73744d65a156f1a0208dd6058ec6658530eb0a868bae7737a2820a11de64fdc9

Analysis

max time kernel
105s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f70fd3ddab3bfea62d29a7329890930N.exe
Size

395KB
MD5

4f70fd3ddab3bfea62d29a7329890930
SHA1

dbbc84514a199708a65fae0706c4e2c969489a11
SHA256

73744d65a156f1a0208dd6058ec6658530eb0a868bae7737a2820a11de64fdc9
SHA512

d383d0efb9bc4eed44d54c844ad9a852877d37b197cf3360367e77bc58dcc8cffb517dc7017b7c18170b4bac64620bb0b6be23d07bbde546cd084a245b2489e8
SSDEEP

6144:VeMaVnirfs4y70u4HXs4yr0u490u4Ds4yvW8lM:VtG4O0dHc4i0d90dA4X

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	4f70fd3ddab3bfea62d29a7329890930N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe

Executes dropped EXE 64 IoCs

pid	Process
3560	Bebblb32.exe
2792	Bcebhoii.exe
1268	Bfdodjhm.exe
3820	Bjokdipf.exe
712	Bmngqdpj.exe
1452	Beeoaapl.exe
1028	Bchomn32.exe
1092	Bgcknmop.exe
2876	Bjagjhnc.exe
2004	Bnmcjg32.exe
4724	Balpgb32.exe
3164	Beglgani.exe
1120	Bcjlcn32.exe
4528	Bfhhoi32.exe
3660	Bjddphlq.exe
3996	Bnpppgdj.exe
4524	Bmbplc32.exe
744	Bclhhnca.exe
2656	Bhhdil32.exe
648	Bfkedibe.exe
1356	Bjfaeh32.exe
1840	Bmemac32.exe
1368	Bapiabak.exe
1468	Belebq32.exe
2536	Bcoenmao.exe
2120	Cfmajipb.exe
3636	Cjinkg32.exe
2488	Cmgjgcgo.exe
2848	Cabfga32.exe
1952	Cdabcm32.exe
4380	Cfpnph32.exe
4448	Cnffqf32.exe
1772	Cmiflbel.exe
3776	Ceqnmpfo.exe
312	Chokikeb.exe
2264	Cfbkeh32.exe
4800	Cnicfe32.exe
440	Cmlcbbcj.exe
5108	Ceckcp32.exe
2992	Chagok32.exe
4544	Cfdhkhjj.exe
516	Cnkplejl.exe
680	Cajlhqjp.exe
4072	Cdhhdlid.exe
4928	Cffdpghg.exe
4484	Cnnlaehj.exe
4384	Cmqmma32.exe
624	Cegdnopg.exe
2228	Dhfajjoj.exe
2104	Djdmffnn.exe
5124	Dmcibama.exe
5164	Ddmaok32.exe
5204	Dfknkg32.exe
5244	Dobfld32.exe
5292	Daqbip32.exe
5340	Ddonekbl.exe
5380	Dfnjafap.exe
5416	Dkifae32.exe
5460	Daconoae.exe
5500	Ddakjkqi.exe
5540	Dfpgffpm.exe
5580	Dkkcge32.exe
5616	Dmjocp32.exe
5656	Deagdn32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Mjelcfha.dll	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	4f70fd3ddab3bfea62d29a7329890930N.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Jdipdgch.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Bchomn32.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Bcoenmao.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Balpgb32.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	4f70fd3ddab3bfea62d29a7329890930N.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bfdodjhm.exe

Program crash 1 IoCs

pid	pid_target	Process
5860	5772	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4f70fd3ddab3bfea62d29a7329890930N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	4f70fd3ddab3bfea62d29a7329890930N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	4f70fd3ddab3bfea62d29a7329890930N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djdmffnn.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 3560	4596	4f70fd3ddab3bfea62d29a7329890930N.exe	84
PID 4596 wrote to memory of 3560	4596	4f70fd3ddab3bfea62d29a7329890930N.exe	84
PID 4596 wrote to memory of 3560	4596	4f70fd3ddab3bfea62d29a7329890930N.exe	84
PID 3560 wrote to memory of 2792	3560	Bebblb32.exe	85
PID 3560 wrote to memory of 2792	3560	Bebblb32.exe	85
PID 3560 wrote to memory of 2792	3560	Bebblb32.exe	85
PID 2792 wrote to memory of 1268	2792	Bcebhoii.exe	86
PID 2792 wrote to memory of 1268	2792	Bcebhoii.exe	86
PID 2792 wrote to memory of 1268	2792	Bcebhoii.exe	86
PID 1268 wrote to memory of 3820	1268	Bfdodjhm.exe	87
PID 1268 wrote to memory of 3820	1268	Bfdodjhm.exe	87
PID 1268 wrote to memory of 3820	1268	Bfdodjhm.exe	87
PID 3820 wrote to memory of 712	3820	Bjokdipf.exe	88
PID 3820 wrote to memory of 712	3820	Bjokdipf.exe	88
PID 3820 wrote to memory of 712	3820	Bjokdipf.exe	88
PID 712 wrote to memory of 1452	712	Bmngqdpj.exe	89
PID 712 wrote to memory of 1452	712	Bmngqdpj.exe	89
PID 712 wrote to memory of 1452	712	Bmngqdpj.exe	89
PID 1452 wrote to memory of 1028	1452	Beeoaapl.exe	90
PID 1452 wrote to memory of 1028	1452	Beeoaapl.exe	90
PID 1452 wrote to memory of 1028	1452	Beeoaapl.exe	90
PID 1028 wrote to memory of 1092	1028	Bchomn32.exe	91
PID 1028 wrote to memory of 1092	1028	Bchomn32.exe	91
PID 1028 wrote to memory of 1092	1028	Bchomn32.exe	91
PID 1092 wrote to memory of 2876	1092	Bgcknmop.exe	92
PID 1092 wrote to memory of 2876	1092	Bgcknmop.exe	92
PID 1092 wrote to memory of 2876	1092	Bgcknmop.exe	92
PID 2876 wrote to memory of 2004	2876	Bjagjhnc.exe	93
PID 2876 wrote to memory of 2004	2876	Bjagjhnc.exe	93
PID 2876 wrote to memory of 2004	2876	Bjagjhnc.exe	93
PID 2004 wrote to memory of 4724	2004	Bnmcjg32.exe	94
PID 2004 wrote to memory of 4724	2004	Bnmcjg32.exe	94
PID 2004 wrote to memory of 4724	2004	Bnmcjg32.exe	94
PID 4724 wrote to memory of 3164	4724	Balpgb32.exe	95
PID 4724 wrote to memory of 3164	4724	Balpgb32.exe	95
PID 4724 wrote to memory of 3164	4724	Balpgb32.exe	95
PID 3164 wrote to memory of 1120	3164	Beglgani.exe	96
PID 3164 wrote to memory of 1120	3164	Beglgani.exe	96
PID 3164 wrote to memory of 1120	3164	Beglgani.exe	96
PID 1120 wrote to memory of 4528	1120	Bcjlcn32.exe	97
PID 1120 wrote to memory of 4528	1120	Bcjlcn32.exe	97
PID 1120 wrote to memory of 4528	1120	Bcjlcn32.exe	97
PID 4528 wrote to memory of 3660	4528	Bfhhoi32.exe	98
PID 4528 wrote to memory of 3660	4528	Bfhhoi32.exe	98
PID 4528 wrote to memory of 3660	4528	Bfhhoi32.exe	98
PID 3660 wrote to memory of 3996	3660	Bjddphlq.exe	99
PID 3660 wrote to memory of 3996	3660	Bjddphlq.exe	99
PID 3660 wrote to memory of 3996	3660	Bjddphlq.exe	99
PID 3996 wrote to memory of 4524	3996	Bnpppgdj.exe	100
PID 3996 wrote to memory of 4524	3996	Bnpppgdj.exe	100
PID 3996 wrote to memory of 4524	3996	Bnpppgdj.exe	100
PID 4524 wrote to memory of 744	4524	Bmbplc32.exe	101
PID 4524 wrote to memory of 744	4524	Bmbplc32.exe	101
PID 4524 wrote to memory of 744	4524	Bmbplc32.exe	101
PID 744 wrote to memory of 2656	744	Bclhhnca.exe	102
PID 744 wrote to memory of 2656	744	Bclhhnca.exe	102
PID 744 wrote to memory of 2656	744	Bclhhnca.exe	102
PID 2656 wrote to memory of 648	2656	Bhhdil32.exe	103
PID 2656 wrote to memory of 648	2656	Bhhdil32.exe	103
PID 2656 wrote to memory of 648	2656	Bhhdil32.exe	103
PID 648 wrote to memory of 1356	648	Bfkedibe.exe	104
PID 648 wrote to memory of 1356	648	Bfkedibe.exe	104
PID 648 wrote to memory of 1356	648	Bfkedibe.exe	104
PID 1356 wrote to memory of 1840	1356	Bjfaeh32.exe	105

C:\Users\Admin\AppData\Local\Temp\4f70fd3ddab3bfea62d29a7329890930N.exe
"C:\Users\Admin\AppData\Local\Temp\4f70fd3ddab3bfea62d29a7329890930N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Windows\SysWOW64\Bebblb32.exe
  C:\Windows\system32\Bebblb32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3560
- - C:\Windows\SysWOW64\Bcebhoii.exe
    C:\Windows\system32\Bcebhoii.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\SysWOW64\Bfdodjhm.exe
      C:\Windows\system32\Bfdodjhm.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1268
    - - C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3820
      - C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:712
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1028
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3164
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:648
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1840
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1368
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1468
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2120
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3636
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2488
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2848
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4380
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4448
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3776
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:312
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2264
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4800
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5108
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2992
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4544
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:516
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:680
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4072
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4484
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5124
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5164
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5204
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5244
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5292
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5340
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5380
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5460
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5500
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5540
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5580
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5616
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5656
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5696
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5732
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:5772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5772 -s 396
        69⤵
        Program crash
        
        PID:5860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5772 -ip 5772
1⤵
PID:5836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:5164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Balpgb32.exe

Filesize
395KB

MD5
4f6e4d379ed89c02c40ee9dde1e93ed7

SHA1
a4a692e8d7f7a4cd26741205e9be7ec48afd4082

SHA256
90e8687694776ce5d1a16ec5101fc9c9f29f832d3aa366e4bc144f9a1f52446f

SHA512
f8a2fd0a2a3b4af6d0e0993747db752f408c6c26d50c00f4ed6632caea2cc18b13b5a9702672c24ef762c7418d91120a92a9a95994749b8962defddc978a483b

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
395KB

MD5
fbf410c3601408f9367405b9ee684fa0

SHA1
bb9c1dfd7c96f3663e4777c41f0ed1e5573b3a51

SHA256
3e19398dcdf85fbd6671cd58e464d9118ec41c6e6ca9be1c4cbd577dae0a2c45

SHA512
873a419f6ffe9358b710f2193aaa16eadc3ac4a4a9403df57dc9f92b7f2846fc484c3130dcd774b5100456b8e7fcf1274984fe4181e27dd403e4e8d092cc6483

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
395KB

MD5
83ae0f9d814893333e3e1a697ebb77fe

SHA1
7c39ed71766540e020fc7f486c368bc93e874b07

SHA256
8fb9b5def26e5780fdf033119f292d780b76ee468e1894820be148c9ff354faa

SHA512
1bf45880f3b6076f7095c5e88a75c3ca4a1e976e9ba411a5098239143d06589f43601651927873b4a0d61da373fb1181b771484cdf96ca9c99b48b42bf6567a5

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
395KB

MD5
ae8eb6ab0618c276b1361cb87a2d53f5

SHA1
e1c88a73eee28cc2385eed5dd9ceef7ff49db4df

SHA256
52a1cfa1b39352ec5a4027df1c60cd1fb3a6a4e861ee45d50714120b9e01f5d5

SHA512
65bb6d5b11d45dd60852b780f7cd46e6abd67a27ab9781d669aeefd6dcd23d5fdc2f21fd5b10fb586acbc7220470565b90bfb74a634b4aa9ef7cba992ccd7db0

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
395KB

MD5
b5f299cf4cb29af7799a08afa7ece85e

SHA1
badb533811c2ecb996b376b234df11c27bee708b

SHA256
bd1e38daea494428d8540ea331d9638a538fbb085545b293a9b7f2953a7cf91a

SHA512
de47decf82f4b3b5a6cddde86d8b70581c37df3b500b07bdc0896677818f2d6ed1b59260f04ecbf75a24031387bd6d433fdeb49e7ca2a159470eab8cd6506bbb

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
395KB

MD5
c0649cc63f631a9c0f12609241a61b8b

SHA1
a7e95abf841b9ff048c0233afd80ee41fdc82a9d

SHA256
d844b19d9c72bb0b153d157a428588c88b2957a10a5755707b9f941aa34a9b65

SHA512
8555700e157102cc6f55752b5a3ebe4c15cf347cfb4990fbe061169ea22c715de37a24e6d78677da1d047f58ca84ebe8ccf5f25cb1b75ff7895df83f3c32efd2

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
395KB

MD5
e9722c3cd9a407ab50fe041c38182dcf

SHA1
23b588f26a257883e71fa082336188fc16352f41

SHA256
f1bd4635bd3b2c794262143e4e7f7fc136db8841f06c9a6cbdf171c89e080538

SHA512
1cb8b341eb3920f891e755cf74f6b9b601037631150e2decfb55415d3708822d21438ced4af1a764e0833275f4a2bd9bf2343a18fc6a1a56fc17c3a7c4870009

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
395KB

MD5
a25fd47acdc06c4554e665d6df7e43ac

SHA1
ade682941fb7383e4cfa4f11bafa71a40d5f529a

SHA256
cda8f528e3799ad23f53ed38c666abc8c65bcab342c3177c900133a29c0698ff

SHA512
119e8fb864f21f124a74155d95f83868e7dbe5f99286e53940079ce169eef7e54fd34d126d3c59fcbc13c2e57ab7f035409c41a5e288fc802b7cd0fcbf3a3819

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
395KB

MD5
2f064c6bd1d99ab125dab10f081c4f4b

SHA1
1165302e0472fa3681d8c7bfa88c0dabed980e65

SHA256
0e9ebc83ec430fef5d362fbaeef55fae0ee4f102ffe8dcc5f6ed3f0286cf595b

SHA512
3239c47de15f3d779d19afbf1e4487caec7f18c54019ef45629b98d014600014c209f5f1b0c0d598b02116fc7c73ae02ec993590643bc0b2b6d8a168b346fa89

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
395KB

MD5
68f3ceedabe6a08a92d77fdb6b198b94

SHA1
9b9447c564aca45715862051af3bb22f176662e6

SHA256
041ad59e9cd0881ba31d2ca4baceaa42fe5da67c2a5d9e5d44c11df32ca3798d

SHA512
4a1547c2a34e5ce1476451b85f98d5b1800e894c0bbec8cab965314034096d30e8a6b561bad818de306e00636f88f2f8559a86da2ff9063fd108ce716cc8da63

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
395KB

MD5
9c69ca8f090d966bd0ee17de1e0f1697

SHA1
ade16a9ae2da4dafb70f901a62ad55694a2e130e

SHA256
99eef636aa10358049d958415e5eb86a41c60eabad7b84843e34461674497da3

SHA512
5035303f83eadf372cfc1f7f101e90d074de4e3376765ea4da54be6dfbf5d3106f4a7699de7733cd34066492c2fe844ffe22a7e1d444602d0b8ee5521077e32e

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
395KB

MD5
7e734704ddbf3d49ee6e656924082fb7

SHA1
201f795b22475314838d1eceea40103d39ff2eb6

SHA256
1eb5709c5e712bd7f289f6cc91f09c567375b170a95ce77a46f07978e8c02522

SHA512
bb64075e67d9f874f87604646b8f74eb3dda628fa710c0f69eaa2f7de863358482b4299b05688c19090972725cfcaabe426f44d74b308e1e7c209521c3e849e5

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
395KB

MD5
67f0d544cbdc8c1b875f57e175c8b6f4

SHA1
ca7d27d92d81f9d773e74401e46b1b7d97fde3d4

SHA256
214802f9ed7746d92c080a1b56f42fd2d22b883757debb1c20e7d6d8edba87fc

SHA512
9ed8e60d7586878faacdeaee77ce12db3015bfd0ee92e73b40064ca590565860bd6cb9355e31fa0fc4516eadcb7aaa2aae4218fd289baca8a9cc1027b0d3d1cf

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
395KB

MD5
3a308e1c4f3b264f552f2a97a98ad8df

SHA1
a84f95cd897b6fce5549e707a22a9e4d7d09106b

SHA256
5dc9732f5edc3ada5d6c5814859cc192d35af7066233d340b1b2289328633016

SHA512
224c60e27e77cf5943482905b12b19c71b1a1bfee2f35b078f12683b773c1234717861bcd19bf61ae7d02dcf59d7bac8741a0a2bc22682d803403b9b05d42d71

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
395KB

MD5
793c1b63a8fb0d30fdb03ef468e5bd96

SHA1
2c4b9caa210547b98cddf45cadf30a731f8edd7b

SHA256
51859c99790ff944a7a8aa08e624ba1280283efad13ee75f696ef43e527d2b09

SHA512
9aaff6576bd1aaf24a92f85c4783505ba1dc54ff4835c243a0e32a8cdc0ed2c1210dfd427d82ae455b6d3b394fd615a334d00a7a2028d30dc06c50379e7ccfc1

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
395KB

MD5
610948a246b65a98a2e41dfa6a809634

SHA1
86d56ab9b0d1c34c29dcab45e8ba3498fa0935a1

SHA256
ee4fe147d55c78b7fb11289ed9928502bad84cb5af9cfa56df3c571c756605dd

SHA512
1b8a4b4a4f2951382dd1c2133b74256b0b3f124727ae7279f660bd235bcd99e8cc9cc90d59a86893892ca7360bd80a2d35da468684f079485bc64b2ef2f6a9e8

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
395KB

MD5
6ba9d68c92c9c49b2d3b5b17542f1ee8

SHA1
79fcbeca98026b09712d3465e1980d51554ca4cf

SHA256
b3ecdc26adaa9fe4aa8fc6a4b9cb3197ce60bee5d152fe4d11730685f326a972

SHA512
0680f52dddf75ef02266b7f204591e40b3dc6a6e59daad227685a87da29aaee372e0801417da12be3a92698191e11799d81b8bd3a280d5c709d45cd54db41f1a

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
395KB

MD5
dd6bc2353d7807c3fc84e90020aacd91

SHA1
487ddb91d7761b1c7f2496dea700fef685324728

SHA256
f80728f46abec2e64fba9bca47c2e1c1e9bf448163d66eb2a2ad3f497fc068e5

SHA512
e2eeb13913c9d2968649cb2a6c9243e323f19f2b4755893697cb645d7e8e02dd69533b3ec605b57a0ff10bc6e9956712fef6e9141d8e16e6b9ae8ca033ae0748

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
395KB

MD5
acb8247de1078fe7b123c13b012d7b5e

SHA1
49a1ae5e671cd845277bcce92a0780a1ebe46ec6

SHA256
21483290cd4a63fed4352aab3ab1031056e3207cdda1e6ac1b8f325beee89f9c

SHA512
9b839b008c5451e56b2d9af61e98a9db769b70c0acd5ee052d3e41c8d92f9b3cd8b31da92b1c6536d1d054f58f6575dd7858a6b3ec6816872eb849a438b90cdc

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
395KB

MD5
81f9625ebf95c680dad9204acc1d34a8

SHA1
579c00b4ef54a1bc082a8cf67a7f67f589da943e

SHA256
5cbfd98bd124a64df83a7a5ea1a116fbcac46d735ac29d5f7d98339a53cfb2c0

SHA512
ad09cc0d26b790db747ffe74ce9e1a26b5505714293eafece0c3bb6b81ac20704ad02019a95b6795e20b8eec568722674a260d84d59489c8235bc97c991286a4

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
395KB

MD5
1f6ad50d1fb6a1ec433061a7441799e1

SHA1
1d7465e61d920165950d2ace5cfbec11c077b4fa

SHA256
141846635290360f73ecc0dbc054e92a76af0b406e7c8a25e4378e0746c6f2a0

SHA512
f81a824bd21efae497f1c8595244e165c7ef9f5a51b0cbbecd252159f15254ab8d4c7a98804ad9fdf17deb486fc2ddd700b2bcd566697cdee18d3b6ca4746b12

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
395KB

MD5
a4ef340966134232aa5e21a0f4af8bd3

SHA1
dfd3006256c30bd800c7789fc3d963a7d486b6e4

SHA256
2109f1a8a3afd2d2349b5261a55c138b37e6d72bd80ceaed6e62b359aaa76f06

SHA512
d125e28863a2dfedd721b6d1acf4ac850d4c6a3f6531195b6f91636a16102ed7b1f6d122a4c86cb7784bc09ccf9186af4f1cf53a743a5981593102c2524112b9

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
395KB

MD5
f895864c11916dda68526a67efbc99f1

SHA1
ce46ff936bda7adbca440e2618e2254f7d154d47

SHA256
49593a37439707b6b8f3aa4def49be9d8be82fa9d45b5c7502d24d59adeb70a3

SHA512
8af7210a344ca981dbee2de53f5cf37ccd018c518ecfcf50c4aec5ba84f8d3b96688c344d44dfa4fc9a35dd44d9797814a4413727db426e8e1c40990094e459d

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
395KB

MD5
252c153f6bfa119e7b73e71f22031fca

SHA1
26e93d3bedf0babae4d4e485ac68c4aaf41bfb96

SHA256
bf5232b2a2773443208750b6f728f823af282bcc55ab02b871a86ff7ba162a92

SHA512
179df4630aa089204d13414a33efa308b68b05fb2ead0ebdb3642beb7ff2efe81ce331fc699b8d4f95669c6269ff5085e2ef9ba4b7bc6f653c629f7954e2bb97

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
395KB

MD5
d2410b11c95766b998a242d741819ce9

SHA1
11b5292b5384e0bedfa5b58fc8131ef2787d9750

SHA256
56e4faba0a022f13b6b02f483946c1f1ba41e0d06e442389720426abe62a5a4d

SHA512
26560f4da181fb9d3a02385f7851af6a44fe408e844a71ca06c605cba25a11a275e9241babd11338d4d691b89ae9d4f7b014f3f9dfdf949edb6097a74175aa5f

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
395KB

MD5
4fc89be6e58a99113eb640dfd29e044f

SHA1
bd0e52d80e292be6e261a8fa1130f0719c875422

SHA256
5f5fff14c52aff7f3a55d7ada9c2c4796db5f6a746cb0938cb966bab8b80984e

SHA512
5b655de3c26e16e2314c5fceb26629932d9902dcc3245e6bbdae85c51b6f3403cb7ea9589f769b7de7fd642e43f1a9b6d8ca39524356eb10a4cbafecd53179e3

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
395KB

MD5
2bc602101c7689ad945ffe02d1ad3d83

SHA1
7c290f07844fb2b802a616569a989095d4fbbd54

SHA256
c4066a20be5cf4ee211e5382d580678c04844a9e0a40f189fff9978587a9536d

SHA512
2275dd30e28c72d4f7f132ff411836e01b325a564ad1848f86d1afc86ba6ceb6ae23cacf0ae38c6b29ddaf058a0fd1780273934dd8dcff2f00dd9e360eed59da

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
395KB

MD5
f53e7a7ab9f900135683c86a3d155191

SHA1
bcf2b099d70cda5e6f51a08f261528c116acf4d6

SHA256
780668e4280c92c302252f7abc5e7c9ac2a56b98ebe235566429448c1b92286b

SHA512
9eab0ca8fd1e3facabb4ad1ee6ab8520d7e90c44f5d2ed8029e0165c78c27f5943f84e037ab7a8214a5ecc93096504a35c421dd4ac6dc17d0fc52af6cc760e93

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
395KB

MD5
184d53cf60506ae7e59f830ce3f75c74

SHA1
d35230b3f99c17e2c4378531e8463c5b7e1b63b9

SHA256
5292b42d3dd0db9d262d00e44523a0bd8a21df568dfd345b168fd64fad8eb792

SHA512
901915f267bd86ec99f34b07a0fb761411820bbbe5adb00e60c985a83685d65d01cf34056a343374138d04dcbedd9896494b02477fdf825fce8f4280f65a6081

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
395KB

MD5
ee61e50796841c812434748fc151b622

SHA1
066180f63143edd19b814c562d863005eebfc0e5

SHA256
d297ab959095e7a3bbb94a5a9208e9b690432018bcb8635117482bc47e9d4f71

SHA512
6c93493ea8f6fad9c2df3e2ff1b37bfed797e123dafc277dd5921c6ac1fd9163f9170f7940badab15d34cbc9f76b65369e030aa2d95733fede27b09edf2676dd

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
395KB

MD5
9b2e24fb077a37883cc9fc982d40aa36

SHA1
05d106ccc7b6b78f938774e446aa1ed761cbb20e

SHA256
bbb16eabb1c0b8db415132dee54b2a107d5b6a436e4ac515b38cd900f338d851

SHA512
aaa3cfa0a8d515cf885bdb0449974c9ddb28b5e7751b180564b9888271d68530349fba09bcc2a7605cafaf32b49e3a8f469eb02810a659ff431340b2b44c383b

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
395KB

MD5
46e2d02f26f6240f8693e8fa9cb61fb6

SHA1
60a447ece06004785c9e1f4301771948d02d93d3

SHA256
a8bf98f5943257258d216ad50f912c26abf810f676e5e8df02a55f8aba1c3c89

SHA512
90d1ffa439c67834391d0060361684f3f1f8cbcdb7af6b3b43d11c3b147fef6cba239b9e6f14e0147aa06379d0c8a63e2730ba1600a81f62a077da16914bf9a1

Download Submit
memory/312-276-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/312-527-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/440-521-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/440-294-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/516-318-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/516-513-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/624-354-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/624-501-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/648-165-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/680-324-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/680-511-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/712-44-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/744-149-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1028-61-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1092-69-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1120-109-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1268-28-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1356-173-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1452-52-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1468-196-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1840-181-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1952-243-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2004-84-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2104-366-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2104-497-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2228-360-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2228-499-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2264-282-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2264-525-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2488-226-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2536-204-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2656-157-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2792-20-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2848-235-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2876-77-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2992-306-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2992-517-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3164-100-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3560-8-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3636-219-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3660-125-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3776-270-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3820-32-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3996-132-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4072-330-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4072-509-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4380-251-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4384-348-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4384-503-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4448-259-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4484-505-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4484-347-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4524-141-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4528-116-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4544-515-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4544-312-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4596-0-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4724-93-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4800-288-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4800-523-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4928-507-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/4928-336-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5108-300-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5108-519-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5124-495-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5124-372-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5164-378-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5164-493-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5204-491-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5204-384-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5244-390-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5244-489-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5292-487-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5292-396-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5340-485-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5340-407-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5380-483-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5380-408-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5416-481-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5416-414-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5460-479-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5460-420-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5500-477-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5500-426-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5540-475-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5580-437-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5580-473-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5616-443-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5616-471-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5656-469-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5696-467-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5696-454-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5732-460-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5732-465-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5772-461-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5772-463-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads