222cc165faa8657083e038ed7a36742bf12a352dac55c7589cc59874cf5358c7

Analysis

max time kernel
103s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-09-2024 20:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

222cc165faa8657083e038ed7a36742bf12a352dac55c7589cc59874cf5358c7.exe
Size

89KB
MD5

3fb8837b4b638abcc1e49b5aa453723c
SHA1

a6b5d9030f930bf29fb37d86da0e93a0412ec4b9
SHA256

222cc165faa8657083e038ed7a36742bf12a352dac55c7589cc59874cf5358c7
SHA512

82307267b48e0da3ba6bcb81e96f49971da31839cf658cc91c5aab568b64c85e452a835e4ca81cdae3f93448b9414f4043befae70cd54c2369a5777b1c7afc1f
SSDEEP

1536:V/Wh1rAnEf6+1AWsScjroFfa4UUQ8NwyKmlo+xsRQKD68a+VMKKTRVGFtUhQfR1p:96B8aLMScjroFiEQ8/lo+ierr4MKy3Gn

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qcgffqei.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	222cc165faa8657083e038ed7a36742bf12a352dac55c7589cc59874cf5358c7.exe

Executes dropped EXE 61 IoCs

pid	Process
3056	Qqijje32.exe
4576	Qcgffqei.exe
4492	Qffbbldm.exe
3676	Ajanck32.exe
3952	Aqkgpedc.exe
3208	Ageolo32.exe
5028	Anogiicl.exe
2656	Aeiofcji.exe
2384	Agglboim.exe
1952	Ajfhnjhq.exe
1292	Amddjegd.exe
3544	Afmhck32.exe
3748	Ajhddjfn.exe
3920	Aabmqd32.exe
1944	Anfmjhmd.exe
2548	Accfbokl.exe
2500	Bfabnjjp.exe
4488	Bmkjkd32.exe
4880	Bebblb32.exe
4296	Bfdodjhm.exe
3728	Bnkgeg32.exe
4340	Bmngqdpj.exe
4928	Baicac32.exe
5052	Bjagjhnc.exe
1448	Beglgani.exe
2628	Bgehcmmm.exe
628	Bjddphlq.exe
4356	Bmbplc32.exe
540	Beihma32.exe
4480	Bhhdil32.exe
668	Bmemac32.exe
4924	Bcoenmao.exe
2400	Cjinkg32.exe
372	Cabfga32.exe
3772	Chmndlge.exe
3300	Cjkjpgfi.exe
4984	Caebma32.exe
2224	Cdcoim32.exe
5096	Cjmgfgdf.exe
4500	Cagobalc.exe
4840	Cdfkolkf.exe
3060	Chagok32.exe
2432	Cnkplejl.exe
4088	Cajlhqjp.exe
1864	Cffdpghg.exe
5040	Cmqmma32.exe
3628	Cegdnopg.exe
2956	Dhfajjoj.exe
1556	Djdmffnn.exe
5068	Danecp32.exe
1956	Djgjlelk.exe
2780	Daqbip32.exe
1180	Dhkjej32.exe
5004	Dodbbdbb.exe
700	Daconoae.exe
1168	Dhmgki32.exe
2284	Dfpgffpm.exe
2448	Dogogcpo.exe
4180	Dddhpjof.exe
1316	Dknpmdfc.exe
4536	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Qqijje32.exe	222cc165faa8657083e038ed7a36742bf12a352dac55c7589cc59874cf5358c7.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Ageolo32.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Accfbokl.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Aoqimi32.dll	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Qeobam32.dll	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Efmolq32.dll	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Aabmqd32.exe	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Bqbodd32.dll	222cc165faa8657083e038ed7a36742bf12a352dac55c7589cc59874cf5358c7.exe
File opened for modification	C:\Windows\SysWOW64\Qffbbldm.exe	Qcgffqei.exe
File opened for modification	C:\Windows\SysWOW64\Aqkgpedc.exe	Ajanck32.exe
File opened for modification	C:\Windows\SysWOW64\Ageolo32.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Afmhck32.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qcgffqei.exe
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Amddjegd.exe	Ajfhnjhq.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Bnkgeg32.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Ajanck32.exe	Qffbbldm.exe
File opened for modification	C:\Windows\SysWOW64\Agglboim.exe	Aeiofcji.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Afmhck32.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cajlhqjp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4224	4536	WerFault.exe	146

System Location Discovery: System Language Discovery 1 TTPs 62 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	222cc165faa8657083e038ed7a36742bf12a352dac55c7589cc59874cf5358c7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	222cc165faa8657083e038ed7a36742bf12a352dac55c7589cc59874cf5358c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnmfki.dll"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Agglboim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Amddjegd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqbodd32.dll"	222cc165faa8657083e038ed7a36742bf12a352dac55c7589cc59874cf5358c7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bgehcmmm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3624 wrote to memory of 3056	3624	222cc165faa8657083e038ed7a36742bf12a352dac55c7589cc59874cf5358c7.exe	83
PID 3624 wrote to memory of 3056	3624	222cc165faa8657083e038ed7a36742bf12a352dac55c7589cc59874cf5358c7.exe	83
PID 3624 wrote to memory of 3056	3624	222cc165faa8657083e038ed7a36742bf12a352dac55c7589cc59874cf5358c7.exe	83
PID 3056 wrote to memory of 4576	3056	Qqijje32.exe	84
PID 3056 wrote to memory of 4576	3056	Qqijje32.exe	84
PID 3056 wrote to memory of 4576	3056	Qqijje32.exe	84
PID 4576 wrote to memory of 4492	4576	Qcgffqei.exe	85
PID 4576 wrote to memory of 4492	4576	Qcgffqei.exe	85
PID 4576 wrote to memory of 4492	4576	Qcgffqei.exe	85
PID 4492 wrote to memory of 3676	4492	Qffbbldm.exe	86
PID 4492 wrote to memory of 3676	4492	Qffbbldm.exe	86
PID 4492 wrote to memory of 3676	4492	Qffbbldm.exe	86
PID 3676 wrote to memory of 3952	3676	Ajanck32.exe	87
PID 3676 wrote to memory of 3952	3676	Ajanck32.exe	87
PID 3676 wrote to memory of 3952	3676	Ajanck32.exe	87
PID 3952 wrote to memory of 3208	3952	Aqkgpedc.exe	88
PID 3952 wrote to memory of 3208	3952	Aqkgpedc.exe	88
PID 3952 wrote to memory of 3208	3952	Aqkgpedc.exe	88
PID 3208 wrote to memory of 5028	3208	Ageolo32.exe	89
PID 3208 wrote to memory of 5028	3208	Ageolo32.exe	89
PID 3208 wrote to memory of 5028	3208	Ageolo32.exe	89
PID 5028 wrote to memory of 2656	5028	Anogiicl.exe	90
PID 5028 wrote to memory of 2656	5028	Anogiicl.exe	90
PID 5028 wrote to memory of 2656	5028	Anogiicl.exe	90
PID 2656 wrote to memory of 2384	2656	Aeiofcji.exe	92
PID 2656 wrote to memory of 2384	2656	Aeiofcji.exe	92
PID 2656 wrote to memory of 2384	2656	Aeiofcji.exe	92
PID 2384 wrote to memory of 1952	2384	Agglboim.exe	93
PID 2384 wrote to memory of 1952	2384	Agglboim.exe	93
PID 2384 wrote to memory of 1952	2384	Agglboim.exe	93
PID 1952 wrote to memory of 1292	1952	Ajfhnjhq.exe	94
PID 1952 wrote to memory of 1292	1952	Ajfhnjhq.exe	94
PID 1952 wrote to memory of 1292	1952	Ajfhnjhq.exe	94
PID 1292 wrote to memory of 3544	1292	Amddjegd.exe	95
PID 1292 wrote to memory of 3544	1292	Amddjegd.exe	95
PID 1292 wrote to memory of 3544	1292	Amddjegd.exe	95
PID 3544 wrote to memory of 3748	3544	Afmhck32.exe	97
PID 3544 wrote to memory of 3748	3544	Afmhck32.exe	97
PID 3544 wrote to memory of 3748	3544	Afmhck32.exe	97
PID 3748 wrote to memory of 3920	3748	Ajhddjfn.exe	98
PID 3748 wrote to memory of 3920	3748	Ajhddjfn.exe	98
PID 3748 wrote to memory of 3920	3748	Ajhddjfn.exe	98
PID 3920 wrote to memory of 1944	3920	Aabmqd32.exe	99
PID 3920 wrote to memory of 1944	3920	Aabmqd32.exe	99
PID 3920 wrote to memory of 1944	3920	Aabmqd32.exe	99
PID 1944 wrote to memory of 2548	1944	Anfmjhmd.exe	100
PID 1944 wrote to memory of 2548	1944	Anfmjhmd.exe	100
PID 1944 wrote to memory of 2548	1944	Anfmjhmd.exe	100
PID 2548 wrote to memory of 2500	2548	Accfbokl.exe	102
PID 2548 wrote to memory of 2500	2548	Accfbokl.exe	102
PID 2548 wrote to memory of 2500	2548	Accfbokl.exe	102
PID 2500 wrote to memory of 4488	2500	Bfabnjjp.exe	103
PID 2500 wrote to memory of 4488	2500	Bfabnjjp.exe	103
PID 2500 wrote to memory of 4488	2500	Bfabnjjp.exe	103
PID 4488 wrote to memory of 4880	4488	Bmkjkd32.exe	104
PID 4488 wrote to memory of 4880	4488	Bmkjkd32.exe	104
PID 4488 wrote to memory of 4880	4488	Bmkjkd32.exe	104
PID 4880 wrote to memory of 4296	4880	Bebblb32.exe	105
PID 4880 wrote to memory of 4296	4880	Bebblb32.exe	105
PID 4880 wrote to memory of 4296	4880	Bebblb32.exe	105
PID 4296 wrote to memory of 3728	4296	Bfdodjhm.exe	106
PID 4296 wrote to memory of 3728	4296	Bfdodjhm.exe	106
PID 4296 wrote to memory of 3728	4296	Bfdodjhm.exe	106
PID 3728 wrote to memory of 4340	3728	Bnkgeg32.exe	107

C:\Users\Admin\AppData\Local\Temp\222cc165faa8657083e038ed7a36742bf12a352dac55c7589cc59874cf5358c7.exe
"C:\Users\Admin\AppData\Local\Temp\222cc165faa8657083e038ed7a36742bf12a352dac55c7589cc59874cf5358c7.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3624
- C:\Windows\SysWOW64\Qqijje32.exe
  C:\Windows\system32\Qqijje32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\SysWOW64\Qcgffqei.exe
    C:\Windows\system32\Qcgffqei.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4576
  - - C:\Windows\SysWOW64\Qffbbldm.exe
      C:\Windows\system32\Qffbbldm.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4492
    - - C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3676
      - C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5028
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2384
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3544
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3748
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3920
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1448
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:628
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4356
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:668
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3772
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3300
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4984
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4840
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2432
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4088
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1864
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5040
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3628
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1556
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5068
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1956
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2780
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1180
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:700
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1168
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2448
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4180
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1316
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4536
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4536 -s 408
        63⤵
        Program crash
        
        PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4536 -ip 4536
1⤵
PID:4848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
89KB

MD5
e9dd74ea579817c533e497903625fba7

SHA1
8f5425fe62eb3cb1d2997356fcb3fabca8fdeacb

SHA256
9a032392ddd686e52e41cee64d9906ca4fdc77b53648db74b08cb1aa12b0124d

SHA512
76bf47309a96ab3e1014fec4645ab45ef8daf748dba718defce684c104ed3df1443339738eedce03c330324e77368f6df1e77680a5da81067ddfee76a161ce72

Download Submit
C:\Windows\SysWOW64\Accfbokl.exe

Filesize
89KB

MD5
50bc6fb37573b39fc9fcbfd82ec094b2

SHA1
17d0ea85de6a20fdce143f88ab46bc52aff600e8

SHA256
6559ac51fd517d9754bac04605125852b5b76e5e342a373b167ab51edb13b687

SHA512
312ee61211752e0d3a7317f9c2bd7f82c38725249bc539ec17ede1da474e1675479425d66c205258d0f2110f2d706c257ccf90fd7600e9f4a82364f2415e2886

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
89KB

MD5
767da803a86a10de9c2ed5f3e465f2e7

SHA1
9fe29c4e5d3d9a771493754a1e538d7f773625af

SHA256
4519af824a5d8369661a879483792796b8c28157937594a8cfcdb42b2b75f536

SHA512
3a4487772167f63ca88553b2868eea0d04f7bee401bd6348d652a58b8896981fd51317cbb537fb6554f29deea6aadbba77534cad9750963b13ce4e0cc2813515

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
89KB

MD5
9e568343dbccf3f676b92cfd3e990687

SHA1
1e3c09e2cf173878a06c6439026a9c7ab84fb9a4

SHA256
0bea4558b6fb26bf9613c15f73da4a9480a748d6416ce7b390afdc31a1359a16

SHA512
5194cc007ed9de0bf502fe5a715f2017eaf3548a72ddad67ac3487bcd137ac4ffd1f798a8ef7d25d2aa1d364cf1997fb05e7c15ffa30c8b602d2e20de7b34c0b

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
89KB

MD5
5927c35519581b0695d1cdd12f93d164

SHA1
926a44f5458b7dd1afe40fd397f2e69415630113

SHA256
6c2c08797ed88a13452f6c5caa4ea779d93fbc5602102d3bc1a89728a38d91e1

SHA512
12256d77733a5abb9e509650f1d04c192b16f9cb636217a65765c690bd8b522404fbd81f687c50f0e5accb9ac9c70b25b1c22726831d756f8e9380e5385c31a0

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
89KB

MD5
8c9c0934eedc9c7632690908c9e91fc0

SHA1
ff077bc8b6cc808f9d2ebac2f79abff87876e911

SHA256
2af16fda102fa02034f55abba5c312544de1add7e2109bedd59f9da5e32e9d55

SHA512
3215e91466b1d0ca27d1c9d3047a44c0379cbce05cbccb22c00cb2fce8338ec0e3ee6a2035e074647d3e84067cc55b6250e4a1206babac34598867f19e1802d2

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
89KB

MD5
4cec71b3389ad15196ef0d966c138bec

SHA1
09469f95b7c529bac2a766957396bdfef1f3a667

SHA256
e4791fb68e360e0e572ba762faf6da6beaca41c34a336fb57e5753fb8680a129

SHA512
4d62bdb6554e52436a486a944851be999bf8439f80dfb27668314f1cded8e7b6a6622436bc01e5157cfc695d933b30df049619bbdd45875012c9a074879c2d2f

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
89KB

MD5
21b741f3a33afcbd34e6250096110ae6

SHA1
cda932874f7d79712408dcf056fa626d9b975447

SHA256
dc334675c535f0c19bf3b30223a349e2ad8635de767ff7aacb4f3db055ef8405

SHA512
527c6e9f8e0c49fbef87fde5aa98b914aac56925783886c2b77dddc3d9cc1b2d7b81f90360d3d948c0c8dd20379acbd96e8a5236ebdf26dc29a46629b38b4976

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
89KB

MD5
a609ecc637b7ab332a002bec75e9d087

SHA1
43ebfe7f443309bef35bea1105bcd86378255df8

SHA256
c9507e98c02f7188909451b0dfc6c673903dc6ef196ca14d97963f13828537fb

SHA512
d779f180acb3fb4a57476b7c4097550e59ed8d6691103820fed5e7da809fca12e1c236ceb0af489c4c8c7910b7227bb6d0e872ba42e1647179419826aecffcc0

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
89KB

MD5
66e245fd381c36fa1c7def062317143c

SHA1
0a49f704db284435bdbe231a86094898713a6d39

SHA256
8e13507210cb9922a9f7c7ad0bd54dfb272eb9569a3a443302bb88794c01f216

SHA512
e920af0d69a0e9515dcb507031548dc15a92df01d7f8c9466292e52267c5f4e90fbbefb14e42310d0bd61ce8765620d4fa64fd96b6421ea704331b818cb49ca4

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
89KB

MD5
b4f582844a913cf5567619d8203b6b4a

SHA1
874bde9f4ab402f531285871bd99013db5c1b606

SHA256
b5a5a8318b04b708b7c22657f744c03d84bb5a2080c463ca99579418e4ba15fe

SHA512
48aedc3f06ba59f37eb630eec372db8dc0b33a97a833156d9fb81f6310fa40b41867a03775d7b7b67b0cf6f462b2bc53ae761fc7218a2e397610bcdd726b0f28

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
89KB

MD5
c12805477fce2fc7f0acb887b829f4de

SHA1
6d3e90db56f896bb6291c2f83a1443a7ff9f712e

SHA256
5cdf08a5609fd8716f4b75ae5d634b30c7b1bd11e7d15663e3ddf383b2713a5c

SHA512
350cb6f57396f2886c44aa929abaf2c274ea61ddb15cdcf5e04558f5670886de7277a436cfea83054a42323302c7a2d29cc11630df6fe9216c940e8ccf8c919b

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
89KB

MD5
17a4bd26fcc945d62f616bb2e99ac815

SHA1
1fdec20308991bae4c92c206a63f7199f2c9d619

SHA256
46e147db8070ca30af93afd5e15eaad46668972e1ec86c010f75f2db9740830b

SHA512
80ffaec8df065a0dc7ea2c280303cb5262bcc0d6efde1b8bda7fa711d7b580232a615284488f5a9141b23b8b6a135b769bc1a692f97804b5e069421c2ee8671d

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
89KB

MD5
704cf02fff23102a5554fbe75fdfd720

SHA1
f0f1ad62df9e7551b2c042a9a91d6898e3dd933c

SHA256
c209485cc7dffd545455cf31343f891b3b9e5a62bb02556c370e507ffd579d59

SHA512
b0b95f6fd27407ea31f6785ae1086c55064d78be87c0f3e86b527e1aa4a73ba092fd6487bb38431a4e5151f7946057b9eeb91ce64258a3c06ad4f22dfe00c42b

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
89KB

MD5
aca0deb98ee958cf69dd04fb5d9286d9

SHA1
b99af7cd6059300419d9dba9d9dd3f18f13a2e7d

SHA256
0e7a06ab93fe3b736a25679f854248d80042f2e407a3d7a46ce4d5e84172c130

SHA512
37e9fd3ee2aa88fb731df794c7254ae09769a41673c14ef4d65956d4d3c62e00128ba182677c2ff3dc70ef7239da0e40d0b70b522c9260251e2ee70d3be6174d

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
89KB

MD5
b238dc7cc9baa0ae28e7d44e9bea703c

SHA1
8225ef5b42ea9ee4be16220280e15e0b0c5623f4

SHA256
914b4d24f37e56751dad54f26e2b26fa7907f49d317080ede64b1b96697adf3e

SHA512
436778b937c5d6b7f967134c00d391f64410cb752771a65939142d91b77fb53b5c462786001ec33edc520da5447bbe087e845a1a527df5bd8070372e03234609

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
89KB

MD5
4bfc2d26f234172f5e0070eadaf2b86e

SHA1
103f546610828016f132fe83c888024968630270

SHA256
a207ed2473df269f14cc20f47d6efc03486024d3a610e46f7774aa10ba12e381

SHA512
f0d45eca8d294600246e668e3c247e77eeab941dc2a6ecad43122fa38a336479f791fb5c32145b7c38f38e5b54e2f14212c4f56fcff7994f9eef64160264f52f

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
89KB

MD5
e199127f4165803d3359005edc4480a3

SHA1
49dca8cab4be226a4109c9d27cf7a430aed94406

SHA256
1a15a056739b0c6dfbec4a6d926ea5493f86a969b1fe9684a71e52a32d405e56

SHA512
048b792c866c0bfa8dfb121de196799b74dc9177878e76b91231119e160eb4842e4c3c092c48c23241a8a5c0fed425afa7d1829e83c32cd07ebbdf543dbbffc8

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
89KB

MD5
7b23796c463a2b405ba35b8e41eb8f00

SHA1
1746c78fc7a7e2eb951538f3ba48d2bc4b689bfa

SHA256
209bfbd16b4627ab46e844335d596a54d823540d57b731cda9ee229bfb016a0b

SHA512
3aa8d63b02a592f543e9d66f5dfb8b996872b86bdb0effab66d83e4ac64bfa5f65e0648757e53c93324efd192f394248216ae24c04c9111a8e87c521c705d8ec

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
89KB

MD5
e2e8c6429e775d324fddb6e753367d92

SHA1
73b7c0010abf9b90fb75a9f6a962b319a5205b83

SHA256
ca9ae9ce1c8c7dfc252ab87180545cb2f2a123a146f60bc5498c5662ad2a5c9d

SHA512
cae6d4fdb3a01f0be50505f5fd5886e47816e6be41532bb2bf1d976d159ccffddaee2f242de3085dfab904b6770f5bfda84527f6d34a53700f2691e442b47b03

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
89KB

MD5
4b0fb5f38e602e6255a6e32e784e4787

SHA1
972674aaa803bc0ca0393d7589543b268185a134

SHA256
48b9df6b35d643d851d9f6f41d20dbcdeeed9a3b87f1349e007735a3207c14af

SHA512
bf6f5f77faeab4dc941054f37fcbbe66084b37770a49e47ec9ad01ea89b865a92f71507f15e9388f91f8032340f089d5eb6af145d2135abf4ec654d17eaa26f4

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
89KB

MD5
476bf60a1a6703bbaa8c407ea2a6850c

SHA1
e21f72aaf31a9ae73a396f7c265d70e3d5f442b3

SHA256
c87f43ec00ac99fdb2743a72526540cd0155cffb0a18b3512da7856137d77686

SHA512
ed1dc7e1e14100c6674b316b3fe94c1c811c4ce47f0d80dd371a4b466a212739370daa38fda5b28eacbb96f34dbe3d1525ef58b2345dd08895f9ea06e2d82b2e

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
89KB

MD5
fb3eee6e8ccbd3a00fe2e668c2eebddc

SHA1
7986bf885613b61fab750471db1ec8cdd897a185

SHA256
8df12adaad605499cfedcd26482aa5feebaf896622d9d6ca5f9b0b5e4f481890

SHA512
a631cb7a36a037037908a9a9224715796d61d1bb8bb4e2feadc38a424fef51916d99fe79403ea7be0f6a5423fbedfafab37e7af9f1e071ed82088ccf08f3a80f

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
89KB

MD5
0fe39a1cd19de375bac16af9b3bb3666

SHA1
f198a7a8d9dc0b0d9bf52ddea763880a0be78020

SHA256
c79ce555b4f0d3f3a75f0e9c7253d549f29fd0fd510983dd9f1e878eb5aa703e

SHA512
26568abe7094e37cd1d4ef2c7ac15df3173dbd3b09c4df91a87248520eb48ea27a7dd92c8c3c9e940467c7b4ec9ee38321169f7dc1edf7f11173c2d92f7451b6

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
89KB

MD5
edd4e3c463685c342bba4f4c8aed21a9

SHA1
dafd624747c93ef0464bfb3d31b37451f7d62d59

SHA256
c911421f8e23372cd9b5f11cf6d3d9fa795bdf628e27f7b9288aabecae2d2717

SHA512
ba67f3ab4b0d5428de311b21548eeaadb80258690417590990c7d81b8f527791bb15530752a860f3fe85a2bdc8d6e9d9475f18f5204bc6c5ccb1d4d7f7f3fe34

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
89KB

MD5
488c0cf2b17b2d27aaef5e6aec5290bc

SHA1
c24005f3a614f94f0abd52275c5a432ded9993b4

SHA256
db40154e77e92cb7b1396cb443681e0ed6f25e09994089157165e9d3818df76e

SHA512
4be8542166963d8bdd5f7a112b2f3c0b1cf8260923b0ce59c8c4f6125ea54d89ee9562b6f3d4c85e3ccc1d7b9a24ba914de2e33639eb424d188aa477882a64d1

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
89KB

MD5
e1129556210c0dbe058cd14e3cc2c2b4

SHA1
e1dcc203916fa7b2fe79c38cc905c7ea4a273e29

SHA256
4717797549c438a815bc0859dc829131354d5018cd85481f99fabe32c66d8fa0

SHA512
4886703034a9eae511a5701005b737df5b292a2b1ae12f58704adc1a8057cae207d66100c518130429a40f4aa1714be133f39284c28c7633109207c823df3453

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
89KB

MD5
e6eaa59a9bf83822655e6b6ff91d928e

SHA1
ff8aae6f3a303aef42ba72d1df4d25f41bad9d86

SHA256
5c5fbf4d2c781d009b1f955a3aaf6a57f76197ade2fdccf93250b0f13323bc7e

SHA512
6b10c2f1af9e0e4d86ad2b3a35ca883dcd1f8012ff6bbfa02f543dd9d0773af48046f52f983a1e3e613203fc91ab181edfba8a0ddf921b105a101c635c4c77a0

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
89KB

MD5
d87b9ebe266cff9b1371cc662713365f

SHA1
181361725672f2dc8709db5b3d1fee1cc90b14eb

SHA256
de945d4f219803ae146fe93698b652bdd2bcd328b493c931537ab36698af93ac

SHA512
ca54714889c626512568d454de57fb95195f333f872d0f63391e3ce2e2120918118b9b382cba91570e74ad3855d134aac1fce03ca981c896918d5264390be4be

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
89KB

MD5
dda44ceb633d8a7cf081bf52eefb4d7f

SHA1
de3aa7a1465619a9c675c1c2bc95c351200d9ffe

SHA256
52b543366f487d227edaa7498f490965cd71ffe84d89c9d78d22eb61b4b5a22d

SHA512
4c80b43e2835933a301114bec49b6e79ecda7a22195188375372be422b67c396edeceac414f28625145cae1ee7c2c4e8ce0760ea95a3fd7319940796f9a5bc5d

Download Submit
C:\Windows\SysWOW64\Dhkjej32.exe

Filesize
89KB

MD5
6de5a6a52f2dabcccbbd8732846b9a7e

SHA1
99636e2766a2fbfd6acbd814c1682c143d941c0f

SHA256
de2f643e2e2177ba748932f1d549d4d83c7891d109a3b103568141eec311ec08

SHA512
e86ce0c1bfd2c654746ded80722b1fc76afff828161fba8e76173ae13aaffc1c1e13ec77c9166f486557fa29cb236b6e62a37108a27d403bbe5ef630b9c0846c

Download Submit
C:\Windows\SysWOW64\Dknpmdfc.exe

Filesize
89KB

MD5
960b9bd12f6755fe0e4bb96fb2935ff1

SHA1
1ffa8cd28157e24d49e0bf5ed5ee382d3404c713

SHA256
ee9757ae40ab272ea7adf6aaf5ccf92b1d728f9ca5f4cc0df1d33646a214d569

SHA512
8b6d17ee61daf5c2fd1925c70d566642472a891b53d8452bc113dfc1bdf5d14cb61fc53aff855593a6bee96adb37a374f576e7a9c771e728aab3a5d365caca8f

Download Submit
C:\Windows\SysWOW64\Ehfnmfki.dll

Filesize
7KB

MD5
ce1c61b8ddd05dd00b54326eeb36a85b

SHA1
13ce877fb839da2d6388f69acc5ee8ff11917a1a

SHA256
2be7ec94ec82ce8eeb4d9777a754e4d43990d2b7ce3597f90071b56f4122f922

SHA512
12755275395553410c76310b5fb5a93eff5f95bcecdb7af18ea061fe6fe79ae5d7ae00f4511b7ee02eea89f38aed124f65cf9d2632c4c3fda5fcc51db00624eb

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
89KB

MD5
8297b06a2121b9fb7abb3664be88ee66

SHA1
29fc49606083817f52f7c484753bc082a3d7b797

SHA256
be611e1c24850cfbdc2e8a18502fd843a8cb11172958e01d312948b202d8c8cd

SHA512
448cb3fbf1ca561dd00229e6bf5071913033a767a7ced00d451bdc8c05988a8bcefa880789ce2ce800e09c8bd9db9889cf355e7c46319bcee8016bdbd1c94ce4

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
89KB

MD5
bf189907d180e9ce22f69c20a15b4402

SHA1
553ed190f9fa3c8ddcc8631126781f8afe6f8951

SHA256
32afde6347f4fb1d06b28151e6dfa7a4d9e422794815afc4811235e68e1611fe

SHA512
583e914a374a92273feb93216b10dc7ea02c807679438e479a95b6b27f8b533db17a5c1cd46d8eaaac2f4851bcbdc232bbaaa06b90601bca3e7c0d216c2c911d

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
89KB

MD5
27fff3d50febb6bf8cac34f449b10fe2

SHA1
307cec07edafe1f740d4602c3e3319918ec84f89

SHA256
def05e769decd88302882e400e9844e49c653b998493da9fb5f2f5148a6b2030

SHA512
5c443585d41a1c93ce619809377dee4b8b1802f4e619da83bc8d2dd8289d9a9ba171fca1e9103a95ac1e0afb8bdbe8a83d2e7a08a2185525932c0f638df0555b

Download Submit
memory/372-292-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/372-361-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/540-326-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/540-251-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/628-233-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/628-312-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/668-340-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/668-268-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1292-179-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1292-90-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1448-214-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1448-298-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1556-397-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1864-369-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1944-213-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1944-125-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1952-169-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1952-81-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1956-411-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2224-320-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2224-389-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2384-71-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2384-160-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2400-285-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2400-354-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2432-424-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2432-355-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2500-232-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2500-143-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2548-222-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2548-135-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2628-305-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2628-223-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2656-151-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2656-64-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2780-418-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2956-390-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3056-89-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3056-8-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3060-348-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3060-417-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3208-47-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3208-133-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3300-306-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3300-375-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3544-103-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3624-0-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3624-79-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3628-383-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3676-31-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3676-115-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3728-267-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3728-180-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3748-107-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3748-195-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3772-368-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3772-299-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3920-116-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3920-204-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3952-124-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/3952-39-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4088-362-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4296-170-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4296-258-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4340-192-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4340-276-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4356-319-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4356-242-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4480-259-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4480-333-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4488-152-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4488-241-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4492-23-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4492-106-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4500-403-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4500-334-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4576-16-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4576-102-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4840-341-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4840-410-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4880-250-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4880-161-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4924-277-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4924-347-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4928-284-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4928-196-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4984-382-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/4984-313-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5028-142-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5028-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5040-376-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5052-205-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5052-291-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5068-404-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5096-327-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/5096-396-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads