59b0ac0aac6c1f042948e3ad88176749996c28c744b19de697e4da088c7f15d7

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2024, 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d242612301f68b2efe5dd1462f059f20N.exe
Size

92KB
MD5

d242612301f68b2efe5dd1462f059f20
SHA1

712a7cee5a84d12dcaee7ecde420e52d4d041580
SHA256

59b0ac0aac6c1f042948e3ad88176749996c28c744b19de697e4da088c7f15d7
SHA512

fb766c6c7047e178ccc1368f24c68ffe644f9abec8a3d2789ffd9e376783466b95101be6a1c9206bb2430f95b684d059949b2fd331c26e6bc40069df6db9a537
SSDEEP

1536:o2oO4DC4XCCQLYVVNHor1R/CpqU5ddyjXq+66DFUABABOVLefE3:+O41m+zmHfMMj6+JB8M3

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe

Executes dropped EXE 64 IoCs

pid	Process
3140	Qffbbldm.exe
2332	Ampkof32.exe
3560	Acjclpcf.exe
2596	Ageolo32.exe
2448	Anogiicl.exe
4616	Ambgef32.exe
1224	Agglboim.exe
3744	Ajfhnjhq.exe
2484	Amddjegd.exe
432	Acnlgp32.exe
4200	Afmhck32.exe
2496	Andqdh32.exe
640	Aabmqd32.exe
1596	Aglemn32.exe
3996	Ajkaii32.exe
4696	Aadifclh.exe
4668	Accfbokl.exe
2344	Bnhjohkb.exe
3448	Bmkjkd32.exe
744	Bganhm32.exe
4984	Bjokdipf.exe
3752	Baicac32.exe
4300	Bchomn32.exe
4132	Bffkij32.exe
3596	Bnmcjg32.exe
116	Balpgb32.exe
2976	Beglgani.exe
2408	Bjddphlq.exe
1948	Bhhdil32.exe
3904	Bjfaeh32.exe
3388	Bmemac32.exe
3768	Belebq32.exe
2872	Bcoenmao.exe
2944	Cjinkg32.exe
1472	Cndikf32.exe
4260	Cabfga32.exe
1012	Cdabcm32.exe
1376	Cfpnph32.exe
3644	Cnffqf32.exe
3736	Caebma32.exe
3080	Ceqnmpfo.exe
4336	Cfbkeh32.exe
392	Cjmgfgdf.exe
4368	Cmlcbbcj.exe
3740	Cagobalc.exe
1968	Cdfkolkf.exe
3828	Cfdhkhjj.exe
440	Cnkplejl.exe
3532	Cajlhqjp.exe
2460	Ceehho32.exe
2436	Cffdpghg.exe
3988	Cnnlaehj.exe
2948	Calhnpgn.exe
1384	Cegdnopg.exe
3196	Dhfajjoj.exe
2936	Dopigd32.exe
1388	Danecp32.exe
3352	Dhhnpjmh.exe
5048	Djgjlelk.exe
1292	Daqbip32.exe
4920	Ddonekbl.exe
2456	Dfnjafap.exe
5008	Dkifae32.exe
3664	Dodbbdbb.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Kbejge32.dll	Baicac32.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cabfga32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Fmjkjk32.dll	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dopigd32.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Ampkof32.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Amddjegd.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	d242612301f68b2efe5dd1462f059f20N.exe
File created	C:\Windows\SysWOW64\Ampkof32.exe	Qffbbldm.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Aabmqd32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Efmolq32.dll	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Ageolo32.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Ooojbbid.dll	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Bnhjohkb.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	Aglemn32.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3992	1972	WerFault.exe	157

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d242612301f68b2efe5dd1462f059f20N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahicipe.dll"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ambgef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll"	d242612301f68b2efe5dd1462f059f20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lommhphi.dll"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnmcjg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 3140	1344	d242612301f68b2efe5dd1462f059f20N.exe	83
PID 1344 wrote to memory of 3140	1344	d242612301f68b2efe5dd1462f059f20N.exe	83
PID 1344 wrote to memory of 3140	1344	d242612301f68b2efe5dd1462f059f20N.exe	83
PID 3140 wrote to memory of 2332	3140	Qffbbldm.exe	84
PID 3140 wrote to memory of 2332	3140	Qffbbldm.exe	84
PID 3140 wrote to memory of 2332	3140	Qffbbldm.exe	84
PID 2332 wrote to memory of 3560	2332	Ampkof32.exe	85
PID 2332 wrote to memory of 3560	2332	Ampkof32.exe	85
PID 2332 wrote to memory of 3560	2332	Ampkof32.exe	85
PID 3560 wrote to memory of 2596	3560	Acjclpcf.exe	86
PID 3560 wrote to memory of 2596	3560	Acjclpcf.exe	86
PID 3560 wrote to memory of 2596	3560	Acjclpcf.exe	86
PID 2596 wrote to memory of 2448	2596	Ageolo32.exe	87
PID 2596 wrote to memory of 2448	2596	Ageolo32.exe	87
PID 2596 wrote to memory of 2448	2596	Ageolo32.exe	87
PID 2448 wrote to memory of 4616	2448	Anogiicl.exe	88
PID 2448 wrote to memory of 4616	2448	Anogiicl.exe	88
PID 2448 wrote to memory of 4616	2448	Anogiicl.exe	88
PID 4616 wrote to memory of 1224	4616	Ambgef32.exe	90
PID 4616 wrote to memory of 1224	4616	Ambgef32.exe	90
PID 4616 wrote to memory of 1224	4616	Ambgef32.exe	90
PID 1224 wrote to memory of 3744	1224	Agglboim.exe	91
PID 1224 wrote to memory of 3744	1224	Agglboim.exe	91
PID 1224 wrote to memory of 3744	1224	Agglboim.exe	91
PID 3744 wrote to memory of 2484	3744	Ajfhnjhq.exe	93
PID 3744 wrote to memory of 2484	3744	Ajfhnjhq.exe	93
PID 3744 wrote to memory of 2484	3744	Ajfhnjhq.exe	93
PID 2484 wrote to memory of 432	2484	Amddjegd.exe	94
PID 2484 wrote to memory of 432	2484	Amddjegd.exe	94
PID 2484 wrote to memory of 432	2484	Amddjegd.exe	94
PID 432 wrote to memory of 4200	432	Acnlgp32.exe	95
PID 432 wrote to memory of 4200	432	Acnlgp32.exe	95
PID 432 wrote to memory of 4200	432	Acnlgp32.exe	95
PID 4200 wrote to memory of 2496	4200	Afmhck32.exe	97
PID 4200 wrote to memory of 2496	4200	Afmhck32.exe	97
PID 4200 wrote to memory of 2496	4200	Afmhck32.exe	97
PID 2496 wrote to memory of 640	2496	Andqdh32.exe	98
PID 2496 wrote to memory of 640	2496	Andqdh32.exe	98
PID 2496 wrote to memory of 640	2496	Andqdh32.exe	98
PID 640 wrote to memory of 1596	640	Aabmqd32.exe	99
PID 640 wrote to memory of 1596	640	Aabmqd32.exe	99
PID 640 wrote to memory of 1596	640	Aabmqd32.exe	99
PID 1596 wrote to memory of 3996	1596	Aglemn32.exe	100
PID 1596 wrote to memory of 3996	1596	Aglemn32.exe	100
PID 1596 wrote to memory of 3996	1596	Aglemn32.exe	100
PID 3996 wrote to memory of 4696	3996	Ajkaii32.exe	101
PID 3996 wrote to memory of 4696	3996	Ajkaii32.exe	101
PID 3996 wrote to memory of 4696	3996	Ajkaii32.exe	101
PID 4696 wrote to memory of 4668	4696	Aadifclh.exe	102
PID 4696 wrote to memory of 4668	4696	Aadifclh.exe	102
PID 4696 wrote to memory of 4668	4696	Aadifclh.exe	102
PID 4668 wrote to memory of 2344	4668	Accfbokl.exe	103
PID 4668 wrote to memory of 2344	4668	Accfbokl.exe	103
PID 4668 wrote to memory of 2344	4668	Accfbokl.exe	103
PID 2344 wrote to memory of 3448	2344	Bnhjohkb.exe	104
PID 2344 wrote to memory of 3448	2344	Bnhjohkb.exe	104
PID 2344 wrote to memory of 3448	2344	Bnhjohkb.exe	104
PID 3448 wrote to memory of 744	3448	Bmkjkd32.exe	105
PID 3448 wrote to memory of 744	3448	Bmkjkd32.exe	105
PID 3448 wrote to memory of 744	3448	Bmkjkd32.exe	105
PID 744 wrote to memory of 4984	744	Bganhm32.exe	106
PID 744 wrote to memory of 4984	744	Bganhm32.exe	106
PID 744 wrote to memory of 4984	744	Bganhm32.exe	106
PID 4984 wrote to memory of 3752	4984	Bjokdipf.exe	107

C:\Users\Admin\AppData\Local\Temp\d242612301f68b2efe5dd1462f059f20N.exe
"C:\Users\Admin\AppData\Local\Temp\d242612301f68b2efe5dd1462f059f20N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Windows\SysWOW64\Qffbbldm.exe
  C:\Windows\system32\Qffbbldm.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3140
- - C:\Windows\SysWOW64\Ampkof32.exe
    C:\Windows\system32\Ampkof32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Windows\SysWOW64\Acjclpcf.exe
      C:\Windows\system32\Acjclpcf.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3560
    - - C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2596
      - C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3744
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4200
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2496
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3448
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3752
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4132
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3596
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:116
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2976
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2408
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        30⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:628
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3904
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3388
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3768
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4260
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1376
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3644
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3080
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:392
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3740
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1968
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3828
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3532
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2436
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1384
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3196
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2936
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1388
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3352
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1292
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5008
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3664
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1628
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4204
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:728
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1660
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        72⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:656
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 404
        74⤵
        Program crash
        
        PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1972 -ip 1972
1⤵
PID:4548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
92KB

MD5
f8ac64b122d147ecf750e65a6215dd96

SHA1
62180d09f5d6ee507711aeb51557783e1c6e68ed

SHA256
2759a8c9c8035da8fa8b48b46be33f03f867b175ef23996fc9b197d9ee64d9d2

SHA512
804911512fcaf8a8686726415252e208a2dd8e14b7bbd3d6b3506275dc0affd0ea0228110ce055ae8067769a2ce101f3b2d369d79df16b25caee2060e7d6cf3c

Download Submit
C:\Windows\SysWOW64\Aadifclh.exe

Filesize
92KB

MD5
65a682bd39935caf0ca733be4e1e381d

SHA1
b017a2be15c02bb8463bb97f769ea0e419c18197

SHA256
aede468f97e8d77027e975d7f0575f1900b07e069c62892f4c61163f5e5104f5

SHA512
78f0c2ef43db79bad26bf396644ca408d921a06933759841a96461b705110b39ac792f117056ba6ee38c59efe22894ae90ee6976df80556944bb6c8d2dd833e4

Download Submit
C:\Windows\SysWOW64\Accfbokl.exe

Filesize
92KB

MD5
ec127bbd7c98fa36557d6d4bbedadc30

SHA1
2486f2f96e543f94a26138f657eb8d6471baa0db

SHA256
84d2901af7d94b976199d41214a93fe2adf2ae4b82551c5bcb313b1de519a939

SHA512
a519655608e504d7d4a9bfde9207fe8bac3808079f55c850dd226a4c61a3a3a0f27b1b0c8cc600aa7e8b1116a48eed304f0c4cc17d0f148e693b94ee51dd3b88

Download Submit
C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
92KB

MD5
8d4502a7ee6eb1179988e3ea2f087dc1

SHA1
c3aa2e2af5a50cc5eb03e4ecf3a5e864aeafb13a

SHA256
841053b8c817112cc4e0f393ab1b649002c802b4cddd43eb950fd897a0b301bc

SHA512
4b26cf1f28c230b4c443a2850a47d915b850f204a4e5107499cc495ccd4e8c2a59f0d64d7c1d6744700f1f70db59ddef5d124140a6c04aedcaa09310f217dd4f

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
92KB

MD5
3cc159d0c68fe2c30fd3c5953bdc30ec

SHA1
70ed7ea604d685aaf1b7cd523483b5e925c39e2e

SHA256
534e8d1764c808ef3ead2c9351396c90499469eea6f1e6f1f7658ca9ca78b540

SHA512
2d38c38a3ca8274e8cf2b9ee54f3c1a21c3b82613be5cb2bf35039320d3a7f79beb8ffa79afc22967aac46deaed6548c81c0a312a1e94cba7d35683ef8964dc5

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
92KB

MD5
1d8dafed27b4f9aaeda1166d8d9cd881

SHA1
04a788b99fc0d611095751bd25a9fcfaf1233ae0

SHA256
d9e1614d8229ec014bd5cc76d8b03c048fe7c714b8e86d5cc540c28bb9233552

SHA512
d10b93d9528b255bbabee07161e1d29bdcb325dfeeee65d0e1275f47e4ae982f548a6ea56c8dc621434baaf48f4dc7545b958929075794b4cb2dc5e209bb4d41

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
92KB

MD5
82ed4e81137666cd8a833ea66d470d98

SHA1
97d64fe039be7fe68f161ed43d44aa8792d5890f

SHA256
5566ee928243e999c2a330065576660f850c3a0b6c6c9fddb41df0d9f8192f84

SHA512
021accda7e35c27215dd74cf484d1a47b230c710031666b937fdf8a1a5530aff60963a653d76024710e5a5ca3a57e4a95ec062f866761f493422dbfd31c2c2a5

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
92KB

MD5
3378748539d7f0743036c35c1f3e1b11

SHA1
56771a6931807ee9a22da201f546bbe8074416af

SHA256
a8b184128d3288122f42033f781080c1b9d3a26d5c2b21e08ae4f468959bbe6e

SHA512
cbad30c7defd2a44f65eaa986b206d6bbc0e4c693dfb44825b6db1f8a9fb5387297342458f1dc50ec653c815c32e7cd2ed01410b1a3b739e25a3e2103f465f43

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
92KB

MD5
3124e015e228a57dac82a5b1e89627d0

SHA1
28542b7836541709f7014e91723fa0efa196977b

SHA256
e113840237b2cfb92541ba91ec366cfb877b035a71f9af7301f1871fca4f385c

SHA512
d5e89fdf4311dfd30939176173a14cbfaf71c52fec6aa3eef518c0c2b021b858c117eb20a392aa5b3a340bb15bd7c354c35daf64df7f43f757636515b75d2de6

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
92KB

MD5
b78e104edcbf6797e4bd8dec7225ea87

SHA1
0e790b88fa12784e75c109ecc3bdc03d8845a316

SHA256
e232d06cb27a339fa94090ef1635abfe9f2a9bfd62627129cd706ba9192c01ac

SHA512
5e1d18aebbf8fa4019f043e4e863cafd5750126267251184a8cb1e6497f9768c3f70d30ae5bae8c5b221e89de853143717c1cd74ff73986256886a79c9035c1f

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
92KB

MD5
d8294c88f2c555774596052ccffc0207

SHA1
f05f7973c448f3bd488de31549572250ebdfdf4b

SHA256
edbcfc53f1fd8dcb9a345a382d64e8e274ea726d60ee1348f2977343d9bf9aec

SHA512
00936d9e6e98bf71716b3658b9eb2156a6a7511f5dde01869b2e75b8781e1f3418726a9913747cbeb1e9915061cbfc123100b0aca4b3ab53866828e84ef67fe1

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
92KB

MD5
3e44f7e398fdc3e4ffe1dda43348a549

SHA1
9c1c33980b3ce8e00147ecb298403ba64b651e93

SHA256
b841cd931779a02680bfaa8e162d0e6e86c1ae054fcda29a6a4fae6dafef0bc3

SHA512
7e92f74b55874dbc5206158f6519cd480f2bbff4ffc420281a18da0b47ed959f96b685d05cd453d047858507ca4425c32813b3d6d039f09b6fae62ad66d7d80f

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
92KB

MD5
51fcbbba38473a59c58486aae638600c

SHA1
5ba9893d7b727ff359eb190314f85bab4dabec82

SHA256
24bcacafb69542f11ebdd10d7f2c14d8565fe739b5066b922e866bbfb67cb01f

SHA512
85153044733dc5c6b621c5c2518e02fa99919b659bd3517d01caf6775fc340eac34834d35125d597b2ad2082c38d0ddf3333558bc98d4c3304b9a4bb8b356108

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
92KB

MD5
e240d1e0eacb2d2c2cd2aabd59890eee

SHA1
4cf9d09ea6927d088c51a369343b109255e4768f

SHA256
81e13166915cda05de7d465e14b390f50a4c2d2d60088eac7a84fc09604e1727

SHA512
b6eb20fcdd03efc5795265332c73146a9e22fdd9940d21877f20388a26d8d7796c0a7bf0f225cdb42a22554faf5c8a11ae7de6ab745ca3d2fa8a2fa38e681991

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
92KB

MD5
3d75382f79ff66dcf0b893a7b11b4537

SHA1
8050914ea5b551198f36619181719a04594d5514

SHA256
d7f2360dec2e4023698fbb40ca98f3faf236668e3de39f84670dee157c5c9f8a

SHA512
e455e357e4807cd9f866cc23c75056e73ea975d8b87869947ed52a282525d0ec9432051b861b2cfe92dbc4f7bce0fb408f3e8af7a8e942136ec321a7e8f8f12c

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
92KB

MD5
abca53f4f73d29f54015e5d19774fd05

SHA1
de77ddf0366ed71f6371837300f6b10d1badd9aa

SHA256
88c4ea2ed5b218f145379bb06c8b6aeb0ad6b9643a8c2a619ee240a7546fe035

SHA512
8ce90ee04040c86b6337772c8b6d2bbe6dd3abdb4ffa8528c5f8ae9c253e59157a1f607c069b4383a972d0fe6134a216501463e9f4abe80042fe9a1297432e7b

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
92KB

MD5
878d1a9ea129a5cc5fced8276bcdf9fc

SHA1
8cbdc84339fe59acb087d570893e731f938ddc08

SHA256
906771a710af093563180dcd7ac412d8e03bd2ace418d841c7dd39b84bcb516b

SHA512
a3982d8deb2841cf8027f8918b549ed5c95d5472d25107ea73e159c90a05902d98738cdf925bb6c941894aba514e1f170ba6bcfc7b39c3d4a807d52a6ad167f4

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
92KB

MD5
a274e47f87ec7b15e1daf91cc1e9448a

SHA1
18c8cde3605a877751004dee6c9e8f8512af3f7c

SHA256
8c00c2f8500f18576d5e681f83689fe7a8bab90cf801347ccaf32cad5ef59961

SHA512
7028724a6b10b2b23557bdbe737c87856fef3b42a17ab478b46e7412fbec9a92c6f1ea0b8be2ed5247d5488a5404a2c578a7947f38b03efb6858dfc56df421d2

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
92KB

MD5
354b3b96cc561a6ceea3eeab873429d2

SHA1
7d9210cf0b24d368b57ff21c65ad3cf7f41db995

SHA256
f546a2c119fa65f560193fbd26803452173aad9f28256e40bb3f93436399116c

SHA512
d572cebadf2edd8af6a15ae1a8e073f2003e5290249ff35b8fe42a8b70f5e095037992ee3a30c44e7bbdd1f3f29d62f0d90febd67ec92f95a52fa82f75f5cea8

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
92KB

MD5
86f2da43d818b0c0ca46d558b78b6599

SHA1
b582dc5bee98ab7b7b68c2ad220bdaa4675bf5c8

SHA256
feff93667e6cf663576e41e2a84b39ad555ad90b5e3aac282ec33099e41019ad

SHA512
a63973bc656bbc2c29b97bdedb26c8d74b56ff2b92c3eeeb25806bcc9ffe6afa2e0d581777d97cea4c9bce592e21e39d3bd7f0a4508e51ea69e9fa684f47d726

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
92KB

MD5
519981f2bae55c81348d8041d47f2733

SHA1
4e6aab78eb0fad6a7fd3a727c99677ba91324842

SHA256
85d17b6796025d4abf4f720115ca3826af718b25fd41dc47b433b0d2429185a5

SHA512
92a67d7821a1d18dd4f268c76f35a927fdc32ca8a05a2f190e9860eadb386ff6cbecc20527cbdc4165292123ad693f7a64e6891383595428daa08d9617ff4be5

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
92KB

MD5
23c2560d88a55d41056c0f99193963a7

SHA1
2a6eac624ca9f03161c375ece70000d93cff4504

SHA256
d5cde66f2b03eb8f52ddf8be62c1a622e990213832b53115021a14cbcf7253a1

SHA512
66712d21f1e56b4cb4d3bbc7a17e19d788006d70503a9371854f4e777134c21b54423534903e988178baa7b3704356df6262b2546a20557c0aa9cef20921fb99

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
92KB

MD5
cdaa3fb2a11fc4c7da1cfde7921e7975

SHA1
79d294640c0a5854b7755ae470bbbec8fc7e3584

SHA256
89f739a44a4c935ae6221f89beb88f20aa06df0f6183d245b1368014c700bab7

SHA512
fbf5da522c68981525e2cb7bcd10e2a9035f9178dcb9f965198316fe7f7d32d8f773a9c9b341483f2280d3319e7e818a05455291da7488eec914a8748c426ec6

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
92KB

MD5
a70472457f44a92dbb7d9b2543f3843a

SHA1
19c39ee91516e3349e770a6460b664305c9cfeeb

SHA256
ad52990d8e47bd84c2363ef125610fabb9aefc68e4c1435c2f18fd9d1dd86562

SHA512
2c3521d50c153b928668d860c5036f18b429d3f6c05b7c0ea7680f5e455e376414930651d4df2aca9e98809da37fe9fddc1cc6c957def63ddd730877e25dcd0d

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
92KB

MD5
e18a784ad9546976017ba9217e07f684

SHA1
b7308041cf77d0df7604e7fefa9cf8e176920321

SHA256
49d9b5228711dd451e89d3b48b68307f2da39430e11787e4fc5ee3a1abbc5a56

SHA512
c1861a93aba1ede66fc6765efbd1473833c617c9a382ad1ddbfc7659d2e7262ecffb922023834a5b7ada64a26f92c1163cae7568c1607fdde32c150b51678002

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
92KB

MD5
b2f6285341468bf8cc7a3be7f217a47c

SHA1
33c7a11f187a55bd5a79f59f413d8ee2c013fa5b

SHA256
d17a46ae050840fce17ebdbf55efd2a005b292940b99ec4571566ecbeef8c1da

SHA512
07b7ca373098510d3c1d75f775aa787c57ec14b05e3241ca0de7e93f23bf3d79f418d45bed71ab3bca649ce4c0f48e172177185ce4decfd442e843955dedd5a5

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
92KB

MD5
bf8b04784acfcc3696c118c232e5d203

SHA1
578edc825491ab3d9cd60e5a22e822a9de121e09

SHA256
ff9b9b214902aef93b45af39ca3e2506454371d117e536a709ed7fead351da96

SHA512
3488f5b755abb4f5712bd870c5882e69585a347a5ba7f80eac5287315ca857e34f238979ff5d72d669b48fb928716d80888ad17b2956d0589e842a0c3443d385

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
92KB

MD5
d5961f30d0dc5674e4cd97b322b7d354

SHA1
9e268c859a5ca73a03cdad83de5ffa37de5458a0

SHA256
8942587a6e200ec303aef627e08da8bed871e707d66930a56eb3ec3843c9fe45

SHA512
a8e6a8fa13a18dfd372a9c5c54f9fed0e87febb9a56689bb7b190b8bf79e4463e274a655bb51410bf2875d98b39fc509c490eb27e5aa0bd901551630554384a2

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
92KB

MD5
b635cb64ac0ae686a5324728b0fd20fe

SHA1
16efaad7ebeeb47296aaa3a0631af202d467e450

SHA256
8a24c16eed8fd375f2b123525002a0539e337e694cb963d9f8003b6de0a59399

SHA512
b6b49212c19936c5a289de69df14307e11890e9fdd8a83e0cb53d8ab53e1a52e4715856f55237668b6eb845ce309000864e68dafdf56858e70ea4a1efedb7b4c

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
92KB

MD5
5049ecb04d47fe3650c345ac9559c854

SHA1
684bfeb29b244348e39036efa9790651a8026a8b

SHA256
a4ef1565f3ed1a3b4728676438ce1b78c784f6d4dd337ec871d296dca32f5674

SHA512
a757d723beae2f9761ac2e1818436fedbc579a28221f5dd3d91cc577ff219cec9c6c39271b426a6c1bbc708ba8cb3884d941d8dc96a5334badbe4e1617192fb7

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
92KB

MD5
9d4186dd082a3b47a0211d051e25e4b6

SHA1
bc892a3b6184dac36f105d60b95639fe9e3242a4

SHA256
2a33388672b02fc5dc5652615a370dd30d74687ad6122895bd3f8c64e260aa29

SHA512
b81e5d2932976110af178bcfe6ae41ead1faab52fa3fe74b338713a193d4129ea27087a63e59b7dbdab06df5182fde7f2fec9435aeaf2ac5fbabf835b0f2fd71

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
92KB

MD5
0c1fe37ac397c86ac8596cbe3802a4e3

SHA1
c20a8fa99c24464715552ae9442d76b034ac8665

SHA256
7d4274d47e667148334895cb7999ea74c6a91d9fd6587023b49be55ab47ee09d

SHA512
553fa2fe737c2d825b909641508d9613d14e28c7122f1d4a41a7be2e520df9a5c95d67acaa82227226cda038da29ee8ec1de8ab69dc5b98b2c6a86a7eee19a82

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
92KB

MD5
8a5cc50876551a9b5593fecaf3bc15ed

SHA1
f7aa4ec25af5289765315773bc1278388648bfd9

SHA256
c8a594b40a5458c94b3d55a609e5f61538bfad078d3b387106acfe9727e79e1b

SHA512
d0a0419c49c31d1bc14678cd6d4a7f8bf82b5a3eb1741ef8c91515b2cf5a9a101261efb9c9184917ea0a27a0470e15bc3bc8748d320816be474f6975c0886d54

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
92KB

MD5
205c83c55195d2f5d2bad59456412bf6

SHA1
fd0541212ab0e70b05ab66944372fd6cbecfd1bc

SHA256
c45b6c4f45f40ed7e362589a38fcf6afa6a43ff8cc92410eefb2760c47259061

SHA512
28e80bed8c2f1f5c09ee9a24eeb2e05413c82e635332f8c037198644ccd56b340ed2fb4984ed913c5ab964e1537f69add3702d98f45d847c0f796095765b4656

Download Submit
memory/116-209-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/392-329-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/432-81-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/440-514-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/440-354-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/628-225-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/640-105-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/656-491-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/728-495-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/728-474-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/744-160-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1012-288-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1224-57-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1292-502-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1292-426-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1344-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1344-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/1376-298-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1384-508-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1384-390-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1388-505-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1388-408-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1472-276-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1596-113-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1628-498-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1628-456-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1660-494-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1660-480-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1948-232-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1968-342-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1972-493-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1972-492-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2056-496-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2056-468-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2332-16-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2344-144-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2408-224-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2436-511-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2436-376-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2448-41-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2456-438-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2460-512-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2460-366-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2484-73-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2496-101-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2596-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2872-264-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2936-402-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2936-506-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2944-270-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2948-509-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2948-384-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2976-221-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3080-312-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3140-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3196-507-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3196-396-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3352-504-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3352-414-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3388-248-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3448-153-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3532-364-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3532-513-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3560-24-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3596-200-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3644-300-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3664-499-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3664-450-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3736-306-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3740-336-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3744-64-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3752-176-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3768-256-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3828-348-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3904-245-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3988-378-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3988-510-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3996-121-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4132-192-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4200-89-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4204-497-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4204-462-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4260-282-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4300-184-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4336-318-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4368-330-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4616-48-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4668-136-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4696-129-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4920-432-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4920-501-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4984-168-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5008-500-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5008-444-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5048-503-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5048-420-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads