53e482957bf384b9581b868bddda5c4fa51cc40f45dfd30517a4beb4b7d08764

Analysis

max time kernel
99s
max time network
114s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d6ca456cc5a86c8da5b1f70e251ab70N.exe
Size

55KB
MD5

7d6ca456cc5a86c8da5b1f70e251ab70
SHA1

b9b1fe6372344e6eb50ff4ad046c80b7d48ff054
SHA256

53e482957bf384b9581b868bddda5c4fa51cc40f45dfd30517a4beb4b7d08764
SHA512

ad3357353d4a3b236768777f720239d03fe08527e227071b93d39ad4b8f6f07c38fa88da809444731da82788c8d09be5dba12328c4873aaf3771f27d2f7bcd6d
SSDEEP

768:kyhaUzrc/hjkeg6hLskxJwOkJjHUWstTNSlX6tP3Euji2jBx24RN5GkY2p/1H54l:4wrkOeg6hskx2hZaNSlXYQgW4HY2LuL

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	7d6ca456cc5a86c8da5b1f70e251ab70N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe

Executes dropped EXE 64 IoCs

pid	Process
1640	Aeklkchg.exe
3212	Agjhgngj.exe
4032	Ajhddjfn.exe
2632	Amgapeea.exe
4448	Aeniabfd.exe
1248	Aglemn32.exe
3544	Afoeiklb.exe
4200	Anfmjhmd.exe
3000	Aepefb32.exe
2304	Agoabn32.exe
5020	Bfabnjjp.exe
828	Bnhjohkb.exe
2588	Bagflcje.exe
4640	Bcebhoii.exe
4908	Bfdodjhm.exe
4080	Bnkgeg32.exe
3236	Baicac32.exe
404	Bchomn32.exe
2932	Bffkij32.exe
1416	Bnmcjg32.exe
2504	Beglgani.exe
3664	Bgehcmmm.exe
448	Bgehcmmm.exe
1876	Bjddphlq.exe
4984	Bmbplc32.exe
3916	Beihma32.exe
2300	Bhhdil32.exe
4580	Bjfaeh32.exe
5108	Bmemac32.exe
4560	Bcoenmao.exe
3172	Chjaol32.exe
3056	Cjinkg32.exe
3284	Cabfga32.exe
4952	Cdabcm32.exe
376	Cfpnph32.exe
928	Cjkjpgfi.exe
2088	Cnffqf32.exe
1284	Caebma32.exe
3512	Cdcoim32.exe
3536	Cjmgfgdf.exe
1408	Cnicfe32.exe
2100	Cagobalc.exe
796	Ceckcp32.exe
1376	Chagok32.exe
3492	Cnkplejl.exe
3392	Cdhhdlid.exe
2396	Cffdpghg.exe
4116	Cmqmma32.exe
4436	Cegdnopg.exe
4248	Dfiafg32.exe
2344	Dopigd32.exe
1516	Dmcibama.exe
3360	Dejacond.exe
992	Dhhnpjmh.exe
3856	Djgjlelk.exe
4164	Dmefhako.exe
2424	Delnin32.exe
3472	Ddonekbl.exe
2524	Dkifae32.exe
860	Dmgbnq32.exe
4052	Deokon32.exe
3804	Dfpgffpm.exe
4932	Dogogcpo.exe
2840	Daekdooc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cagobalc.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Gdeahgnm.dll	7d6ca456cc5a86c8da5b1f70e251ab70N.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bfdodjhm.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Hjlena32.dll	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4836	5100	WerFault.exe	153

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7d6ca456cc5a86c8da5b1f70e251ab70N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	7d6ca456cc5a86c8da5b1f70e251ab70N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	7d6ca456cc5a86c8da5b1f70e251ab70N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblnkg32.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cjkjpgfi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 1640	2256	7d6ca456cc5a86c8da5b1f70e251ab70N.exe	84
PID 2256 wrote to memory of 1640	2256	7d6ca456cc5a86c8da5b1f70e251ab70N.exe	84
PID 2256 wrote to memory of 1640	2256	7d6ca456cc5a86c8da5b1f70e251ab70N.exe	84
PID 1640 wrote to memory of 3212	1640	Aeklkchg.exe	85
PID 1640 wrote to memory of 3212	1640	Aeklkchg.exe	85
PID 1640 wrote to memory of 3212	1640	Aeklkchg.exe	85
PID 3212 wrote to memory of 4032	3212	Agjhgngj.exe	86
PID 3212 wrote to memory of 4032	3212	Agjhgngj.exe	86
PID 3212 wrote to memory of 4032	3212	Agjhgngj.exe	86
PID 4032 wrote to memory of 2632	4032	Ajhddjfn.exe	87
PID 4032 wrote to memory of 2632	4032	Ajhddjfn.exe	87
PID 4032 wrote to memory of 2632	4032	Ajhddjfn.exe	87
PID 2632 wrote to memory of 4448	2632	Amgapeea.exe	88
PID 2632 wrote to memory of 4448	2632	Amgapeea.exe	88
PID 2632 wrote to memory of 4448	2632	Amgapeea.exe	88
PID 4448 wrote to memory of 1248	4448	Aeniabfd.exe	89
PID 4448 wrote to memory of 1248	4448	Aeniabfd.exe	89
PID 4448 wrote to memory of 1248	4448	Aeniabfd.exe	89
PID 1248 wrote to memory of 3544	1248	Aglemn32.exe	90
PID 1248 wrote to memory of 3544	1248	Aglemn32.exe	90
PID 1248 wrote to memory of 3544	1248	Aglemn32.exe	90
PID 3544 wrote to memory of 4200	3544	Afoeiklb.exe	91
PID 3544 wrote to memory of 4200	3544	Afoeiklb.exe	91
PID 3544 wrote to memory of 4200	3544	Afoeiklb.exe	91
PID 4200 wrote to memory of 3000	4200	Anfmjhmd.exe	92
PID 4200 wrote to memory of 3000	4200	Anfmjhmd.exe	92
PID 4200 wrote to memory of 3000	4200	Anfmjhmd.exe	92
PID 3000 wrote to memory of 2304	3000	Aepefb32.exe	93
PID 3000 wrote to memory of 2304	3000	Aepefb32.exe	93
PID 3000 wrote to memory of 2304	3000	Aepefb32.exe	93
PID 2304 wrote to memory of 5020	2304	Agoabn32.exe	94
PID 2304 wrote to memory of 5020	2304	Agoabn32.exe	94
PID 2304 wrote to memory of 5020	2304	Agoabn32.exe	94
PID 5020 wrote to memory of 828	5020	Bfabnjjp.exe	95
PID 5020 wrote to memory of 828	5020	Bfabnjjp.exe	95
PID 5020 wrote to memory of 828	5020	Bfabnjjp.exe	95
PID 828 wrote to memory of 2588	828	Bnhjohkb.exe	96
PID 828 wrote to memory of 2588	828	Bnhjohkb.exe	96
PID 828 wrote to memory of 2588	828	Bnhjohkb.exe	96
PID 2588 wrote to memory of 4640	2588	Bagflcje.exe	97
PID 2588 wrote to memory of 4640	2588	Bagflcje.exe	97
PID 2588 wrote to memory of 4640	2588	Bagflcje.exe	97
PID 4640 wrote to memory of 4908	4640	Bcebhoii.exe	98
PID 4640 wrote to memory of 4908	4640	Bcebhoii.exe	98
PID 4640 wrote to memory of 4908	4640	Bcebhoii.exe	98
PID 4908 wrote to memory of 4080	4908	Bfdodjhm.exe	99
PID 4908 wrote to memory of 4080	4908	Bfdodjhm.exe	99
PID 4908 wrote to memory of 4080	4908	Bfdodjhm.exe	99
PID 4080 wrote to memory of 3236	4080	Bnkgeg32.exe	100
PID 4080 wrote to memory of 3236	4080	Bnkgeg32.exe	100
PID 4080 wrote to memory of 3236	4080	Bnkgeg32.exe	100
PID 3236 wrote to memory of 404	3236	Baicac32.exe	102
PID 3236 wrote to memory of 404	3236	Baicac32.exe	102
PID 3236 wrote to memory of 404	3236	Baicac32.exe	102
PID 404 wrote to memory of 2932	404	Bchomn32.exe	103
PID 404 wrote to memory of 2932	404	Bchomn32.exe	103
PID 404 wrote to memory of 2932	404	Bchomn32.exe	103
PID 2932 wrote to memory of 1416	2932	Bffkij32.exe	104
PID 2932 wrote to memory of 1416	2932	Bffkij32.exe	104
PID 2932 wrote to memory of 1416	2932	Bffkij32.exe	104
PID 1416 wrote to memory of 2504	1416	Bnmcjg32.exe	105
PID 1416 wrote to memory of 2504	1416	Bnmcjg32.exe	105
PID 1416 wrote to memory of 2504	1416	Bnmcjg32.exe	105
PID 2504 wrote to memory of 3664	2504	Beglgani.exe	107

C:\Users\Admin\AppData\Local\Temp\7d6ca456cc5a86c8da5b1f70e251ab70N.exe
"C:\Users\Admin\AppData\Local\Temp\7d6ca456cc5a86c8da5b1f70e251ab70N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\SysWOW64\Aeklkchg.exe
  C:\Windows\system32\Aeklkchg.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Windows\SysWOW64\Agjhgngj.exe
    C:\Windows\system32\Agjhgngj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3212
  - - C:\Windows\SysWOW64\Ajhddjfn.exe
      C:\Windows\system32\Ajhddjfn.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4032
    - - C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2632
      - C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3544
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4200
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:828
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4640
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4080
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3236
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:448
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3916
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3172
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3284
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4952
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:376
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:928
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2088
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1284
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3512
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1408
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2100
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:796
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1376
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3492
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3392
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4116
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4248
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2344
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        53⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3360
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:992
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3856
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        57⤵
        Executes dropped EXE
        
        PID:4164
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3472
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4052
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3804
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2840
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 228
        69⤵
        Program crash
        
        PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5100 -ip 5100
1⤵
PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
55KB

MD5
541c8f849e7929ce218dd64f0ba82583

SHA1
ebf2e69d8afbc4d83cc4a39ce6bf526760e32782

SHA256
9eec24388e210d011d26e3fb9e114533f417be966b8c1041f8fcbd28e5c51374

SHA512
f8965f34dbaa87848df5b891d3e6e38ddb1983b599788ef51a423fed26675e8e0c9527e94b57af26fa6b0e05721d1a6dce1a5a9511cb9b0a5b56038b8fba436b

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
55KB

MD5
a26777931312be80c5df753ac5c80b9f

SHA1
6018bee5f99e246eedd61f771a4b33ee7b995a9d

SHA256
21614d50195c4a0fb5d64ff58ce6faa9478ce678fa2e8bad4141ac14f3908aab

SHA512
87969783478c14b853dee3bc91d8ef650fd33c08eb5591d26d9b472e5003435ee6b3936c66df09d12960c5df625a5045adc2a42dafd9c88381d357b07e886c04

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
55KB

MD5
4a9a254f50a3c39583dfd521af6971d9

SHA1
ba17cec20d3350e872d3d2c252e6389325dc870a

SHA256
80f30939954daf58873243617326b4c00fc72e262fe43dc7df157b9239ed2bf6

SHA512
1dc4ffed1644d31606ca9189c35e23566a5b3b02f48d23db20d8b894a8370fe9198fd8be0a20e1a197909a62df9c11697ce25ae8f0619bf8e6e6fdac043ebb64

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
55KB

MD5
c0107ab381fe789572a30572beaa4b1a

SHA1
d1c67ca6db937b9d4cd2540840a046000bdccbcd

SHA256
22af3acdd36350cba250f2c15e443deee12eaeae87cfd33f8f1d3dac41afbff9

SHA512
dc1b52fd4c66f597b7f3da401735bc433230688df330209f5ee864eca39150b37cde01bf1f6e1bc4e1e90ef94f83fc259f879f2685de3039ef26de878e50a780

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
55KB

MD5
5da66146fda358c183e7f7517d9d8f46

SHA1
5d3a8d160b75e5d48a4e816b53453a122ee52b5b

SHA256
160a94773aab0d3e340d8f5d4a7ab86ceb53722cc930453e1c7a5097f41686f6

SHA512
e5fc2df012018cf0a0dab24edc5fb2c3c16b4febadb5ae00836fab427b47799c2d1f3439d36556a07277594d41900ea412c902404a787ea16299f2dd727af82f

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
55KB

MD5
cdba7fde7e51e205f8d19c3c86d63da0

SHA1
a834d61f844de69f6e129de75dc96ad6bcfdc94b

SHA256
da46558eb8ab64139ea97451313e4f28e1b34e384eda476d530a41887085238e

SHA512
c4cb0e4634848c9a2348414b4711b01d58d2052ed2ff4afa1538330d1c2d1b00985ddcf25887125e138201ceda8da9f6897a4bfbeb0369e6b165e2a8ca7c521b

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
55KB

MD5
05e8da8148263b3757faec854f897738

SHA1
8badca43deb014c3043b4e6140da2d0b4ccfb645

SHA256
6bafb34ae663de711891c661082b874428f82fdb80fba2e808ab36db7c4bdc70

SHA512
3811f23e920aeaf695aca576091fe59d06c805f8e457661adfd35c15b35fe79d3a071a9698f93233354994f8cba5c42fee07b38ae38d97cf5666aa086b057988

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
55KB

MD5
473646ddef46b8069af055d67c037735

SHA1
375d7c67cadf08fd02ba235be7374abe0e71ecbb

SHA256
99f9da840af2cf7fcf13a33719367155782d5ad51bc17ac44384fe0f0770389a

SHA512
bcccf24661a2648c10e96bb3656338de85b3d16f5d00bb710b26469b5260ed447fa5fdc5850b77d059e22a62d6c2c1dd37a33f8716129ca89b9c2d3a29105479

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
55KB

MD5
33b1faba17c827ae7b219bcca719af89

SHA1
973d5898b007929c5a164b26b4af47940eede920

SHA256
331c7817dd354aef2bf8a67fa1d4709d5bad56f905ca726c32e84240a6fb11a8

SHA512
eaae83341daf6cc91de4bf6677f8e69cadd207898665416e82d1f4d2e919db0af50c43ac2e0bb8a8487e0a02e43107ada49dd99eebd9db603155ceb2cc7b204f

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
55KB

MD5
9c7ec7bca0031739eb8299eebcad6b51

SHA1
37d4734bff5eb218b3c522ba5717dfd31b6c0d6e

SHA256
5103093d2f93faa75e203329994775fad4ff89c984b266de8a380deca15e8a01

SHA512
584831f0120ac6f3fa602581504952fddfef98b12db1094d81f39a48f0c0e789ae51c56227ff98c38dfb183e278e13f4e6b40fab0604d5f36fbdcdc1f0b7b8f8

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
55KB

MD5
03dbcb067b24362c167f710bacd7e837

SHA1
90c51907678a6beb617d8e6448a89901f1c8be73

SHA256
9bc3806529660b8c398d3e6c137c89a3ec68e6fd5a51db1ac46bcea31bd29088

SHA512
8f0dc36e434025931c3fb996597a1778cf8ebc7d46f49463f5fac1c56a1a8096c9abebdcd60c540fe2c388e87e2b36fc01b3b8cb47e54274b01deec2037388fa

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
55KB

MD5
d392978cf4c3f64fe6d7a11e9803490b

SHA1
a933f821529b9fbf3cfaf2954ef5854484a23c53

SHA256
e2594321356e5c60ba8da61ee52ea4ae9b63d1522bccf258e433e5082ba91f79

SHA512
5f6d42e4c93150bbdc95c27890ea8e050167dc112ee7ea49f6779df775bfe9cdbed43cc8df4b94fdf52e2d425f1392917a3f09c42c08c075e9b98c4c0de04973

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
55KB

MD5
b11dcccbb3a23e991b438170fc3f5365

SHA1
aee8d8e402ae057110d655e2e1c3f56b1abc2da4

SHA256
56f2562de43865dd0ca52654acb5140bc86b735c0ccfb77a49fd092f7313533f

SHA512
c819d728f31e385f0c0afc87d90f53fc0f759fe026774f8c134007e8089baf02780d73c32692195dd8d83192948219e89196661b7f3da825409fa18d1bc1b41d

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
55KB

MD5
c238f9bde07644a7778190fe8502c726

SHA1
d882f246c4b808138b6ce680106126025d3d5cd2

SHA256
0bcf5d61d429011cfb01c60a1a719858cc46d75033c91a7156471000d68f2ddd

SHA512
e2d6229c82eeed1298f532fb69a7f47f51a12460a80664a5e330a861ef07626269b205eea2ea8805cb62f0790b28d7f1fcc842571f03cd891bbffad638fd1538

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
55KB

MD5
0cee829790e6c29f2b8af43011d04297

SHA1
9e387d18aacb2c383080e2025aded5a68ae6fe0e

SHA256
157b688b750ac0cb497890da815027193be684bf239f6a83685a1078b7399aaf

SHA512
08901fcc9da0a0703caa199ca61e31dc23a65dd5b2710ada748f4f54dd6505c21d1bb646521861bca1e42bc466ad09e8bc67e0f282aff4092f4534f7140ae2c1

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
55KB

MD5
491bcf542204617ab541c796f7fefd87

SHA1
31b4cfda0a8cacf2bd1e13d193a0ff82cd46f2ba

SHA256
bf25eb4b9f50b73d5c4b5df1ffcdbe37523ab5e7fa1e070e3ca51eeabd0fa150

SHA512
51391421539fd758f92c3bc068681cf66dc9de3f58b8a2c3fc9f25d0cb15417a2dd6527382aadb1d5411b434fc96b8013c614eae5a3b22b44f7652940d4c5e4f

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
55KB

MD5
401810d02f93dd1d8379e4f275bc5631

SHA1
b3acad48d720dc280b85ee4f5a55e3c67be2d967

SHA256
3ff3ee2ce994c74e219a7acef2f2129d260d9d94774db0862c21e0278d35c617

SHA512
de57177840ba08247ce439a35b29c17a0937e5d7f65b881a5eea7371908e1fe24fc1374a9b31800f90635cb8430da45312d3dae2244bb4cca22142f49dc8d250

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
55KB

MD5
26a7c19cb0f57909d23fc8eebfb10fb4

SHA1
974276e9c3c78ed18fdddd77af9ac307ff991a5b

SHA256
7f0e2cbc17e8c2c849cf19c55d80f663ea5874627151f06e6e994b11f0d1900e

SHA512
b3a69b88b48e8663484d8949726a84794167d094ac1aecd95ee1103556d9c70e3c565fbd6bd6f85851564d23b597ffc94f74384d2c94694e23a88763da48498d

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
55KB

MD5
7237182842d04bb7a110a1aa6523c62a

SHA1
5a91285a89cd662d475865752acbea6fdbc3f18c

SHA256
118ac845e33e3b0aed744c419acab121ce59123fd72ad166ad70ac81887c20be

SHA512
6fbeba7b6e1c79aeef581e428163f588a1219f72a5f10bb1850de4116d00776074e62b14095d27ac73c965090f11fec7d77d2aed5ec05180f867ec1469738df0

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
55KB

MD5
933f01f9af279aef93f6f1310a341896

SHA1
accf518745c4a7111fa9eccfa51bbab6a9f05931

SHA256
f3dc287c77fba7846c74bc92201d1b50142227bee4bb274145ee1ebd884a0b30

SHA512
3af0a9dc7ed682fd0a9725e084694cc14f81a279525bc64e3b01b40aba0ce8419f1b1e0288a0dd5a6207a4b5f5771174b374917f093befb1805963b490fa1631

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
55KB

MD5
8e4cd75c62a90a56961c8ba6c7ecf828

SHA1
504ce1d69444d74558b8d7fef0bfdfb73a77b36f

SHA256
e216c34328c3a3fd5ab9f8cd747bb2a08bdd534483a7f8033df90dfa58071f3b

SHA512
83b808b51ce52d230c0f0389a6f7e8b2b26824b57bf582016e1a70794f00694c6d8779a0fb518a27e2c982c8635d622e0cc36e7cd1a6a54cf496447cf2bd9ad1

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
55KB

MD5
fd163691fcd02f90d8cc64fa406c6593

SHA1
2ca542b72cc31624207a4dad3b679f91db95871f

SHA256
f0e73205783357f3548fbad5c1b5b1e1580b3bf6af7bbc7e8fe423685d25ead7

SHA512
e90e8800a4f38900d977f7cb8eee0d4c9a2fd7d59d63573f9dacfb418733c44edc4c86c895d663c0205675fd9e7a2f81e88841c34631fa821f6079dfa7ad4a95

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
55KB

MD5
e628aac4872741e4ecbf42c4a5dc9dd1

SHA1
1a9568f16bee11f9423db4e5a65c31e3d7292d5a

SHA256
f7c68a9d945533a021f091d10e9379b5de42851d04dccc4bb46def378f23a313

SHA512
8086bb99e6325406da0d7b4b0ba497e007827267a9d76fe4895b3c505af4750e6fcc70800bf2ad6fcfbf06325e726e4d93374a1a52740b1d139e3500b06ca3da

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
55KB

MD5
bb148977266e7f282f38356632e9e1d4

SHA1
120cb898f1ad1310d47c6e216dfb17f30d19eedc

SHA256
dc26fa1f8ab69673bd12e193f5580411682c73ad5a3521dc9f43bf95b1e48083

SHA512
53c5e577e1490780b585babbafb72657f10494a0411a99173e2742ceaf9a579a598a92018222dbb5303302a35da76d82d534bf0b7a63a490d853798fd5010c3a

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
55KB

MD5
22e2e89f52ca48494e2783ed09f9688c

SHA1
d7cee416a4e7e648cbb749780115297f39dd7789

SHA256
25dc737fe91a75c45ec4f5d541665bdd1a4bd8d848285aeee3965fc7c5240dc2

SHA512
85cb661dc92c4c8abb57867fff6f322428e3be3d247f6dd4592a4603e44268239184ef3394235c51fe30581e2da7912536c0db33f446d3e09ae8eaa5a23250b4

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
55KB

MD5
707dbfa183902652e18d89529e118f1d

SHA1
34b5912a5dd4cf2224bf496df090d4b7baedc46d

SHA256
037e78e5f1ef5fb0f61f7503eba651432dc0992c920dd434ae4eda5b80323b25

SHA512
6a2fe040433f833d638719787b31e6b7b662e6b34ffc42cea888e25afa6acc4f2c2cc7144e455da9390649b169071c5e0949a8ec64a5c6baa60ece078eb7837c

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
55KB

MD5
dc8b4b16e888146af8cbe81011aca02c

SHA1
14267fc4645d4d29793cf89a09d54eb9d6c9cb24

SHA256
1c775c4cb35aa15f38d0cd929ae782d5ef2ccf5cc3d4a47588af4cd3efed0d0d

SHA512
f6bcaee2f1a2fbc792539e84073e757f91d4abb613134e485e8c80825d0733b3bf4e47b33577c0b7051747898cd22ed178bf59c927ad0d2643ac8d1a37e5988b

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
55KB

MD5
14607cbd74b0eaaed3164348267fb0b2

SHA1
ecce631a85087013f6377a97116dcfe530922abe

SHA256
ef479b7b57751b434991b556b92dbdeffa6aaa32f0088b58990571b52d87ccba

SHA512
04c9b9f69ca889d8022fa72d8e52c6975a9a66846fd6da75ea5d27fb50b01ff4c3f3b4b88ee2f1cc9cd7afbede18eb4c9de660ed0d9bc232fe82ef71481f05a6

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
55KB

MD5
069a76c4c1a62395e6433d78b7644b2b

SHA1
c72d28cd1837607b896b609cda1b52466282ce3b

SHA256
09cd8a865b92047d2b5e8191c494907e1f97acd551f05c13f2dcf77dc0fa14ea

SHA512
99502024ada372b83c133b90d48708f58edb41cb22d9ef0ee007e8ccbd692a3299ad7d04cf28737048681967126e3508ec1d9c149f7321f468a7e212f745a147

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
55KB

MD5
7a095959d8cb273de485301946f2f2f0

SHA1
a4b53d27867f776043b3ecf1cb27c269875a5769

SHA256
bd44df202f81e0ea53b482b1ddfb511f869f000dbd440185fa70c69d4fcdf0b5

SHA512
1f55537d1b4face280b0fb1417ac9140347f50e2c56616742977453f1f4a609c95b401a25912c9faba47cef037f12e6d966e28a37c1cb74989e2dd5248d08430

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
55KB

MD5
4d060295c39a480727fd231cb8ecbbc3

SHA1
4746d392a3bc7ed1ad21304f7a15411c55243bec

SHA256
c7b1b7e62be307ee045ac31a0ada2b4ddc3eea28640c37b22629f8a312a72e34

SHA512
0c201fbd26a91be3c80e0c7f8642c061cb08c21a47209bcbc9f4a87cb7f05e131d3a658298025cfbe6d077b465263e7f4bcbb04e7acd44bfc3b088e1b212efaf

Download Submit
C:\Windows\SysWOW64\Dfiafg32.exe

Filesize
55KB

MD5
4d349cd6eed077d504c5233c8607479e

SHA1
b163013c1c1322fe50c19035467ad2807fc590fb

SHA256
631ccd6399a19482a336d6267c4f8c4bd817ba554c42c064fe26b5e146b78974

SHA512
567fa85aadd8db60ea52b69a7c463e097a14d866c2aa5288f61987bc13fe4db1526a37401d2472bed0e0a175e3f1d0b738a39faefd2dc78454c9e9175482cb3c

Download Submit
C:\Windows\SysWOW64\Ebdijfii.dll

Filesize
6KB

MD5
5262c893432ca6a1f8280b63c50021a1

SHA1
d2940a056089c7cddc20401b7c81e535aebfca43

SHA256
94b11db532534449484f6c9156aabfaadf24cc8e079dfb1b4d75e5417bbf596f

SHA512
9a1f7c56385178962342e5048eb4fc4e4c8fbff333fe9bfe0be5e50335967f2e122b71e8da5466e9cc449a1d30f3726e38206e5fd52e2eceede88b9b59b99ea9

Download Submit
memory/376-271-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/404-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/448-181-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/796-319-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/796-511-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/828-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/860-481-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/860-421-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/928-277-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/992-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/992-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-468-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-451-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1248-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1284-289-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1376-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1376-325-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1408-307-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1408-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1416-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-373-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1516-494-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1640-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1876-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2088-283-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2100-513-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2100-313-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2256-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2300-212-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2304-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-496-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-367-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2396-504-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2396-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-484-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2424-403-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2504-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-415-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2588-105-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2840-445-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2840-470-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2932-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3000-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3056-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3172-244-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3212-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3236-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3284-259-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3360-492-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3360-379-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3392-337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3392-506-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3472-482-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3472-409-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3492-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3512-519-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3512-295-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3536-517-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3536-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3544-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3664-179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3804-433-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3804-474-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3856-391-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3856-488-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3916-204-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4032-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4052-427-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4052-476-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4080-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4116-502-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4116-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4164-486-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4164-397-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4200-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4248-361-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4248-498-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4344-457-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4344-466-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4436-500-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4448-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4560-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4580-220-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4640-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4908-120-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-439-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4932-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4952-265-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4984-196-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5020-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-463-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5100-464-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5108-228-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads