ee5455ba0dc5b5560d115b46c746da849058127c4a325e80b88ed0f6cafdfc78

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2024, 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee5455ba0dc5b5560d115b46c746da849058127c4a325e80b88ed0f6cafdfc78.exe
Size

60KB
MD5

240952556ce4ff4ff77ea0fbc9548d7d
SHA1

4167d22818b2fa341ef1a6f08da693d00adea913
SHA256

ee5455ba0dc5b5560d115b46c746da849058127c4a325e80b88ed0f6cafdfc78
SHA512

751e1842ee7f66d8e4e1c70b04c3020f749e57d7f88b9f51e2a2f7137a221339fc13af1bc4d0c434b4211dc6efcee939f24464345d0a4108006832b0484ca387
SSDEEP

768:DoESxtxkzgwkgxLnQp4K8PnSqGw/B6Om9Va0wGLJeLfIn2a/A/1H5xB+XdnhMl/W:DtSbggwxxLnQuaLwZBDMn+bB86l1rs

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	ee5455ba0dc5b5560d115b46c746da849058127c4a325e80b88ed0f6cafdfc78.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnpppgdj.exe

Executes dropped EXE 64 IoCs

pid	Process
1120	Qmmnjfnl.exe
4852	Qcgffqei.exe
5072	Qgcbgo32.exe
4868	Anmjcieo.exe
1096	Adgbpc32.exe
1960	Ageolo32.exe
1248	Ajckij32.exe
636	Ambgef32.exe
3256	Aeiofcji.exe
412	Ajfhnjhq.exe
736	Aqppkd32.exe
3328	Agjhgngj.exe
3900	Ajhddjfn.exe
936	Amgapeea.exe
3980	Aglemn32.exe
2788	Ajkaii32.exe
3640	Accfbokl.exe
3520	Bjmnoi32.exe
396	Bagflcje.exe
1172	Bganhm32.exe
2376	Bnkgeg32.exe
3704	Baicac32.exe
2060	Beeoaapl.exe
4816	Bffkij32.exe
3276	Bmpcfdmg.exe
4372	Balpgb32.exe
3224	Bfhhoi32.exe
2600	Bnpppgdj.exe
2052	Beihma32.exe
336	Bhhdil32.exe
4092	Bjfaeh32.exe
1984	Bapiabak.exe
4104	Bcoenmao.exe
4608	Cfmajipb.exe
624	Cmgjgcgo.exe
4028	Cdabcm32.exe
3860	Cfpnph32.exe
1192	Cnffqf32.exe
1244	Ceqnmpfo.exe
2580	Cfbkeh32.exe
1252	Cnicfe32.exe
4296	Cmlcbbcj.exe
840	Ceckcp32.exe
2436	Cjpckf32.exe
4532	Cmnpgb32.exe
4384	Ceehho32.exe
4948	Chcddk32.exe
1684	Cnnlaehj.exe
1964	Calhnpgn.exe
3152	Ddjejl32.exe
1504	Djdmffnn.exe
708	Dmcibama.exe
404	Ddmaok32.exe
4060	Dhhnpjmh.exe
3088	Djgjlelk.exe
2372	Daqbip32.exe
1884	Delnin32.exe
1636	Dfnjafap.exe
2676	Dkifae32.exe
3488	Dmgbnq32.exe
4112	Daconoae.exe
3188	Deokon32.exe
4672	Dhmgki32.exe
2172	Dfpgffpm.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	Ajfhnjhq.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Daconoae.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Qgcbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Djdmffnn.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Adgbpc32.exe	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Ajckij32.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Bganhm32.exe	Bagflcje.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Poahbe32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Qmmnjfnl.exe	ee5455ba0dc5b5560d115b46c746da849058127c4a325e80b88ed0f6cafdfc78.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qcgffqei.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Bnkgeg32.exe	Bganhm32.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Baacma32.dll	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bnpppgdj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1408	3340	WerFault.exe	157

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll"	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	ee5455ba0dc5b5560d115b46c746da849058127c4a325e80b88ed0f6cafdfc78.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbnaa32.dll"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmolq32.dll"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnpppgdj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 1120	3012	ee5455ba0dc5b5560d115b46c746da849058127c4a325e80b88ed0f6cafdfc78.exe	84
PID 3012 wrote to memory of 1120	3012	ee5455ba0dc5b5560d115b46c746da849058127c4a325e80b88ed0f6cafdfc78.exe	84
PID 3012 wrote to memory of 1120	3012	ee5455ba0dc5b5560d115b46c746da849058127c4a325e80b88ed0f6cafdfc78.exe	84
PID 1120 wrote to memory of 4852	1120	Qmmnjfnl.exe	85
PID 1120 wrote to memory of 4852	1120	Qmmnjfnl.exe	85
PID 1120 wrote to memory of 4852	1120	Qmmnjfnl.exe	85
PID 4852 wrote to memory of 5072	4852	Qcgffqei.exe	86
PID 4852 wrote to memory of 5072	4852	Qcgffqei.exe	86
PID 4852 wrote to memory of 5072	4852	Qcgffqei.exe	86
PID 5072 wrote to memory of 4868	5072	Qgcbgo32.exe	87
PID 5072 wrote to memory of 4868	5072	Qgcbgo32.exe	87
PID 5072 wrote to memory of 4868	5072	Qgcbgo32.exe	87
PID 4868 wrote to memory of 1096	4868	Anmjcieo.exe	88
PID 4868 wrote to memory of 1096	4868	Anmjcieo.exe	88
PID 4868 wrote to memory of 1096	4868	Anmjcieo.exe	88
PID 1096 wrote to memory of 1960	1096	Adgbpc32.exe	89
PID 1096 wrote to memory of 1960	1096	Adgbpc32.exe	89
PID 1096 wrote to memory of 1960	1096	Adgbpc32.exe	89
PID 1960 wrote to memory of 1248	1960	Ageolo32.exe	90
PID 1960 wrote to memory of 1248	1960	Ageolo32.exe	90
PID 1960 wrote to memory of 1248	1960	Ageolo32.exe	90
PID 1248 wrote to memory of 636	1248	Ajckij32.exe	91
PID 1248 wrote to memory of 636	1248	Ajckij32.exe	91
PID 1248 wrote to memory of 636	1248	Ajckij32.exe	91
PID 636 wrote to memory of 3256	636	Ambgef32.exe	92
PID 636 wrote to memory of 3256	636	Ambgef32.exe	92
PID 636 wrote to memory of 3256	636	Ambgef32.exe	92
PID 3256 wrote to memory of 412	3256	Aeiofcji.exe	93
PID 3256 wrote to memory of 412	3256	Aeiofcji.exe	93
PID 3256 wrote to memory of 412	3256	Aeiofcji.exe	93
PID 412 wrote to memory of 736	412	Ajfhnjhq.exe	94
PID 412 wrote to memory of 736	412	Ajfhnjhq.exe	94
PID 412 wrote to memory of 736	412	Ajfhnjhq.exe	94
PID 736 wrote to memory of 3328	736	Aqppkd32.exe	95
PID 736 wrote to memory of 3328	736	Aqppkd32.exe	95
PID 736 wrote to memory of 3328	736	Aqppkd32.exe	95
PID 3328 wrote to memory of 3900	3328	Agjhgngj.exe	97
PID 3328 wrote to memory of 3900	3328	Agjhgngj.exe	97
PID 3328 wrote to memory of 3900	3328	Agjhgngj.exe	97
PID 3900 wrote to memory of 936	3900	Ajhddjfn.exe	98
PID 3900 wrote to memory of 936	3900	Ajhddjfn.exe	98
PID 3900 wrote to memory of 936	3900	Ajhddjfn.exe	98
PID 936 wrote to memory of 3980	936	Amgapeea.exe	99
PID 936 wrote to memory of 3980	936	Amgapeea.exe	99
PID 936 wrote to memory of 3980	936	Amgapeea.exe	99
PID 3980 wrote to memory of 2788	3980	Aglemn32.exe	100
PID 3980 wrote to memory of 2788	3980	Aglemn32.exe	100
PID 3980 wrote to memory of 2788	3980	Aglemn32.exe	100
PID 2788 wrote to memory of 3640	2788	Ajkaii32.exe	102
PID 2788 wrote to memory of 3640	2788	Ajkaii32.exe	102
PID 2788 wrote to memory of 3640	2788	Ajkaii32.exe	102
PID 3640 wrote to memory of 3520	3640	Accfbokl.exe	103
PID 3640 wrote to memory of 3520	3640	Accfbokl.exe	103
PID 3640 wrote to memory of 3520	3640	Accfbokl.exe	103
PID 3520 wrote to memory of 396	3520	Bjmnoi32.exe	104
PID 3520 wrote to memory of 396	3520	Bjmnoi32.exe	104
PID 3520 wrote to memory of 396	3520	Bjmnoi32.exe	104
PID 396 wrote to memory of 1172	396	Bagflcje.exe	106
PID 396 wrote to memory of 1172	396	Bagflcje.exe	106
PID 396 wrote to memory of 1172	396	Bagflcje.exe	106
PID 1172 wrote to memory of 2376	1172	Bganhm32.exe	107
PID 1172 wrote to memory of 2376	1172	Bganhm32.exe	107
PID 1172 wrote to memory of 2376	1172	Bganhm32.exe	107
PID 2376 wrote to memory of 3704	2376	Bnkgeg32.exe	108

C:\Users\Admin\AppData\Local\Temp\ee5455ba0dc5b5560d115b46c746da849058127c4a325e80b88ed0f6cafdfc78.exe
"C:\Users\Admin\AppData\Local\Temp\ee5455ba0dc5b5560d115b46c746da849058127c4a325e80b88ed0f6cafdfc78.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\SysWOW64\Qmmnjfnl.exe
  C:\Windows\system32\Qmmnjfnl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1120
- - C:\Windows\SysWOW64\Qcgffqei.exe
    C:\Windows\system32\Qcgffqei.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4852
  - - C:\Windows\SysWOW64\Qgcbgo32.exe
      C:\Windows\system32\Qgcbgo32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5072
    - - C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4868
      - C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3256
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:412
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:736
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3328
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:936
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:396
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3704
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2060
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4816
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3276
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3224
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:336
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4092
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4104
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3860
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1192
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2580
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1252
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:840
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2436
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4532
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4384
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        48⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1684
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3152
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1504
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:708
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4060
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3088
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1884
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1636
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2676
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3488
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4112
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3188
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4672
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3740
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1288
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:4748
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1308
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        71⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        72⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 396
        73⤵
        Program crash
        
        PID:1408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3340 -ip 3340
1⤵
PID:3476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
60KB

MD5
3a36c9e6043f802deaa7b98857e7bcda

SHA1
d90b20e325df4f8b57b437ab2fba7da67875a0f9

SHA256
73a57029abb690cd73d97900769625f01a526f0454aec24a16d44260bb9d8eaa

SHA512
88ef0068836c62f8c9ea2a526ae79d194302ab91304201e89ce6dd465e575864a01c7f4e42c27db5938ed764f91ac3674932c66a50db9f9ae99410c6be2d0ff9

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
60KB

MD5
df3d39dea74d32b4a56170fd4fb0c48d

SHA1
44c9cba1052be14194e1fc07e357aa66a280ebf1

SHA256
ed5a41a08dfeeb131d2985db421ce0bde764ea2ef2e26be436cabff9a3cfc322

SHA512
ecfdbcbc7995124d60c10831c7181437553b3f0a6f1fc63067fe77b4d09778b65cee27acf486adf0e4ecec96de581290506ee5e628143d7d718743fc442ada98

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
60KB

MD5
d5d6fa57d27251244489801a181741e5

SHA1
6e7397a944a98f8efd056c7184742df76eee70eb

SHA256
068a5717d8b904f1e9a96785af534e13c7bca9716d7088c7321b22d45a6c6b9d

SHA512
570054977180f7b3de9784096339b3189298990cf99b856614c0c0042bb5ec92bc6ee01c24dfb89f83035ca3cc64e0246417d7a39d83ca531b823e47f47d64c0

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
60KB

MD5
f84bde5d5d6f3c8983c23994cb30f4da

SHA1
e9559d33ec4c7b43c7e29e2400ea923857e65f5a

SHA256
e11af521189797f636b09d97a8ae9fb6792e156ea53eb375f3f087633eaa5f2f

SHA512
25d4fb6c4dfc28b7e351e7ec5b78257d3c9fdad35374eaa062f858ea93703a7f1577f9d2aabe5a32a86850bc590740074f3ac19a12f0a22c48db1b760bd4bed7

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
60KB

MD5
f651488ab2b56697ac0bb0e15530bd28

SHA1
390e68856767e4bcd54354374c10ff671979863d

SHA256
6e320104eafecae32a8516f7e116b0efd3cf8dd2bc1cec37a052cfc0176e19fb

SHA512
15d53bacc79fa8add8745aa7cff52067c4808fb1f4c1e29246cd8f02cbfc7496e1f297d99e43a71e246222df24f6b1236d98a455a27e1813d09f12c48e794d8d

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
60KB

MD5
3e92bc4bb2096d093066e3d2fde3edcc

SHA1
8124103d8a9002118988f5390eec0f4c16835a6c

SHA256
074999b1c87382cc217355e75581c84f7bf0de847aae0b0b0a10d80ca9b0bda4

SHA512
3807f9a3477eb32e95b89e35ea290328c1e48bbad7844147d370c33a9ad58cc799dba5561930f05873cb29a04dfdbc5e7a60ef9533b4e8a5b3339f9e66df7251

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
60KB

MD5
8548597e4463845130bbd02409f23ae9

SHA1
a165f32812f25f028cb2231a724ba51d80c4027a

SHA256
aad49ac3fa535cdee1878db3b8cf08e3e37acb98005441dd9cd36dee60fddbcc

SHA512
a4d274b02b5258dc3d5ffa6362c4b1783b208820e7379875a8403172e2f80ca207cda0646fa70fa90c7205b84e6cfffc9ced5b6715aedd1fb52b5bac0aea1a1c

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
60KB

MD5
0280e57932c0abd2a40a914e59f3f1f3

SHA1
4ccd061d140113499417fe3f6b2dc1d895dc946b

SHA256
7f7ed3d3ac9b968462449950b49ac81d3be6590a89c8e0e92c4de87386a863f5

SHA512
f433e60701674635ffe85d952410d952d10e6986e6602e2896f6810515bf93b9e8503318ffd839827208c3b3fece81487cf2237c59323d75b5427e5002c80ec4

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
60KB

MD5
26a456edd279d3943705dfd2f8bcd133

SHA1
60e1d774fefd5e92b9f4352413ed160fa4a26767

SHA256
6e9e0791b69d0244efbd172e275a33b86427a91c52c2abc9434fc6417f433bf3

SHA512
e32b7e71c4bbceefa93273738632fe7bfaa709795fe8e90373cca16b7a8edd9c9dc2034116707805fdf5195d7ce1e87e8e95a4499b2b61c179694c86d92583f3

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
60KB

MD5
788dde03fe395f99f74f5af1d5fc0621

SHA1
890ee1502e9f8c7479111bd37e0a4a552a5d168e

SHA256
0354d889e570de444ebf060a7430f68df17819b94430f206af3cbba8acbd76dd

SHA512
8b961a8ff29ded9205f307ed370f7b895c8d554db80e34f4a3595580aa04fe7e5d6226cb7ac62f0527d68e0230ada660c6e64a8b62a2ed7da2493cb769d6bddc

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
60KB

MD5
5dc5beff9725f68f2f7011215491fb09

SHA1
ec1a462eb0aa9a568a2b0bf0b8f0c50dbacf80ed

SHA256
c8fa5dc08a5e1c504558e6cc121a7023eccf290ed9cc81e31500de3a290bd27a

SHA512
e6a3a13f07e417dc516d98cd22f82b2d4700fa81184442947760d2994e1970bf4c4be1475b9e59cc4db86beaca5ba0e3a72faf709fa79d28dee764a48334ee3c

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
60KB

MD5
7e1393360cfcc0e2d55a93d95fc911b0

SHA1
299ef4d86a9993daf8564c319dd6ebca64dadeef

SHA256
d4443600e015ff30490e83f43647881cad974c6b9addda6b35202a7456132b4a

SHA512
8077f0423bd2c91ce1c97c3e981c75468e480307ae68000d67120f6f17be3a52f0f2c0cf88fdd5db1d4dfc957cb68530b9b4fc1c36bb6c0677a1e173c28f97d2

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
60KB

MD5
227554d74372ebd112c8a11931fdda07

SHA1
63139f25fd5966add3be021780ea812f1518558e

SHA256
b92a7f0e144c6502035cb1d09a9c96e3de8cf5d17c05037d1e26a322e9ffe0e2

SHA512
0e6dcde08604cfbbec78d79264617a40ba6dfccf64b28b32e58bd8711780073b001119ec07ae320950f91d4d5809903e168fb67a1fe4bbd1debd51338b2bfdb7

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
60KB

MD5
bb95631599308811c00228a480330344

SHA1
a3edfa505112fe8cf3edf4dffa606ee974c88ec0

SHA256
4cb222a2f875e8c56ce0e85144c1aa9a817cac48e932dc6e3667f8fed0a7126a

SHA512
b575684634cae441354b618b220ef011b2e3161703578440200feeb773f0c760ad5c850a63a13f8aebcafb1ce170c6052dc770bbdffed242664a6a324b1aa49d

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
60KB

MD5
f00d8391d90614c9d0ee179c9180ee1e

SHA1
509fa2be9cd7c99b1bc81b9cf2408c5a4d978edf

SHA256
3410463a739b0b4e42d12807370445e024805f6f6988cfe7a907abca86c3c7b1

SHA512
33077ccbbcd9a3dc8c95bb0a6e7b00fe5a5c1ed643d51ebba356939bb7338fc7075c0e35a13c851dabb0343777c495070f96918c3d9b98936255d5a0160e25f2

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
60KB

MD5
fdd268b4df103e567005a5fc025bc4a7

SHA1
13697481eeff3ac5f42169859b806cb44b26327a

SHA256
bb63a27e8025d74938166772cf976564f9376e347d3abb8224cae8956f7dc561

SHA512
dd743a6b7a609f6c0ff7733bcc36c74961dc6100d4482af51c71a89ad1f1381b14eb1ff70376344032cc8d52c675a904814112a4c25f546960c41393d8917586

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
60KB

MD5
aeafb117a35b175352d4f59e937a70df

SHA1
71469e4af7fa9bd7b19a273e77dcea79008a9e27

SHA256
0d78af8d17764475ef61cc4e9581c90ec5f99c7d417c3e66f22e3fa1b7625f7e

SHA512
5552a145622783168bcfb9e7a91698e85074f25e7add5cb6673aefbf263ccebcff93f192d0bbbf7b0a18f8b0ff15efd016be4ae98f8a90f05198cf5d14ca44be

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
60KB

MD5
2437b95c456213a95eebf232d0ea6710

SHA1
270069fe48d348e051eef2f24dafe140a1a555df

SHA256
6acb48c309850fe8641265731e003cbeaf564f501b04c3cb417657304b8ad444

SHA512
1b87dd253912fc17d6577ad344b13a2d84aabce0c8610ff8215f9fc13d3c76e4311eac403b9b7091c15bd28a13114a7f78c2838ab04e24bee8ad3c47376d9ce9

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
60KB

MD5
7904d163cc0703903ab51586c425d412

SHA1
d141d21517fbb1cb63a60cf968fdc7165903d87d

SHA256
b44e4e183011cab902f7636276c596d964b2991664792bf28483cc8b8d8097e1

SHA512
d646b72b16eca34c13176e358aadae4080cfff2d91e538a690925114644ae875fa7e450d1de3ea95a69c0a1178060eecd14616457f5a97333a6c2c11df69b3c0

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
60KB

MD5
d9993f009a750ffe23922ec4bae8bb71

SHA1
5f354308f7c46aee951e1ba47f243f0f4c1fbe22

SHA256
e3d528db4a40a1cc7aa63797eacd41eb9b81a990189f686c97732dc6409a11f4

SHA512
424fcbf44ce58d2f6f0de87640ab0b743e893ebbc8f060e11e68f21b1ed5c8fd05e2590821701654a0f5a989af22b8b6e8c93395cca5346be868c5cbe299276b

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
60KB

MD5
444a4d0d978fd3e4905dacbba17c9704

SHA1
ed09d3f78e465c9d04f80b3c125f9495dd8db7a5

SHA256
05745f40f632a5533a2d34ba7e2c363a157d318cd37dd3ad17997595c486534c

SHA512
d607b5cdb6b7bf6516f9931efbbaefb69ce1628d652b57d08a9b0ea59e35d71597b188f83ce6ad90d4a6ca3b6a8d2155bca6e164f80f3aa83498729cce338744

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
60KB

MD5
137625d8e98b77fc56596e472432ebc6

SHA1
bc4414ec929c105e69d07bc11fb6485db77ea3ba

SHA256
e9ba53d6650aee6efe60c2101e2e649f0a7eb2da9bf86bba1d342bfa666731fd

SHA512
8f28f823eeea5d0c3c6467ef5da5e06033baf1f436a405b2a05df7c2094fbebf106b7059dc7764b444d6918dbec3c51b516a10aa0985a15d521f61294313b60a

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
60KB

MD5
72fef35a9765c0b771f1d7c648e5efbc

SHA1
25107bbcca3adbd1d923d5bb41a3a7d627fe1907

SHA256
ab24afe587bc14066e1e7ffff8821137b6100d4f6c2b4590d5f4c564b799aafc

SHA512
2e690d1d4ed38fb2624628dbc51bd59437e3183c1d01c37787d9f2d1655ebb442d54c242c0731bf568e95688f08b01b998f95a21ca340a34ede4a9b4f4952f5f

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
60KB

MD5
e8f0dd7125136c3dbe9bd8aa52c2074a

SHA1
7f8f849c7b42cd39c390223934df2aa36fcd3f23

SHA256
feaab224918770657711b14093a825f807e58a3b505750e20489c6ead1bf2498

SHA512
e90eb2df7f908281592b5c0906113310d82487552457eb83929197bb5ca4a1a9f75f927123ded52f2b729b9ea204ab050d009f504558411e7bb57dde5f2dc74e

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
60KB

MD5
1d78b4e616c1cb602df57124ed45cc7e

SHA1
6b6ec73df069dc1e2edc4fe5a4b0faf3cc030d88

SHA256
9355998b4adeb2ef1f82e3097650f4e87c58af39131f9f0cdf9cf9bd4a3b47c1

SHA512
c8ab687be5ecc83c5616d795efc5dd1a916e9cef7cc7209e35ef19564d31ca5a9525fd696aea0d076db41ecdafb36d22d8d1dea38b19e686c9c9959bf2e8c2fa

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
60KB

MD5
2ebaef626d1832a6f103f4a6ad2d4546

SHA1
6be3abffc0aea9cbad5ede83d460dd1bba100954

SHA256
3a098fa210f19858de5a54dc54052b6daae225e271fb0488c4055566fada5f7f

SHA512
baa0ada51413b9261973b35d8710ffa184ecb84df4ed2c0a5fccc1b1752fd0e77c0a629ede0adb590a08620178d6431595be23744d478640b643970aec9e4538

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
60KB

MD5
024480221d748337a95a814aa9b41019

SHA1
f6de3e738528123f7e6dfc965cde8b3aa7858198

SHA256
e6545a1b04eb6afc5da5a021fedd8ef73ae1fa31f1efe8c18eb21f7daf858892

SHA512
3e8247066c7a1ebaea7b11184f2cec0c7d290407c0832586fc6cfd89823e4acbdbeb9ae17e1d9b644f941c683bcf0e6b47040940dea97632b7fcee574533199d

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
60KB

MD5
a5f557da5a960e09eec5acfd4be33c35

SHA1
60c55e158759ffdecc4c6bfe1ff0bd260afa4691

SHA256
3891faa75af14597192c2e723847897480a6b927c863c2a37f560219e9d9f8eb

SHA512
b97f6b1331f2ef3bd60266235496a4345c5aa2965333a6affdc8b0366f331f614d0175193febb8252b49d9ff2a46885316b25765672267c5f7538ac565d4313a

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
60KB

MD5
3597f6db0f22fe136e7a08be60106076

SHA1
ffa39f5a6a3950a3e8a79d8b29f04bd8501d3088

SHA256
d49261750efd4c9e79cd1b863abd2f122387b2bc6e498c7bb6a2d2eeea8cac88

SHA512
26b50c86a4e662a15bbca59ae81176c45e0cee497206ee4c00753963593218683068651e227845aa642de18e2fb0cf18fc1e38736e762f8e5fe10ba25ddb16b8

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
60KB

MD5
0b452cfbeda460bff3003a06ad269304

SHA1
a5908f13ba0893ef17d8e4cebcddf1274236465a

SHA256
bb9bf79ea6bd2d35737a6c4568bf6f943c0332509926a999e7d5c715c461d884

SHA512
fc599f54117186e3a98d646c9babb8a5e66452952a780d0f68be1344b203173d931132ccbdec49be71f00a5f75a15bd8e2e8b24fc0be0618814f76e94b99a710

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
60KB

MD5
1535d1ed3dc76958e7fcf7eb72535c05

SHA1
e04501c1dbd3be3efb2c60bdc0cc50b1296bea0a

SHA256
b21d3ebffbc3ac41e1ac5456744f82ec7c77f024b42e39e8cb2b73813911ae4d

SHA512
17fb44851f0d7ea76927949fe32e1808be6c14bd2abf5f93ced760b2cc2d3508c23a8032e9ffbec70a3cb82d2f3b5cc42dcca819b4d6bf542f6cdfb46e71683a

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
60KB

MD5
a5faee1e5fdd0fccc3ceaaf4c20d3c25

SHA1
1b3ab3e02e30f9ff76ed91c90a87223dccbcbe63

SHA256
43645925058c754fc9e3859f31afecd2ea1539ed88c0c43a47295e985afe8d52

SHA512
f160626d61487c5241dcdcdeeba36b9e3c172cb4a1f53d383bea39fc21467dab40a21d448768860dabac06a92a15f2b4ff4946ea7321ab6265bc7918843fbcd1

Download Submit
memory/336-334-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/336-259-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/336-620-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/396-251-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/396-162-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/412-170-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/412-81-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/624-298-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/636-152-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/636-64-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/708-412-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/736-91-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/840-351-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/840-418-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/936-117-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/936-206-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1096-125-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1096-40-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1120-8-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1120-90-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1172-171-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1192-383-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1244-324-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1244-601-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1244-390-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1248-57-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1248-143-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1252-404-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1252-337-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1504-405-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1684-384-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1884-444-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1960-49-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1960-134-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1964-391-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1964-582-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1984-343-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1984-277-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2052-323-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2052-252-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2060-198-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2376-179-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2376-267-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2436-424-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2436-357-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2580-397-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2600-317-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2600-242-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2788-135-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2788-223-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3012-72-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3012-1-0x0000000000434000-0x0000000000435000-memory.dmp

Filesize
4KB

Download
memory/3012-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3088-432-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3152-398-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3224-310-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3224-233-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3256-74-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3256-161-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3276-216-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3276-297-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3328-99-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3328-187-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3520-153-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3520-241-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3640-145-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3640-232-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3704-276-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3704-188-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3860-376-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3860-311-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3900-197-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3900-108-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3980-215-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3980-127-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4028-304-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4028-369-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4060-425-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4092-336-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4092-269-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4104-284-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4104-350-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4296-344-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4296-411-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4372-224-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4384-370-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4384-438-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4532-363-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4532-431-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4608-291-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4816-207-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4816-290-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4852-98-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4852-16-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4868-32-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4868-116-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4948-377-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5072-107-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5072-24-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads