njrat | 4275a0ded940b8c34bd7d1f6cb70d23dc154c2939eabe28654b0d61ff3cebe6c

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-09-2024 23:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c142fedb018ad6342a0630ca930d26d0N.exe
Size

337KB
MD5

c142fedb018ad6342a0630ca930d26d0
SHA1

59ebdd3b99bb25ca3e6aec5d2279e184e0cacd0c
SHA256

4275a0ded940b8c34bd7d1f6cb70d23dc154c2939eabe28654b0d61ff3cebe6c
SHA512

06720ca75d6a14447e3939ee28f1241920de8bc0bb69d2f7c0fcb4b7922d5f07de56177e163c568846f6cec9c456721ff5937e792403bbbd2344452aff8cd8a2
SSDEEP

3072:n81nQa98FlAUiWtB67gYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:n+Qa9yAUiWtB671+fIyG5jZkCwi8r

Score

10^/10

njrat discovery persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	c142fedb018ad6342a0630ca930d26d0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 64 IoCs

pid	Process
4632	Agglboim.exe
2680	Amddjegd.exe
4904	Aqppkd32.exe
3480	Amgapeea.exe
3680	Ajkaii32.exe
1172	Aepefb32.exe
340	Agoabn32.exe
1292	Bfabnjjp.exe
2856	Bnhjohkb.exe
4912	Bmkjkd32.exe
1748	Bebblb32.exe
3708	Bcebhoii.exe
4604	Bfdodjhm.exe
3884	Bjokdipf.exe
2008	Bmngqdpj.exe
2820	Baicac32.exe
5068	Bchomn32.exe
3448	Bffkij32.exe
1072	Bjagjhnc.exe
1300	Bmpcfdmg.exe
1132	Beglgani.exe
1348	Bgehcmmm.exe
4836	Bfhhoi32.exe
4120	Bnpppgdj.exe
4652	Bmbplc32.exe
636	Beihma32.exe
4572	Bclhhnca.exe
4204	Bhhdil32.exe
4880	Bfkedibe.exe
4876	Bnbmefbg.exe
4000	Belebq32.exe
428	Bcoenmao.exe
1144	Cfmajipb.exe
1012	Cjinkg32.exe
2280	Cndikf32.exe
2268	Cabfga32.exe
3048	Cenahpha.exe
2176	Chmndlge.exe
3144	Cfpnph32.exe
4380	Cnffqf32.exe
3284	Cmiflbel.exe
2480	Ceqnmpfo.exe
2576	Chokikeb.exe
1168	Cfbkeh32.exe
3844	Cnicfe32.exe
1396	Cmlcbbcj.exe
3960	Ceckcp32.exe
2972	Cdfkolkf.exe
224	Cfdhkhjj.exe
4532	Cjpckf32.exe
768	Cmnpgb32.exe
4940	Cajlhqjp.exe
4792	Cdhhdlid.exe
2656	Chcddk32.exe
4148	Cjbpaf32.exe
4184	Cmqmma32.exe
2136	Cegdnopg.exe
4400	Dhfajjoj.exe
4908	Djdmffnn.exe
2312	Dmcibama.exe
5128	Danecp32.exe
5168	Ddmaok32.exe
5208	Dfknkg32.exe
5248	Djgjlelk.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Dpmdoo32.dll	c142fedb018ad6342a0630ca930d26d0N.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Agglboim.exe	c142fedb018ad6342a0630ca930d26d0N.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Agglboim.exe	c142fedb018ad6342a0630ca930d26d0N.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Bfhhoi32.exe	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dddhpjof.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5992	5892	WerFault.exe	164

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c142fedb018ad6342a0630ca930d26d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	c142fedb018ad6342a0630ca930d26d0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	c142fedb018ad6342a0630ca930d26d0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jijjfldq.dll"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	c142fedb018ad6342a0630ca930d26d0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcebhoii.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 4632	2992	c142fedb018ad6342a0630ca930d26d0N.exe	82
PID 2992 wrote to memory of 4632	2992	c142fedb018ad6342a0630ca930d26d0N.exe	82
PID 2992 wrote to memory of 4632	2992	c142fedb018ad6342a0630ca930d26d0N.exe	82
PID 4632 wrote to memory of 2680	4632	Agglboim.exe	83
PID 4632 wrote to memory of 2680	4632	Agglboim.exe	83
PID 4632 wrote to memory of 2680	4632	Agglboim.exe	83
PID 2680 wrote to memory of 4904	2680	Amddjegd.exe	84
PID 2680 wrote to memory of 4904	2680	Amddjegd.exe	84
PID 2680 wrote to memory of 4904	2680	Amddjegd.exe	84
PID 4904 wrote to memory of 3480	4904	Aqppkd32.exe	85
PID 4904 wrote to memory of 3480	4904	Aqppkd32.exe	85
PID 4904 wrote to memory of 3480	4904	Aqppkd32.exe	85
PID 3480 wrote to memory of 3680	3480	Amgapeea.exe	87
PID 3480 wrote to memory of 3680	3480	Amgapeea.exe	87
PID 3480 wrote to memory of 3680	3480	Amgapeea.exe	87
PID 3680 wrote to memory of 1172	3680	Ajkaii32.exe	88
PID 3680 wrote to memory of 1172	3680	Ajkaii32.exe	88
PID 3680 wrote to memory of 1172	3680	Ajkaii32.exe	88
PID 1172 wrote to memory of 340	1172	Aepefb32.exe	90
PID 1172 wrote to memory of 340	1172	Aepefb32.exe	90
PID 1172 wrote to memory of 340	1172	Aepefb32.exe	90
PID 340 wrote to memory of 1292	340	Agoabn32.exe	91
PID 340 wrote to memory of 1292	340	Agoabn32.exe	91
PID 340 wrote to memory of 1292	340	Agoabn32.exe	91
PID 1292 wrote to memory of 2856	1292	Bfabnjjp.exe	92
PID 1292 wrote to memory of 2856	1292	Bfabnjjp.exe	92
PID 1292 wrote to memory of 2856	1292	Bfabnjjp.exe	92
PID 2856 wrote to memory of 4912	2856	Bnhjohkb.exe	93
PID 2856 wrote to memory of 4912	2856	Bnhjohkb.exe	93
PID 2856 wrote to memory of 4912	2856	Bnhjohkb.exe	93
PID 4912 wrote to memory of 1748	4912	Bmkjkd32.exe	94
PID 4912 wrote to memory of 1748	4912	Bmkjkd32.exe	94
PID 4912 wrote to memory of 1748	4912	Bmkjkd32.exe	94
PID 1748 wrote to memory of 3708	1748	Bebblb32.exe	95
PID 1748 wrote to memory of 3708	1748	Bebblb32.exe	95
PID 1748 wrote to memory of 3708	1748	Bebblb32.exe	95
PID 3708 wrote to memory of 4604	3708	Bcebhoii.exe	96
PID 3708 wrote to memory of 4604	3708	Bcebhoii.exe	96
PID 3708 wrote to memory of 4604	3708	Bcebhoii.exe	96
PID 4604 wrote to memory of 3884	4604	Bfdodjhm.exe	97
PID 4604 wrote to memory of 3884	4604	Bfdodjhm.exe	97
PID 4604 wrote to memory of 3884	4604	Bfdodjhm.exe	97
PID 3884 wrote to memory of 2008	3884	Bjokdipf.exe	98
PID 3884 wrote to memory of 2008	3884	Bjokdipf.exe	98
PID 3884 wrote to memory of 2008	3884	Bjokdipf.exe	98
PID 2008 wrote to memory of 2820	2008	Bmngqdpj.exe	99
PID 2008 wrote to memory of 2820	2008	Bmngqdpj.exe	99
PID 2008 wrote to memory of 2820	2008	Bmngqdpj.exe	99
PID 2820 wrote to memory of 5068	2820	Baicac32.exe	100
PID 2820 wrote to memory of 5068	2820	Baicac32.exe	100
PID 2820 wrote to memory of 5068	2820	Baicac32.exe	100
PID 5068 wrote to memory of 3448	5068	Bchomn32.exe	101
PID 5068 wrote to memory of 3448	5068	Bchomn32.exe	101
PID 5068 wrote to memory of 3448	5068	Bchomn32.exe	101
PID 3448 wrote to memory of 1072	3448	Bffkij32.exe	102
PID 3448 wrote to memory of 1072	3448	Bffkij32.exe	102
PID 3448 wrote to memory of 1072	3448	Bffkij32.exe	102
PID 1072 wrote to memory of 1300	1072	Bjagjhnc.exe	103
PID 1072 wrote to memory of 1300	1072	Bjagjhnc.exe	103
PID 1072 wrote to memory of 1300	1072	Bjagjhnc.exe	103
PID 1300 wrote to memory of 1132	1300	Bmpcfdmg.exe	104
PID 1300 wrote to memory of 1132	1300	Bmpcfdmg.exe	104
PID 1300 wrote to memory of 1132	1300	Bmpcfdmg.exe	104
PID 1132 wrote to memory of 1348	1132	Beglgani.exe	105

C:\Users\Admin\AppData\Local\Temp\c142fedb018ad6342a0630ca930d26d0N.exe
"C:\Users\Admin\AppData\Local\Temp\c142fedb018ad6342a0630ca930d26d0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\SysWOW64\Agglboim.exe
  C:\Windows\system32\Agglboim.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4632
- - C:\Windows\SysWOW64\Amddjegd.exe
    C:\Windows\system32\Amddjegd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\SysWOW64\Aqppkd32.exe
      C:\Windows\system32\Aqppkd32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4904
    - - C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3480
      - C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3680
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:340
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3708
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3884
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3448
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1348
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4120
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4652
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        27⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4572
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4204
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        32⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3384
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4000
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:428
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1144
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1012
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3144
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4380
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3284
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2480
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2576
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1168
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3844
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1396
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4532
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4148
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4184
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2136
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4400
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5128
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5168
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5208
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        67⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:5328
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5368
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:5408
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5448
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5488
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5528
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        74⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5568
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5608
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5648
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5728
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5768
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5808
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        81⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5852
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        82⤵
        
        PID:5892
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5892 -s 396
        83⤵
        Program crash
        
        PID:5992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5892 -ip 5892
1⤵
PID:5964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aepefb32.exe

Filesize
337KB

MD5
6415bdae98d2e0cb6c1bea8517e5762e

SHA1
43cced7fd47a8571d2f8cd06a557a76e9c59f6c5

SHA256
3a2161f3b912f752a5b81b5ebb03e15c09e5ead992a791f9f5a6d03f7b76d9cb

SHA512
178243649790d04195290994b2c37762b0cd12d5c085bf0c9870404e2e420f4889b9b8d365f8603881180e703e7244bb77dda2c97af8d9dce7a7f2b0256a2764

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
337KB

MD5
25fc2f4fd5fb885549569546fd304a1d

SHA1
e862e5bd05ad3b71a9f466796cfb41da041a7d5a

SHA256
b92b0a42f2c4534fbec77325fe2bd7f478b7cd32c9e1bd4475e62685f25c39c8

SHA512
aa5d358b7ba73bfd68d4df2426b1bfa0f1cfa0068158a749a08039c40b03ff7b2bde342791ce25d557eac8563a73ff4f0ebb4885d0ae5c6221e9afda28f8906f

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
337KB

MD5
1ec0044b5c757d644cc1fed9640e0762

SHA1
8b36815307535feed583fb52c744decf8749cde6

SHA256
6dbcc3d5f516368c758a124fc486030bcd2310a24b5c6a3915a33f835850ce33

SHA512
6582be0e111c7f857b770a0d98e54c03adb72871953e6758b255391d92df46644b4985bbfa83a384d84bd17a26789cfcd132f141e7b5f20c8caa60ab5a5ba4db

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
337KB

MD5
f85bdb8c9f99061afd7cccc7417458cd

SHA1
2978a2a2662adb55937cb67772e3e5fc0e8d868f

SHA256
803c4c68e4db3c3b0fcf079dbcda68a8a1697ae51157cabfdf1e797d2208fab5

SHA512
4d246b7db5edb13004629469cf93bf5962d11cfa2bc8b64ae7d378ed4e924fcf0b9e4744dd8c7bb50796757018892cb1a79f657a174ec9c8ae3f0ed3da44e13d

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
337KB

MD5
98a304f86387ce067122167d54df346b

SHA1
006098a9c3b626d5a13656f1c1124f367b59a833

SHA256
a47ce15c7e18269a03421d0d0f4abd0b5a33ef854c02198a34e3b831ac60a4a1

SHA512
d85c43050d7bf60f4cb2f306738a67d6fdb6526500fc96642b3d31161d4fd5ea2e9a01e28e12bab767c42690db774e8709fa4b0fdfdb99161db7c5eac147ea3b

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
337KB

MD5
24ae49cf0b0ab280b6ff496ae8ac2c60

SHA1
50a907e6f09ce6d5a25ec72ac1274a5f357670a8

SHA256
da9816f8c484b8316741f97ca55453f461a468db2288bcca8204f7cbab64ab6a

SHA512
4c30ef89bc810f9dc5202a9a92eb0db1380cb75ae603cbef79103cea4cc62d319db38c47492ca2e4e842739076f9b0b343947ac16cb3517af22783c2dd1e971f

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
337KB

MD5
b2bb4bd7462131ec9f2d7f1fc10ec6d7

SHA1
a4bd80a4d2a1b54d218b2056e0e6d0fc0ae7221a

SHA256
994e0fb69c8595e2056467bc8d299d02d3899c155b1720d07891177f1a185fba

SHA512
0710b7c9e81f62cae44279eec3ae8bccd50b8c705137e58e8193e659889a2e9901ba9af59bb46ba0a9e1a790e429aa655e18cadbe4fbef25db14f5939aecd380

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
337KB

MD5
b9fa5d00c58715ee967bdf0ba8ce5509

SHA1
1fbde60264f8880f994203afa55aed1aa8f43423

SHA256
ad86ed90047f133b6548fa7b59b0a12be0571cd61922614c44877c880e3be7f8

SHA512
b852544bf02e427c075ce30d270bf83d5fb947fd54cc7ae0e1d0bf3ee077742112fdb777e402c23cb49958fe87428ddf69d6edf53071411d5a76641e9c71f9c4

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
337KB

MD5
c7403b1b521f67492a28773deea07b7e

SHA1
834d72f4e458311224e2bfa37b0f8e92c2a0c8ac

SHA256
21644643f025d9b3f49fe5ebd4529256ba476b7beaccab26f6005f46d81a528c

SHA512
bd946ce4e6d753b1a14fd3c262dfe91bb89065cdb04501ced031c3c12382172d0fd65050b433400afb49c3b0d005b5387bbfe6b61caab4f0442c0fa89999c092

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
337KB

MD5
1a9bf9f04fab103d56040e5aac0201a9

SHA1
ca8a27e8b7cd73fccd92e68fab81ad916b31e24e

SHA256
14d3064708ec14bceba9b5a856f4b5c0e686076d3dd0d9ea1df2f40cd3b726f2

SHA512
1cf93b23080db3b298baa53bad665992b35f73e928f4014187f2479ecbf4d515dcb33105f7faf6fb125172bfa0fd0632a3e4107af897466021625e4e457d8227

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
337KB

MD5
a90dcb0ec82afef95bd1dc1e217e5f5c

SHA1
3c1e923ba931fcbf5d84cc425fb093ad7f450d62

SHA256
979859adcd26a4a15697c2c04c82a0bd5be5d8efe8778eeea374ead1e53abbec

SHA512
7bdbabb51834ecc2c363cc7256019ecbd786ed3c4f5aee7ba5a88526a52f2db3f556742fb397093994621209918c37e762dd968b48c66028a6ae42c5468c5c74

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
337KB

MD5
77ab09918aacd92a35f053b77339aaa6

SHA1
2db1af74d68f97ee1749693226255a8cc2ba4042

SHA256
82b3050b7d71020eaa59c2d43098137728de2b941a87aba7802ff5faec014879

SHA512
9fce84ceed46e289cdba14de9c783a84ef8babc7bc882b61065aaee3ba5bd1e4db7f193d5c28c8817af69238e12ca01261e1fc4f2d214e1279955ccb64c25f3c

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
337KB

MD5
068cbb23d52bc2197059236d61916e18

SHA1
49695172782b10fa19f0c552615a4a1edbb3d0f8

SHA256
b8ab3e4a43636c568391581e59af40c49a2857479edc8a6f3b28a71cce21d780

SHA512
67d92c4c5b4723f967f9fae28300a85c8a30140af9f76179cc1c9913b7bbae4a1edc748a1e4556f20c395ab658134b0c12d25861d512449b569ef3d2230f8f22

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
337KB

MD5
2192cc420e5d8cb5e96c03bff9c58bf0

SHA1
c90718441d8c07a10ff00e11a5f3dc4f9dbbf70b

SHA256
74bc613dfdc4923d5cb7f66f96918b1d5d019dbb82d5b17c2a6a499ff6aa3d50

SHA512
203b927af9c4edf965e904c75a7e63fe8913e7e222be1ea866c83e3f45a9489cf2fd181f2e27bfe6c5898d5790549a191f1df0639d06b2efb983ce61292026af

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
337KB

MD5
2a74cbf661e08ffcfa75078c8633d76f

SHA1
e8a17516107c893478f43595e252f574b5e74cc5

SHA256
94fc45d46e63785cd4b58924dfc12755e5c85a4f2b647b71bd27fae126f6eb06

SHA512
985ad5bd02b769ce50d1f76adc749fa4394799e6f0c263bc0b8b01d2584c5274af548085437d95a0a2ec4727913917f2ad53036c46316c9bd6f0fb17b27b6d1c

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
337KB

MD5
7bdb6f000559abd190ab7780935691c1

SHA1
020beefeb0cba243c5768e3997e5bfa08fb97091

SHA256
a7fd5af0d7abf45d01c17ff6f249a70a9ab8c59d020851fc789459c725c2926f

SHA512
fe394d5b5806b6d10fc3672b245b7adaf5bb6f00668a57249a2548fa9ea87f4580320ba8f82a665c5468b5852f5e2a10309fe667e231011b013997f011a0b14d

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
337KB

MD5
02725acf0b5d0fc6a98a9d37b01c37de

SHA1
cbdeaa5d826249ef553401836dd3eee937eaf56e

SHA256
34880af2cbc7120461f818dce3a9927651832d393bc597c5ab527394847fb50b

SHA512
0eb01df8e07d002e62cd9a1c949045e6573508941e76b35243747fcc5bcd38e97a2002c6c46c2bfce056ca656a59c3f8384f72ccbb858bbb407771767c7f1c00

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
337KB

MD5
a76461eb53989e74261f57dda65fe93b

SHA1
068c34b22a1a707d8508993ecd2b10ebfa1877a6

SHA256
48856285020a83ddb2e7a9481ed742f6683d791c1ef74689dd4d26c623a4f630

SHA512
bf0b6af64bd6b69516bb4e5a9e6c8c224fab10bb2d032e83aefd8880f17081aff42a007c8158a4d490b258dcba6498dc01afdc044c946b23ee1b248c70d71e91

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
337KB

MD5
135b24d72f5fdd67c7e8aa6006b46842

SHA1
bf8e286f15ab7354aeab0f61c827cb693dbae889

SHA256
cba14c79310b9a8422e7cd94e5f04e2cb2479f967e36db2c39886e8c6554c6c7

SHA512
734b59bb85fe1c9bfab3b265ea62c9383e2a09defeb0184cd0a635f1e4047b01d3e6955c289bb99867db153df943868e77668907daa885c388779625a6525a38

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
337KB

MD5
f7a9126a18ac5a97bba7170eef9f771c

SHA1
b1fe1302b415197dd5f473b1ef9546667e40133f

SHA256
d8475d6e891fa0a8e8dba2b9764e58e121e37fdd6f9bd79831bcc6be0c283b2a

SHA512
93bf7811ba9de28f0365d8a4a6469d5c735879fe4d049a26cf23b1076a7b1f905a9a71efe3e48e1142713566c40acfd23f7aed471354d6f609a46597aa0e263b

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
337KB

MD5
22dfa3f7b80608cc8cd86c32ae29176b

SHA1
a0fa8cdb7669f0b3ada47905811f175a89cdf550

SHA256
292a32feccb7546266fdab46bbce69437e1b7948ae60e6511ecdfe2bce87ebd6

SHA512
fe6b4a601ef2b0973becec7b66edbd23ab714a65301becc98e00a2480e10e5276c2e78774b4613a332dfc7d96e3b9977e3c8abb17fc610e4dc990ae59548de5e

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
337KB

MD5
812d18b8aaf777fbf6acaa529e71ba20

SHA1
0a18dc5d69bea95fedb77a074db35821449709e0

SHA256
88f576a5e5ef221711ba7df94ca9476c398624c941900aa48e5671b26b8d8d20

SHA512
b6460700125ac679cc623a1100b68ced3e987cb57c8fbc562183f6e7d66eca6fc1d9ea13fe7f942af83acac5fd77255a04d8845c2078517afa5d853ac6cdbe3d

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
337KB

MD5
a2458ec00fa987f5697eedb974828d74

SHA1
a4265b5ef3bd60206db3e752e85ac5ad2f0c9460

SHA256
8aec8431177b8bf6e2eaae2095f7a1bbf2f9eb9ee185307fa4f11e52bf44fc71

SHA512
c7851056b701258a895c8755e7565dd75fcb000c2fa37b6e0b4c7733cb09fd1a9379ce4359ca78bd0da7aef74a03bfc6872dea94439de4fb27d94b8a1470f275

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
337KB

MD5
28a012abe6b0a4e6e5bed3511a98e04d

SHA1
cce1ef42cf28395edb7536e6c96ed627f5ad2e49

SHA256
dbf97af225cb233038450b084e98702bafcd0284e740a0ad52a3ab10db658517

SHA512
2405685f31397437e5057b6a50ad4d8881a7ce46db1510afaf4a922b9d450b2f8270c989e644196106b6713b78e58f0d72efb8499e5c3904c21c79e836db08f0

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
337KB

MD5
f0d4bcda1e761bba1b8ba3718e3cb9dd

SHA1
2ef6acc5197f20d0d18a5482da9d752b77998e55

SHA256
9a8d32f1e928c59113f032dca0541337b4cc6dd2ebd842d9bb1a8f8c9c73b935

SHA512
a2bb98ca2a7abd9a0e529e980b187b0a03e2af92938c726883cac30c01ee6c668157cb57db5d79a0615535fa86d56679922ad3d8c8a3cee1427d4a25f1dc1339

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
337KB

MD5
63d7ffc9250279485c6b90746df1f010

SHA1
dcd96c00dd1b84f612c474fe5335f5cc0e9a5348

SHA256
f63f90ded9e2688f7a4bec2d5839b021660f0d5d94c8bc5b9a28eea02d46dd51

SHA512
66f7e82cad7dab704edb37e0663889ee77c6b5a8cf2ab4c467108acaa7fea8fdab177fa9e0118681e5654e12905ec41369822f18b106ec2ec8c50ff66fbebe67

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
337KB

MD5
0c5b2a9a567d91a20bddf2af2d6a76fe

SHA1
6463e7f1f2ec4cb52b61cb6fec92c635ae1cdf64

SHA256
670ee34031268de74063150f0e9fccc0d6f377b509535ff74cbdb0bfa83a352e

SHA512
39b41b5e2195077c48fe96c08119bfca2838af7aa7d3621aebdba1b0f6544e2e6edf6c0d497ddfcfad7ee1f8bb1fc8fa0496b191b9566beb78dad78ae27a28c7

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
337KB

MD5
e7927e0fbb2adfee3c209509e526b68f

SHA1
b5ca80faf6573ec153ccd1d2dbe10082a2ebe2be

SHA256
8f3cb79f4c15d53b70ce7494094fadc5a54fef4de0fd239d363fcacfde9d5bac

SHA512
1a3ce0a434cf0d9b9c47fb8a5e9f0bd2ba41c234de067a16876571fe3f3d5708ee42ff6202c5b57bf2e69098f4cd2586d36e6dee4978504a20ea0986f2bb6b6c

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
337KB

MD5
7843db74ca67d1bbca6941d4abbcba02

SHA1
e694c2907c28250df17f7cfb9f13117f9a6f1b8f

SHA256
772a8f61698335ec801c5bce766fc4a1919deeef53a886f35111399a4af2ed55

SHA512
d2b22583179a8fc87c214357d35cde7fa444707c470b90382470b406df3ab681ce87ee19418483a36e5d4e02744d622acc3bb2b26f118c1c0b510909b8dc5fab

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
337KB

MD5
6b68dc9da699860bd06375d23f0cccef

SHA1
2ff150b876b9b1a51ad330b81c4fbe6bb0c90c7e

SHA256
32d373d4e55bab6d0d349477b4c724a787e4410efcf453912bf4976c3f8435df

SHA512
6259c603465feeb5de43187f35d3b44813509bb647bdc3be6bf3c4279e1abf6d4529bd82ca66a55710011a050457c8f4da571cb99ee73d3bb50a82ede806ad98

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
337KB

MD5
e1b60f3af79fd4619cffe1ed497c91b1

SHA1
63fd4a826c7d6ffad5b16a388d3a513bf802ea81

SHA256
be7f311227570bbfb0d90b5968a3b84a0c772cc07274680f3bfa6abf1939e790

SHA512
e16a7e6286648bb012f6cde1da412da2bbf25ca6c22fd109883df86b71082ab4a7ba978b89e1dda2821bf15bd77801fd7e045f2e6c641c759385473021358241

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
337KB

MD5
1265c9c734fac9870b3d64256e79f4c3

SHA1
453fee5aefb02b89a5fbf664715457f9b5cd4607

SHA256
941cc66fbfed2ef1e4d17aa2f0adb1df549c0d33c2b56c1640461ee4bd42cf82

SHA512
38657671d45de5d08e5651bef5d71936249c19c62eea5c556d170cf9609e6bd4cfffa52c4929f209f6c1285baab59d108fd032fee1e1c5ed0dad4664b736bf4b

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
337KB

MD5
82ff84061e88d9b7099a74fef896597f

SHA1
351af4e065c53ed21f1dacfbb2c98c4d2f36a5f8

SHA256
1b1dac5b2d2b650042fb906490ecd8436b19041e9a43a5aef958f848aa5a0230

SHA512
fb1745777b68cd1eaaaa70dc3c292d9ba617beedfdacb6e484b0cee409b746c2bc516325c60915649664eaeda6585f80a63a5d9d4ae0ca57869cf201b0cb9680

Download Submit
memory/224-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/340-628-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/340-60-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/428-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/636-214-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/768-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1012-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1072-158-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1132-174-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1144-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1168-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1172-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1172-629-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1292-69-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1300-166-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1348-182-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1396-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-94-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2008-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2176-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2268-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2280-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2312-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2480-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2576-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2656-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2680-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2680-549-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2820-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2856-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2856-624-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2972-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2992-538-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2992-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3048-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3144-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3284-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3384-246-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3448-150-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3480-633-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3480-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3680-631-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3680-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3708-620-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3708-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3844-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3884-118-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3960-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4000-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4120-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4148-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4184-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4204-229-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4380-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4532-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4572-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4604-110-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4632-547-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4632-9-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4652-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4792-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4836-190-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4876-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4880-237-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4904-635-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4904-24-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4908-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4912-85-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4940-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5068-142-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5128-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5168-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5208-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5248-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5288-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5328-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5368-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5408-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5448-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5488-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5528-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5568-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5608-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5648-515-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5688-521-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5728-527-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5768-533-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5808-540-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5852-546-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5892-548-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads