f552b294641db47ed5686f999290955f4e46d7a707f889b6b6b6473d1f75902ec6f1702b161cfab782d12ceea9da75e8746c77c6f4c95b62daf3679d9ae8a

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
78KB

MD5
55ffb54063064238fa017cbadb7f184b

SHA1
f13c3bd05f655c7afba18d5d9fa8e9a7009f488e

SHA256
c341bf7aaec38f685a84deb39a64f2665c474b1b013f86c9b6ccc980eb3f3bcd

SHA512
d762aad7feaa013d24f62453d4baec8bbb6245c4c1350cc176f15b9b6ac330baf0fc63adb2bd7cf44cb534073e5b8184ac13180658989b12b6b3694c1bee8b09

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
78KB

MD5
11f0dca143b93116932b3e1efafa546c

SHA1
fe572b8a0c09d1e67c7ee861ed72849a2ce767a9

SHA256
0ead493e202b46da2726e9a0f9db8fe8ead220bea9184946c9c0b6ecfb225e3f

SHA512
71892a543efb072787adc109822664582bffd97460b4d25322be5a160216b1ffad55e92a9160e5a1278f3a12b2adf80434cf3921e0e417d4e0c09dcd5921e77e

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
78KB

MD5
941a514c0eae187fff154dd3e90907fc

SHA1
a138b6ba2fadeb2e64a1f164e7f3aa8efcb461c5

SHA256
6d55ab73834386d687f9a416012a208733cdd26c2bd5c47c2b138d02b699c6c6

SHA512
276be7db938c8bb6020e48643bf4850bcdaf173dd633ef854299735cb80a00d662dbf6f0d652f0479bada74d531b24b15140f6246106afe1e05d8f45e119f75a

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
78KB

MD5
b41d055d9accd12f9171225984b26edb

SHA1
f0ca07a54f8bb261522f80c7189f8802eab75cdd

SHA256
89b79fb4189ab79fdd2cd95de3551f32fa122e536286306699885a8c7aac41c0

SHA512
08aff25b6d072a965c0c642fccd2c127d558f379048cd4b7164e87600a60f5fb496407187be7388b405365869e00c4117396fcc8112e94c1fd3f5a59cae7621a

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
78KB

MD5
5b72a3ef91c286914732ac4a404c6187

SHA1
610776af8e5afedfbcfb30d495187c53a99f92d6

SHA256
6d15f3588f46ed3f8b920614977bb750c9f08bae80fddc719e47f4e0a38b26b8

SHA512
fccf91e41d7e6369cab413b341210ac81414c04177af04b871f1477eee65bb7f3eecf6857d878ab66e1e68106a6c71637119974cd150e0f71ec10307525ad949

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
78KB

MD5
bde52f19b3838f41b14c2de2167bf89f

SHA1
8401aa5f364359dbf6c12ad58bc757133e0588ae

SHA256
daab0d49e7ff004b80c2c2309a912c035bb638549d5f39172260ff89f85335e2

SHA512
8258f38e870023785c635d29f774ea2a12d49ca774a65a8d6db08cc6d35ceeec5e8c023fbeb6cfb48e59225624b2967edf994c9a860765ddab1865a93216393c

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
78KB

MD5
2d4b5eaf0be64e2721fa1571857c623f

SHA1
705d8af74d89b9c03f7a193467dad7bdddaa5fed

SHA256
c99ce138368a725f00cf86615d6305671d23a1298eb184f226b4cfb21a0f4faa

SHA512
c8058f6bff19cdbcf4130a9de3deba8389c58495118f3ff531645bf283641f2bca17c2239adc7aa3ac52905a6552cfe194e132d517d8235baa30aa8cc73da614

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
78KB

MD5
7e88b0ae3331ea2778c0963f62d0cc9a

SHA1
727eb8005c74bca6c64232a46055f6d67b197169

SHA256
2d36126bcafa3e3db7f954a979acb6a4548d3128ef9a4619ac8b7fbfa2996546

SHA512
45e72b14390031898ef1be0e0b78609a5af916ca060d4b6ffe0001f6bd9b61b3b9c9d7d0a8984f9a0b4b702a6d734b1f3c83b2e61acca6ab88288c1ad89b4f8f

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
78KB

MD5
71ed4a13652d5b032a1714d78a5ac09c

SHA1
6adc5f23c2ee090ccecd0926a2726edb4044fc9c

SHA256
9a66f9a7c8fe25a582984c46a0d5565472662b00aa0d511deda710be4039aae9

SHA512
0609dba634053d1ff52893530acdfd48c42b2bb328e716ca41ddeb8b037c0c04b95688935d01e8fa88c44647b478cb43c8ab36e724a22313578a8436e8faf83e

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
78KB

MD5
04aec54045864413f3e6f668cd51e64a

SHA1
d998c9efe175b72175e9ae033a344c37f8624064

SHA256
b173f80fe350204da41612eaf9b439d24a1afcb6346ceabf5d761e2972f4e082

SHA512
d349beac0dd46c14748a56bdad053c76b9b1135d0ca1a6ac3760bbe4eef46555d5788b4945a87ce0ee1d35d8d8b8f51df0da9023f45737ffc290d48660cc2851

Download Submit
C:\Windows\SysWOW64\Dmjocp32.exe

Filesize
78KB

MD5
4d268398db0ee1f135e232c1ec23c32d

SHA1
cb391042347af19903b0520d3356db9e86bee3e5

SHA256
486d090eca640b8dcec2a161dd4aa96b0b3757415d021fa9cf85e5fa4ed08e1b

SHA512
ad93f247626d3c5d277844934a0704819c2b71d2e6dcebd7276ba3a291da87708add6d9bd09d7ac4800bb1bf36f2ca1d84c26db637b225a5e333e2065f660f60

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
78KB

MD5
8396d50034fbeb2640ce4ccf485a9445

SHA1
3715aca09f803d4e0dd9b829fe93cc667dc703e7

SHA256
c5ccc96d2a97d58433590576dbecada3019cad8ac65f199e0578a13cb76265cc

SHA512
d58c8bb6db87652729cc92a2162424b2907d11715d687d14c595df4e18d1dd292936af92905c0021ae8dd8714d6420222aa057d498ec9114b264122db7dca7ca

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
78KB

MD5
dc49ffddaeaff4a26544f7aa41655aef

SHA1
bf0d6547da72d4db323a8a293a3dc6b68b6fbc53

SHA256
c50ad58c4eac2e6cfe89b822f467a36559435a05ed84819e2ca83e80c64f2eb3

SHA512
9c6387f2c11d564cee510fd188e593ff3a7424237537783a712afe6e3bd6944ca6d23af1669d69bdabbdebe98a3a7ca3674234ac3cd4ff2e171dc7258fce23fa

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
78KB

MD5
8c81b80fc092ff658e69fcbf55afb673

SHA1
c24500e19bd237a743541c0f861be69638c2896d

SHA256
8fbfbdf3a908ec19330551c624c69fb53aaf52f1db7dc6b77f1c309977cb7feb

SHA512
c79a094e18ca9503b794818a25608b27467193f25a3f9fa40749e7fdf078f59158cccc326792e63f34ec9006cb853bbb76d09441f9e85162dce1ab9016bcf728

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
78KB

MD5
52181d8566762ceea47b3aad6c0f5675

SHA1
b18ecfa41db984eb4ebebd040de4bea68a3707d9

SHA256
8fb32ee908172f2189deb3470a3a62e522815076f74d268bd5587e1b58cf539f

SHA512
2555a7a00485b2191dfa2956e9bd0aa7523ebf1393ec5d20cdd5227b198e9bf06f123d9570899c0336fd924a4f8b1b6670d476eaa1de99db24859ed901a258bb

Download Submit
memory/552-189-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/552-279-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/628-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/628-180-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/776-188-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/776-100-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1084-216-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1084-300-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1144-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1144-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1144-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1176-417-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1176-348-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1244-389-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1244-321-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1252-390-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1284-397-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1516-307-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1516-225-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1672-375-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1672-308-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1864-197-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1864-109-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1876-410-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1876-341-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2028-171-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2028-260-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2108-275-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2124-40-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2124-125-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2224-280-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2224-347-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2316-99-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2316-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2396-383-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2412-376-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2468-314-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2468-234-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2492-32-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2492-116-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2748-89-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2748-9-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2796-404-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2804-162-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2804-251-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2888-396-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2888-328-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2932-334-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2932-261-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2940-411-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3004-424-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3004-355-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3008-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3008-233-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3172-208-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3172-293-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3208-298-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3208-361-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3460-301-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3460-368-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3472-382-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3472-315-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3668-418-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3672-335-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3672-403-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3720-65-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3720-152-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3752-118-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3752-206-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3948-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3948-354-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3968-369-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4024-179-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4024-90-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4196-248-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4224-134-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4224-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4240-161-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4240-74-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4296-170-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4296-81-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4300-327-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4300-252-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4392-247-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4392-153-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4440-215-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4440-126-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4476-24-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4476-108-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4512-363-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4732-136-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4732-224-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4832-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4832-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4948-198-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4948-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads