58efcef5140d124f32171eafa527109bc9f3e0b6f7edf31d2f2d420cec915ebc

Analysis

max time kernel
136s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28-08-2024 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58efcef5140d124f32171eafa527109bc9f3e0b6f7edf31d2f2d420cec915ebc.exe
Size

89KB
MD5

6f7b8f01ee508b6c8c5397fa7a6803c5
SHA1

6de0a3f798521b2b243cebd6415338e39cc05037
SHA256

58efcef5140d124f32171eafa527109bc9f3e0b6f7edf31d2f2d420cec915ebc
SHA512

ca6ffcbf8859171e90f04439e123583da30a5238ca17626422595107cc9b8a33953dea9343f43750f13d2fe8931ce155fef03d788c4cc5a99edd68eb22235759
SSDEEP

1536:azNwXf5sTzhXNS1kp4RWRxp54ybZrqOeKuARU19EzcElExkg8F:4DXNS12M4xPBblqOuEzcElakgw

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	58efcef5140d124f32171eafa527109bc9f3e0b6f7edf31d2f2d420cec915ebc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	58efcef5140d124f32171eafa527109bc9f3e0b6f7edf31d2f2d420cec915ebc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe

Executes dropped EXE 61 IoCs

pid	Process
2412	Ajhddjfn.exe
3708	Amgapeea.exe
1896	Aeniabfd.exe
3504	Afoeiklb.exe
3380	Anfmjhmd.exe
3048	Aadifclh.exe
1068	Accfbokl.exe
4048	Bfabnjjp.exe
3856	Bnhjohkb.exe
4104	Bagflcje.exe
2236	Bcebhoii.exe
3924	Bjokdipf.exe
3400	Bmngqdpj.exe
4180	Beeoaapl.exe
816	Bffkij32.exe
3960	Bjagjhnc.exe
1328	Bmpcfdmg.exe
2400	Bcjlcn32.exe
4516	Bgehcmmm.exe
948	Bnpppgdj.exe
4228	Beihma32.exe
4564	Bhhdil32.exe
1636	Bjfaeh32.exe
2192	Bapiabak.exe
540	Belebq32.exe
2736	Cfmajipb.exe
1240	Cmgjgcgo.exe
2264	Cenahpha.exe
3000	Cfpnph32.exe
2116	Cnffqf32.exe
3660	Ceqnmpfo.exe
1508	Chokikeb.exe
4536	Cfbkeh32.exe
1596	Cnicfe32.exe
3908	Cagobalc.exe
4860	Cdfkolkf.exe
3648	Cfdhkhjj.exe
5012	Cjpckf32.exe
1272	Cmnpgb32.exe
2176	Ceehho32.exe
1400	Chcddk32.exe
2900	Cjbpaf32.exe
4004	Calhnpgn.exe
1812	Ddjejl32.exe
1072	Djdmffnn.exe
3148	Dmcibama.exe
3156	Ddmaok32.exe
3728	Dhhnpjmh.exe
5016	Dobfld32.exe
4472	Dmefhako.exe
3488	Delnin32.exe
3508	Dhkjej32.exe
4856	Dfnjafap.exe
3448	Dodbbdbb.exe
3672	Deokon32.exe
1564	Dhmgki32.exe
2420	Dkkcge32.exe
2832	Dmjocp32.exe
1716	Dddhpjof.exe
4268	Dgbdlf32.exe
4600	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	58efcef5140d124f32171eafa527109bc9f3e0b6f7edf31d2f2d420cec915ebc.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Aadifclh.exe	Anfmjhmd.exe
File opened for modification	C:\Windows\SysWOW64\Bcjlcn32.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Bjokdipf.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Accfbokl.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Aeniabfd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4572	4600	WerFault.exe	149

System Location Discovery: System Language Discovery 1 TTPs 63 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	58efcef5140d124f32171eafa527109bc9f3e0b6f7edf31d2f2d420cec915ebc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	58efcef5140d124f32171eafa527109bc9f3e0b6f7edf31d2f2d420cec915ebc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	58efcef5140d124f32171eafa527109bc9f3e0b6f7edf31d2f2d420cec915ebc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cmnpgb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 404 wrote to memory of 2412	404	58efcef5140d124f32171eafa527109bc9f3e0b6f7edf31d2f2d420cec915ebc.exe	84
PID 404 wrote to memory of 2412	404	58efcef5140d124f32171eafa527109bc9f3e0b6f7edf31d2f2d420cec915ebc.exe	84
PID 404 wrote to memory of 2412	404	58efcef5140d124f32171eafa527109bc9f3e0b6f7edf31d2f2d420cec915ebc.exe	84
PID 2412 wrote to memory of 3708	2412	Ajhddjfn.exe	85
PID 2412 wrote to memory of 3708	2412	Ajhddjfn.exe	85
PID 2412 wrote to memory of 3708	2412	Ajhddjfn.exe	85
PID 3708 wrote to memory of 1896	3708	Amgapeea.exe	86
PID 3708 wrote to memory of 1896	3708	Amgapeea.exe	86
PID 3708 wrote to memory of 1896	3708	Amgapeea.exe	86
PID 1896 wrote to memory of 3504	1896	Aeniabfd.exe	87
PID 1896 wrote to memory of 3504	1896	Aeniabfd.exe	87
PID 1896 wrote to memory of 3504	1896	Aeniabfd.exe	87
PID 3504 wrote to memory of 3380	3504	Afoeiklb.exe	88
PID 3504 wrote to memory of 3380	3504	Afoeiklb.exe	88
PID 3504 wrote to memory of 3380	3504	Afoeiklb.exe	88
PID 3380 wrote to memory of 3048	3380	Anfmjhmd.exe	89
PID 3380 wrote to memory of 3048	3380	Anfmjhmd.exe	89
PID 3380 wrote to memory of 3048	3380	Anfmjhmd.exe	89
PID 3048 wrote to memory of 1068	3048	Aadifclh.exe	90
PID 3048 wrote to memory of 1068	3048	Aadifclh.exe	90
PID 3048 wrote to memory of 1068	3048	Aadifclh.exe	90
PID 1068 wrote to memory of 4048	1068	Accfbokl.exe	91
PID 1068 wrote to memory of 4048	1068	Accfbokl.exe	91
PID 1068 wrote to memory of 4048	1068	Accfbokl.exe	91
PID 4048 wrote to memory of 3856	4048	Bfabnjjp.exe	92
PID 4048 wrote to memory of 3856	4048	Bfabnjjp.exe	92
PID 4048 wrote to memory of 3856	4048	Bfabnjjp.exe	92
PID 3856 wrote to memory of 4104	3856	Bnhjohkb.exe	93
PID 3856 wrote to memory of 4104	3856	Bnhjohkb.exe	93
PID 3856 wrote to memory of 4104	3856	Bnhjohkb.exe	93
PID 4104 wrote to memory of 2236	4104	Bagflcje.exe	94
PID 4104 wrote to memory of 2236	4104	Bagflcje.exe	94
PID 4104 wrote to memory of 2236	4104	Bagflcje.exe	94
PID 2236 wrote to memory of 3924	2236	Bcebhoii.exe	96
PID 2236 wrote to memory of 3924	2236	Bcebhoii.exe	96
PID 2236 wrote to memory of 3924	2236	Bcebhoii.exe	96
PID 3924 wrote to memory of 3400	3924	Bjokdipf.exe	97
PID 3924 wrote to memory of 3400	3924	Bjokdipf.exe	97
PID 3924 wrote to memory of 3400	3924	Bjokdipf.exe	97
PID 3400 wrote to memory of 4180	3400	Bmngqdpj.exe	98
PID 3400 wrote to memory of 4180	3400	Bmngqdpj.exe	98
PID 3400 wrote to memory of 4180	3400	Bmngqdpj.exe	98
PID 4180 wrote to memory of 816	4180	Beeoaapl.exe	99
PID 4180 wrote to memory of 816	4180	Beeoaapl.exe	99
PID 4180 wrote to memory of 816	4180	Beeoaapl.exe	99
PID 816 wrote to memory of 3960	816	Bffkij32.exe	100
PID 816 wrote to memory of 3960	816	Bffkij32.exe	100
PID 816 wrote to memory of 3960	816	Bffkij32.exe	100
PID 3960 wrote to memory of 1328	3960	Bjagjhnc.exe	103
PID 3960 wrote to memory of 1328	3960	Bjagjhnc.exe	103
PID 3960 wrote to memory of 1328	3960	Bjagjhnc.exe	103
PID 1328 wrote to memory of 2400	1328	Bmpcfdmg.exe	104
PID 1328 wrote to memory of 2400	1328	Bmpcfdmg.exe	104
PID 1328 wrote to memory of 2400	1328	Bmpcfdmg.exe	104
PID 2400 wrote to memory of 4516	2400	Bcjlcn32.exe	105
PID 2400 wrote to memory of 4516	2400	Bcjlcn32.exe	105
PID 2400 wrote to memory of 4516	2400	Bcjlcn32.exe	105
PID 4516 wrote to memory of 948	4516	Bgehcmmm.exe	106
PID 4516 wrote to memory of 948	4516	Bgehcmmm.exe	106
PID 4516 wrote to memory of 948	4516	Bgehcmmm.exe	106
PID 948 wrote to memory of 4228	948	Bnpppgdj.exe	107
PID 948 wrote to memory of 4228	948	Bnpppgdj.exe	107
PID 948 wrote to memory of 4228	948	Bnpppgdj.exe	107
PID 4228 wrote to memory of 4564	4228	Beihma32.exe	109

C:\Users\Admin\AppData\Local\Temp\58efcef5140d124f32171eafa527109bc9f3e0b6f7edf31d2f2d420cec915ebc.exe
"C:\Users\Admin\AppData\Local\Temp\58efcef5140d124f32171eafa527109bc9f3e0b6f7edf31d2f2d420cec915ebc.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:404
- C:\Windows\SysWOW64\Ajhddjfn.exe
  C:\Windows\system32\Ajhddjfn.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\SysWOW64\Amgapeea.exe
    C:\Windows\system32\Amgapeea.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3708
  - - C:\Windows\SysWOW64\Aeniabfd.exe
      C:\Windows\system32\Aeniabfd.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1896
    - - C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3504
      - C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3856
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2236
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4180
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:816
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:948
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2736
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        28⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1304
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1240
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2116
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3660
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3908
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4860
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3648
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1272
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1400
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4004
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1812
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1072
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3148
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3156
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3728
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5016
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4472
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3488
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3508
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3448
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3672
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2420
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4600
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 408
        64⤵
        Program crash
        
        PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4600 -ip 4600
1⤵
PID:4324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
89KB

MD5
0959770c4a422bd1e2f3f3af2f542437

SHA1
3238cfd115076de24580ccfd2a46e74db9991c0f

SHA256
5ec0421ac1560b303ae141769c0531f72215e50b5705fd9c99ab4e04b4bcc12c

SHA512
0b6667b401ceaa7ed8a63bce51f62ad8ba18e6fd816a3c8d87ab6c06999cbd044da633013e79af46467c8b62790b908a9755ed7fe0b01a7b194e03eb8d685e6f

Download Submit
C:\Windows\SysWOW64\Accfbokl.exe

Filesize
89KB

MD5
85a6444465fc59273a0f286c50a6710e

SHA1
1caf96a4a6c328dae9ea082e86508f06f08f2b83

SHA256
1a86a66e90fa0c173be0330e11151cef6ed973a664a39f8b81c1de184a1f3fc2

SHA512
7a0480046e16c484b7ea02c335b9b5dd24b0176d7428d364f8abffa967e5fd935f5e86c518a9455b7929b84f981be3b7678a7720f0b125d7a82ff5c746c7da18

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
89KB

MD5
e95fbd6b77056cba013a352eb0846858

SHA1
37e663c87000102dfc5cc23dd856242858e3d17f

SHA256
673146de98329951a6ce605053b94550debfc6401bc157e890d75dbbcaa20dfb

SHA512
279fd64120525bc8d0f0d5c46664b4f608cb45ec30bb535ac29b0c261d5e60a5c6a148ba09876fac780525690c2b954d9ff53fad53a184db164367fa5c81744d

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
89KB

MD5
fba61816e26c9b0c2609d8e09778bc1c

SHA1
f27cdab2f950d02820e97bc68f0828bf65660e0a

SHA256
7196af6e2f7a56046cd606d943186a49acc296eb31e666ea1fad5e1fcf90a289

SHA512
4b07315f78dba92552d62c11ac5f3e9d8531eb4ce5c977323c29ebd5cb4055854acc462e922986e423e630f700784a17303715b3a0d3b526ce61d3d3b4b15548

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
89KB

MD5
181e5342fa2e23e3059528398afd833e

SHA1
da805f5a6cdf0ec8a331e737f28537b930ad4829

SHA256
e0edad01c010c08e6236f54254380ac885aee32836040b9bfffef756314ae4a1

SHA512
15e3d92520f25ce6493fccd0ac8735787afd5a7fc98b45e4b19a977eb77bb26f31a3d4941e3b999672725007c150914667fd72a2c73bab05ec430bfddb051278

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
89KB

MD5
373d0cb33fa02932d5da9a180b4a7a40

SHA1
f9580a59c673575cb7e3242c1fc520edb3a0592f

SHA256
e35d4ad62184ff43f23639dc993e72d75fb6dd75ccd6ee6bf444a22f6d95c924

SHA512
904c1b7d402b9ba6d2af4a92b4398d054f9610b64df902585fe99b6b8d954fcd15ed06c108b7c706ffc790e3750abceb8b5e3e1b3efd8233f860b5f1b6fffadb

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
89KB

MD5
02d4e82595f8a11ae1f346fe038eb629

SHA1
268082639312c4a1488e033ca0561753100b13e2

SHA256
45c17ec2f02b51ea42af153bfa0049d95bb76b35e91d221148e07fdb48e9f55e

SHA512
3ed15106e8d093904d7010f721f4a121e4020d203f546d5bdc5eeeb1990dfe3634bf1e2cbd2240c7153056a38eeb7a85ea1fddc1907026b1a8bc05a7ddcf75db

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
89KB

MD5
0fbee1e2d7c2787d97a45c4dbdb38176

SHA1
58a875d1bdb4d58e10f5c4f26448c1dcfc830585

SHA256
97acf7d706f1d0bb12a158104c5a514331c3126c0bafe2e38f1a84601f553bec

SHA512
8ffe29dbafdad9e7a3f3696fba1d418e17297b8fcea847593b8dc4631c1eac42ecb1c5b7be387b8dc5839df08e2ea9e48669bb4cb7234c10acacde2d140fba15

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
89KB

MD5
99c7a6cef41e87425e08c5a7e61f0be0

SHA1
8762134f86719fdc50739306203f881c19145852

SHA256
9ed6a0d669ab913a1c8e867f0a766c715ff5f6fa017cb158f60fbfc4eec41e3a

SHA512
09e67d357a6571396cfa683077286e5452fc7d09b9f453858c9680658a744e3485abd838c7358a9fa56465e2b9eff5e899695064ce5d79acc40b2b071e9e6f22

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
89KB

MD5
d889ace8802137d378da02e3581a9218

SHA1
9338546262ff3108925c766d63007b55b3688051

SHA256
d4906d10e02d9cebbbb7ed933989eb41f5eded4aa027d6b06254d6a7ba9f07ac

SHA512
32f5ebbb39c7db9dde48e4e4349936a0135d84cc0674c3b7791605ff38212afad4f4f9f72789cbe0b6649559bb1508848f6d27585582f0ea3654dbc4e843ffd9

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
89KB

MD5
c3b6e2bde5b78b760beb003fece208b9

SHA1
c31c6b00f145cd7069dd3a116a60e73b64ba71ca

SHA256
a722199d004e39407e46cb1c7fcc10cfb3550d45f62ee224fb7c24c5a045f6d8

SHA512
0159b3928fa4ed375833ba97dd2a5601accea79f5d9c7bfe2c788a80139e8b085ef0ce4d6acc888f5131512c3ef96ff44c87916b21aa006d44b541cbe7add31a

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
89KB

MD5
5837467b71fa191c17558f8218ec7bc5

SHA1
c63c551df03d1be24d15915c01e0244ae6c11f00

SHA256
77244cdf16d6285a7b15ebcf1ed25c6e75c89b862ca33484b7d0e2d418e8a8e5

SHA512
ae1750968dae28283595bbcc4cab7cd3b1d5dcd435bdfe0ce939b2ef0c6eec441c2f5ffe4f15cedf7857b5fcc8655c1961a52ddf82083b7683b8bffdd6220db0

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
89KB

MD5
cf65ab10b22d03b7abe40080725ffd10

SHA1
f623c281e8cc966f157bdbf4031e9778c29dd6c2

SHA256
c3a6e98cac10424fdc8c5698591d8124e76afb1a3d35b6e756ba96dbc3b00d39

SHA512
1db7607b33819af405d6a983a05da82f3a763415b5f581ed35a7761fcccc9a26f775d09746917fe27376c42eabd1fae117c6cc8ddb4eb1bbed5127cefce4a34d

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
89KB

MD5
0c238bce5a6c89bf6cc28fabb8a6531c

SHA1
dc642138b9871e0e6ead91beac30bebb8fcdffb1

SHA256
92d13ab7c8f999b134ad0f416b0e383de13765b9d2a07c539fb41e0c837be18c

SHA512
9ec2d571f07b3599f857c2119f2e609dbbdf6602a52172fec1a94aea91125b9f8d8f0714d56f507a102d347a14992dea276f98f13c278afe64cba9f34c26ea90

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
89KB

MD5
e874ca81eb4e7b12bb15c6fa6eecd23e

SHA1
44f7540367942c71f670215b12971e2c8937a86d

SHA256
35622ded9ec0e74bb782eb6dced3127a8f4be531518802f97eaadd183d4b8eef

SHA512
64fac4377a389d34d9f4d69a86386a253b25b89a17c4ac9894e1bcdf09b086a2dea006da0b6ffece960944c39219fbd6bbe99c5dea0f521dceffc9875e98d1ae

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
89KB

MD5
97c77f3174460251b837aa44e3980433

SHA1
7417f74411dfaefc3da86fdeba2f4b45a09e1de6

SHA256
8811c0775f2fce7d8f5c63cf442b75792926ee477f4344b0a5b2bb2df166095d

SHA512
dd5df188a04faab2ca90e94a8f13b9dbd241f64faf363822741c66c6ec3296f38ee18c0f7fea1213ba36a433da243e1e3f13f7a0077f7d4fb9f5c54c1c1c1ee6

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
89KB

MD5
a3359d1c7b5817d3a63c8b24aefddc99

SHA1
ca913fc56595069e8b5e74943a6af928349a4506

SHA256
1566ea97b1d12950b220290c3f152deca5bb53a82c6227dc331e43342974606e

SHA512
3f386eeb229e99cefb8f370f84d9626e78ef8d165336ac7670ecc0fd97c7be68c2e1383f59c4aa29c037c8c5231028fe18c09017ebba020046ec73487a9661f9

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
89KB

MD5
0dab47e5685a25f7b66c75fedb9dd416

SHA1
e1923cb192e6a8a583e1b406aeced081c0dd451a

SHA256
9582c3cd69ba91e7d9b3d36b3f3c25e5f84b65228cb5ab333eb0a3df9cf52bb4

SHA512
3f1830d879d568db947434a953cce2359d1d26eb0e426b80b35c64b44c06dec49d79e89c42a5eddb0799974d3cd596b366360a6575e66bf59ee6e059ea0569df

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
89KB

MD5
1571450f27889d4f00c4531b5039a441

SHA1
251a584f83f3a2c1fa46937fe6bad6cd94af94de

SHA256
5d7d4ce5d470c9b8f63431ab86715b2be90d4f920d2b160c79f26113da818b6f

SHA512
23353ab484c03d62d59722ef798cdf309742859082ef03f3f9e3d2889d7beedce718703602eb8e9692b31148e56c7d96dc6cab61cab048865d0a893b3a369028

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
89KB

MD5
9fa678775aeb38d35241ff96ed0ee3fc

SHA1
0bf7dd4cb2f3abafc729080fa4245f98e881ffae

SHA256
5ebe5bed385b376292add5be3a88b5795ca7de7c91ec136cdd2de140ccb890d7

SHA512
39f5ea380d0f9eebeef0441870c5138b034d395431e86fc09be3e8ff79f9811af36eda5953be8bf5e180581fde7f1f4e40aeeeccb69a5e818d3e0410f5ad18e0

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
89KB

MD5
7d1a73e713eea972a66b58791f033645

SHA1
7a4280ab339320a339b8bcfe4dcd4feefac9a81d

SHA256
3ba6ca8c005dadacfbe9acb4b7353f73dcd3dad9812b308cbb5832d1428bf0f5

SHA512
c348c5aa6f7c7e5b6db9e688f26f92c3de3bbf0f52cadd49960b157f528920b273496441d41e74eac874e02cc65852064107e1707dd629503c5019d9ce5e2334

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
89KB

MD5
1fa94955c70eca627abb09652bb5cb75

SHA1
d120709f3bcf32f5dd109835a499869a45be6265

SHA256
b6cf077a047637692e2b3ff00f745b77cf76d5185f2e608e072c96eb77063d2b

SHA512
5e58756951ef95bde13a81b8010c36d7b9216045531afb6c35f4a00aa144b2121f83abb5561779f5d8ff7b90b11192d14b124974229f346b4f9611507f655ad6

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
89KB

MD5
18baa233c0066a9c452e6885e1c0047a

SHA1
9f7f48b9a2dc6a7a1b29642ff47786c21efc61ad

SHA256
774a920bbf55f71bd15a63aa717401f18c9ef0daea85e25c7998771c54c8135f

SHA512
3997a136633dd62a29d395b68d66e1b26b825d9a257b74e8a34e2a7a22adc8d5ead28b2872082418c1dfcf19f81fcdff2e0b5c1dd93c46816656ad42b293fcf9

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
89KB

MD5
fd68664735d2bd202e9115b9f3a0934c

SHA1
17d5cfc59499742a204d6f09a8f2ba31455d5e9f

SHA256
ea1c4aad4e797b0ffd38e45b6ec3e9254176ca72774a3f87e809b894615bfad2

SHA512
afa7428478d1652429abe0476b8978728c6be929a5c4643eed40ad4d73cf5d9c4d5bdf1e183a01a7a908c4284a593556e59074e79410506d77115bad04b53267

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
89KB

MD5
2374db14aeaa023858e136cb32688be7

SHA1
859cb4567a633c26251fee906a9a69abcdc508c9

SHA256
d988b78c949d9136752628e0ca123ac3befb403444856ec1b2f79c5ebfdee761

SHA512
360eb8eab66af3fbf3c65de1cfacd31c6be1d658fa7765272c5fc3bba962b7df327cf946f6d6d5c5cf016ec69fd43865a74b6ed4b6ace3ca3e9b06a5ca0ddbd4

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
89KB

MD5
d91810985b0142c4d3586e4e114a8d0f

SHA1
5af68196ad86245da189c43969cb32f75cdfc2db

SHA256
f998761cd5a75de6ec2057b547fc68138349381fdc7f3ab84c78861da24675da

SHA512
7670c15cb861b504b2e9d07b5aff400ac76395c35ff5aab20d5cd4df5ae80273d3cf88fd021e7973b7c1ebdad197c6219a1bfe9e8e209e172c50ff959db6fa57

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
89KB

MD5
2757093df1506adcfcaeb6587aa30535

SHA1
e4a9897a15c7d74a2beb1bac9794f23b2c6a76f3

SHA256
d75676f8632aeb6671f88c27f9c0a739521a0e2e96c55a574e97ffdf14190103

SHA512
b7869036722a49aec33e8a110ab5dd692ca88b193dcc19cd13c6d1f09767908110f88fa4f5270585d669f1099dc6d1d13eec41bb46c32fdad42eacb7ac8e4033

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
89KB

MD5
d595c37561539cb3c5fa5158b23ae610

SHA1
bf96a6dd4b8c4673ebf0a84a4684de50f1aa41ec

SHA256
f07144de7263adf02ae1bec591650ddd74fdc122e92ec5e4d291012721234f8f

SHA512
a1bcb176ced91c414fed7917ea2317a83cbaffacdbada10fcd6a7111a6a9d6ecd07680206fae788a1eddfda40a4afabc38691c7199445229a21ab98a126fed77

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
89KB

MD5
8a3cc1c60e292e93fc949fb3fa254c23

SHA1
a64fe1b09658ac5859a72d956d1cbd6441fd7a26

SHA256
210c9d8f299e0e41dddb70b86f0d720dad05e7f5cbfadb206a351e1f3204996e

SHA512
ec75c1395cea5850d612888605ed978393761b9c3fead75808d58d7c50c4191234853e4586c6fafa592b812a11c2ab16b0fcb2720d05a05b97e46361d0580b9c

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
89KB

MD5
98f399ab3e5070194f95fe57a0ba2839

SHA1
7af0f9ec0d6d394fb75b7593658b4a499bcf8756

SHA256
fb3bbed1351d3d1d145f16febf653881f80e1aa20da11b224038ad5e2ef0f036

SHA512
44d59126010668511046b4b14cb7b0bd6b0d97859f17fb0eba8e9f1ed2fbbdbcb5dbc810b1dc2ecafbf98453ecf1c25f3c104c0e16bb9d516ecb30e170be7c4d

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
89KB

MD5
d1012b9a65d92107f0de47bd9d9d381d

SHA1
d73d83e422a723adef18d002194d1bc9018c7cce

SHA256
4313dfab4894039409d58f8f38dbe68de9e05067d6dce9b0a01416f4e3031316

SHA512
c2196e924a7b1c1b37155e67029de854059d709652fdf70ea577a10461c24419f7bd04f1724b6cccea1104857f6b69f98773409ab60a9051db2aa7c58d2e6b80

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
89KB

MD5
a4cb548819eb3b12c447be2625efc98e

SHA1
991909ff3ed1b39957add419781e00a1a4f4ac8a

SHA256
37569397390d47c0cea2c42afffaa88c2219458e42a34e6d5726c1c288484452

SHA512
8ebcf11760b9f4ca8e9bfe4188fe3ba6bd0f606ffb78313fcf35c2fdbd3909e2bb9b98fdf0236878ca6a578844e0728bd3822d414f4634239f5527dbe8f72e70

Download Submit
C:\Windows\SysWOW64\Cjpckf32.exe

Filesize
89KB

MD5
8fe077228345b6391faa9ee76358401b

SHA1
4f9ababdfab46493cf16c95789dd6443de607eef

SHA256
80b51993e129df19c57d5da8b1e917b087a3c92bff3947f9272892f4f0f65cb7

SHA512
a3a96dcab79f2c852a07da406ed605c4e0e1116218f8e9fa0dd40e6c984d33aed73acacc2e76cfd7bcc28ba2c8d7cb8c4425d8fc926c279122ed404235afbf62

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
89KB

MD5
6994b0d2da33bc61149d31e5a2c7416a

SHA1
d392d42e214091a3a0054c65f250a6068f3e722f

SHA256
8dad57584493e91ebe796825b4bab40eb2de58107eadf8d001811973bc9dac82

SHA512
8cc0c370ba0c7df5f3d69f2f936e9d0ef3c1f2d07c9c454a8f5a40c706ecb755a1bef849a88aa2aa839f9b0917037ec7926ca911fc964f1ef3543476c43f01fe

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
89KB

MD5
3ea2ec8521d8d3d25682aee82f26e842

SHA1
0bd5c4c7864ce20c73da76dc1b594858d8a6d111

SHA256
8e8160bce7b33be8e1156080537197316233ed69bd114b4b86737f650c3f8047

SHA512
415856341fe3db8a926138420a651441174a93d644da2f1fbbd92c373b0516a8a44907855715684f9101098a8078c518bf0d8d75cad3afda92b3827fd0d585cb

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
89KB

MD5
e13b9a58496e03305903e944987b0508

SHA1
eae8c2b8bf6f782f3fc776f00b087a715505fec5

SHA256
29c5de3e984116cb87bebf0c742dce5dff0d1ce40e1471a6034c5307da65d8b3

SHA512
e9a9c229b0cd930bea71040d6ceacc12164568d2759add20b9af365a94252807e5154b9f8c2d5caf8c2aafd6654a849a9060501ac245a6f7e292382e7e7b5267

Download Submit
C:\Windows\SysWOW64\Ljbncc32.dll

Filesize
7KB

MD5
c35aa6816c154b5fbef6d1a490965f45

SHA1
1015cc9ad9bf0f8ddc7a290276a4eb303204d5cf

SHA256
fc1dbe5baa393a6a6e470ce5681bc2605c645ec2186d1d8f572515f96018461a

SHA512
9e652a62f94c92639203acb1c3f8b075be514e40541b63fb473651e7d9b5751b6c3060f9b4b35188c2b7b4141ddaf9276a108d7502ce4e3f1e09dd34c8cec950

Download Submit
memory/404-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/540-200-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/816-126-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/948-159-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1068-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1072-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1072-448-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1240-462-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1240-216-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1272-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1272-452-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1304-208-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1304-463-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1328-135-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1400-315-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1508-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1508-457-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1564-401-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1564-437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1596-455-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1596-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1636-183-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1716-419-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1716-433-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1812-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1812-449-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1896-23-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2116-459-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2116-239-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2176-310-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2192-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2236-87-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2264-223-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2264-461-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2400-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2412-12-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2420-436-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2420-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2736-207-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2736-464-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2832-413-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2832-435-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2900-451-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2900-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3000-460-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3000-231-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3048-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3148-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3148-447-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3156-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3156-446-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3380-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3400-103-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3448-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3448-439-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3488-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3488-442-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3504-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3508-441-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3508-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3648-453-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3648-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3660-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3660-458-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3672-438-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3672-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3708-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3728-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3728-445-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3856-71-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3908-454-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3908-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3924-95-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3960-127-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4004-450-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4004-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4048-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4104-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4180-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4228-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4268-434-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4268-425-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4472-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4472-443-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4516-151-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4536-456-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4536-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4564-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4600-432-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4600-431-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4856-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4856-440-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4860-286-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5012-297-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5016-444-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5016-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads