10a132d14245f6fd77da75b34ee343f19cb9b96593112fee6f39f661cf62313c

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10a132d14245f6fd77da75b34ee343f19cb9b96593112fee6f39f661cf62313c.exe
Size

89KB
MD5

8de41bbdce4a49c750b0c074613e574d
SHA1

a05923b643f94aff7efb2681e182003656ca5568
SHA256

10a132d14245f6fd77da75b34ee343f19cb9b96593112fee6f39f661cf62313c
SHA512

0fa8549c0db4dfa8df8ff54d5e0f29fb43410c7f5843cc60dc7575f138ecd54e4264f7f0ce28627512d4268d7b934f8690f555b60c55e4af097e201305a7516e
SSDEEP

1536:RL4ODRnsW5VcN4LB2Ync0odbmsCIK282c8CPGCECa9bC7e3iaqWpOBMD:GODRs+VcqLB5nEdbmhD28Qxnd9GMHqW/

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	10a132d14245f6fd77da75b34ee343f19cb9b96593112fee6f39f661cf62313c.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe

Executes dropped EXE 64 IoCs

pid	Process
2732	Andqdh32.exe
780	Aeniabfd.exe
3708	Afoeiklb.exe
1896	Anfmjhmd.exe
3504	Aadifclh.exe
3380	Agoabn32.exe
2772	Bjmnoi32.exe
1428	Bmkjkd32.exe
1524	Bebblb32.exe
2600	Bfdodjhm.exe
4448	Bnkgeg32.exe
3572	Baicac32.exe
4068	Bgcknmop.exe
4504	Bnmcjg32.exe
2480	Beglgani.exe
4520	Bgehcmmm.exe
1532	Bjddphlq.exe
2388	Bmbplc32.exe
888	Beihma32.exe
2860	Bfkedibe.exe
4108	Bjfaeh32.exe
2652	Bmemac32.exe
2428	Bcoenmao.exe
2656	Bcoenmao.exe
1004	Cfmajipb.exe
4320	Cjinkg32.exe
464	Cndikf32.exe
4396	Cabfga32.exe
1236	Cdabcm32.exe
4820	Chmndlge.exe
592	Cfpnph32.exe
2824	Cnffqf32.exe
4028	Ceqnmpfo.exe
2088	Cdcoim32.exe
1432	Cjmgfgdf.exe
4536	Cnicfe32.exe
1368	Cagobalc.exe
2340	Chagok32.exe
4580	Cnkplejl.exe
2116	Cmnpgb32.exe
1260	Cdhhdlid.exe
2672	Cffdpghg.exe
1348	Cnnlaehj.exe
4440	Calhnpgn.exe
1396	Cegdnopg.exe
4256	Ddjejl32.exe
2528	Dfiafg32.exe
3392	Dopigd32.exe
4352	Danecp32.exe
4260	Ddmaok32.exe
1960	Dfknkg32.exe
4112	Dobfld32.exe
372	Daqbip32.exe
920	Dhkjej32.exe
4532	Dkifae32.exe
1528	Dodbbdbb.exe
2348	Daconoae.exe
3780	Ddakjkqi.exe
4596	Dfpgffpm.exe
1148	Dogogcpo.exe
4228	Daekdooc.exe
3524	Dddhpjof.exe
5076	Dknpmdfc.exe
4452	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	Aeniabfd.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bgcknmop.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Ooojbbid.dll	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Beglgani.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Chmndlge.exe	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bnkgeg32.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bmemac32.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cabfga32.exe
File created	C:\Windows\SysWOW64\Chagok32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cagobalc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4956	4452	WerFault.exe	151

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10a132d14245f6fd77da75b34ee343f19cb9b96593112fee6f39f661cf62313c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	10a132d14245f6fd77da75b34ee343f19cb9b96593112fee6f39f661cf62313c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgmnjcj.dll"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beihma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	10a132d14245f6fd77da75b34ee343f19cb9b96593112fee6f39f661cf62313c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1592 wrote to memory of 2732	1592	10a132d14245f6fd77da75b34ee343f19cb9b96593112fee6f39f661cf62313c.exe	83
PID 1592 wrote to memory of 2732	1592	10a132d14245f6fd77da75b34ee343f19cb9b96593112fee6f39f661cf62313c.exe	83
PID 1592 wrote to memory of 2732	1592	10a132d14245f6fd77da75b34ee343f19cb9b96593112fee6f39f661cf62313c.exe	83
PID 2732 wrote to memory of 780	2732	Andqdh32.exe	84
PID 2732 wrote to memory of 780	2732	Andqdh32.exe	84
PID 2732 wrote to memory of 780	2732	Andqdh32.exe	84
PID 780 wrote to memory of 3708	780	Aeniabfd.exe	85
PID 780 wrote to memory of 3708	780	Aeniabfd.exe	85
PID 780 wrote to memory of 3708	780	Aeniabfd.exe	85
PID 3708 wrote to memory of 1896	3708	Afoeiklb.exe	86
PID 3708 wrote to memory of 1896	3708	Afoeiklb.exe	86
PID 3708 wrote to memory of 1896	3708	Afoeiklb.exe	86
PID 1896 wrote to memory of 3504	1896	Anfmjhmd.exe	87
PID 1896 wrote to memory of 3504	1896	Anfmjhmd.exe	87
PID 1896 wrote to memory of 3504	1896	Anfmjhmd.exe	87
PID 3504 wrote to memory of 3380	3504	Aadifclh.exe	88
PID 3504 wrote to memory of 3380	3504	Aadifclh.exe	88
PID 3504 wrote to memory of 3380	3504	Aadifclh.exe	88
PID 3380 wrote to memory of 2772	3380	Agoabn32.exe	90
PID 3380 wrote to memory of 2772	3380	Agoabn32.exe	90
PID 3380 wrote to memory of 2772	3380	Agoabn32.exe	90
PID 2772 wrote to memory of 1428	2772	Bjmnoi32.exe	91
PID 2772 wrote to memory of 1428	2772	Bjmnoi32.exe	91
PID 2772 wrote to memory of 1428	2772	Bjmnoi32.exe	91
PID 1428 wrote to memory of 1524	1428	Bmkjkd32.exe	92
PID 1428 wrote to memory of 1524	1428	Bmkjkd32.exe	92
PID 1428 wrote to memory of 1524	1428	Bmkjkd32.exe	92
PID 1524 wrote to memory of 2600	1524	Bebblb32.exe	93
PID 1524 wrote to memory of 2600	1524	Bebblb32.exe	93
PID 1524 wrote to memory of 2600	1524	Bebblb32.exe	93
PID 2600 wrote to memory of 4448	2600	Bfdodjhm.exe	95
PID 2600 wrote to memory of 4448	2600	Bfdodjhm.exe	95
PID 2600 wrote to memory of 4448	2600	Bfdodjhm.exe	95
PID 4448 wrote to memory of 3572	4448	Bnkgeg32.exe	96
PID 4448 wrote to memory of 3572	4448	Bnkgeg32.exe	96
PID 4448 wrote to memory of 3572	4448	Bnkgeg32.exe	96
PID 3572 wrote to memory of 4068	3572	Baicac32.exe	97
PID 3572 wrote to memory of 4068	3572	Baicac32.exe	97
PID 3572 wrote to memory of 4068	3572	Baicac32.exe	97
PID 4068 wrote to memory of 4504	4068	Bgcknmop.exe	98
PID 4068 wrote to memory of 4504	4068	Bgcknmop.exe	98
PID 4068 wrote to memory of 4504	4068	Bgcknmop.exe	98
PID 4504 wrote to memory of 2480	4504	Bnmcjg32.exe	99
PID 4504 wrote to memory of 2480	4504	Bnmcjg32.exe	99
PID 4504 wrote to memory of 2480	4504	Bnmcjg32.exe	99
PID 2480 wrote to memory of 4520	2480	Beglgani.exe	102
PID 2480 wrote to memory of 4520	2480	Beglgani.exe	102
PID 2480 wrote to memory of 4520	2480	Beglgani.exe	102
PID 4520 wrote to memory of 1532	4520	Bgehcmmm.exe	103
PID 4520 wrote to memory of 1532	4520	Bgehcmmm.exe	103
PID 4520 wrote to memory of 1532	4520	Bgehcmmm.exe	103
PID 1532 wrote to memory of 2388	1532	Bjddphlq.exe	104
PID 1532 wrote to memory of 2388	1532	Bjddphlq.exe	104
PID 1532 wrote to memory of 2388	1532	Bjddphlq.exe	104
PID 2388 wrote to memory of 888	2388	Bmbplc32.exe	105
PID 2388 wrote to memory of 888	2388	Bmbplc32.exe	105
PID 2388 wrote to memory of 888	2388	Bmbplc32.exe	105
PID 888 wrote to memory of 2860	888	Beihma32.exe	106
PID 888 wrote to memory of 2860	888	Beihma32.exe	106
PID 888 wrote to memory of 2860	888	Beihma32.exe	106
PID 2860 wrote to memory of 4108	2860	Bfkedibe.exe	107
PID 2860 wrote to memory of 4108	2860	Bfkedibe.exe	107
PID 2860 wrote to memory of 4108	2860	Bfkedibe.exe	107
PID 4108 wrote to memory of 2652	4108	Bjfaeh32.exe	108

C:\Users\Admin\AppData\Local\Temp\10a132d14245f6fd77da75b34ee343f19cb9b96593112fee6f39f661cf62313c.exe
"C:\Users\Admin\AppData\Local\Temp\10a132d14245f6fd77da75b34ee343f19cb9b96593112fee6f39f661cf62313c.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Windows\SysWOW64\Andqdh32.exe
  C:\Windows\system32\Andqdh32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\SysWOW64\Aeniabfd.exe
    C:\Windows\system32\Aeniabfd.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:780
  - - C:\Windows\SysWOW64\Afoeiklb.exe
      C:\Windows\system32\Afoeiklb.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3708
    - - C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1896
      - C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2480
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4520
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:888
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4108
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2652
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2428
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1004
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4320
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:464
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1236
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4820
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:592
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1432
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4536
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1368
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2340
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2116
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1260
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1348
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4440
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1396
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4256
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3392
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4260
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4112
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:372
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:920
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4532
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2348
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3780
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4596
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1148
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4228
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3524
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5076
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4452
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4452 -s 396
        66⤵
        Program crash
        
        PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4452 -ip 4452
1⤵
PID:1156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
89KB

MD5
d5b837c5ba9f579fd91f91ecade1bb95

SHA1
58e2502cb21b363c5aceb4134524ee76ab78ba72

SHA256
d901716da2cba44ea27d06093d7b1a6c48dae53277dd8cf7f2a0ab67a9d7280d

SHA512
9d880ec092d52ffb9d446772c68e3fa5359af50cd7cfebb64dadd0e6cb448d442ae3d03af725d982f9754e3c27481031b295845a5efec846e7a07d63309896d1

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
89KB

MD5
f8a2870ed6c3ef541db8050898b1b7e4

SHA1
8708a8781f5b69b2463a74db15ad7f30dfeb3c13

SHA256
4ba12b52fc341813e245f218f1e8cfbd1b2177164ebc314ac562e4acd92141fd

SHA512
96911da9a348f22146d1b526fed63674e6d05527a4d3806bb7156fd47cfd7dadba13040381dbce5599a1fc228d0b268617707e31eae01c8d7b07e8f1fc28d020

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
89KB

MD5
6359c3bd65456b4a24e9d0161288948b

SHA1
e1a0ffa5de9a5d3ace3a7148944564c6e5f38234

SHA256
7f95455e403ca83a2951ab3a317e4ffc6475bd11e7c3fd294702ea395d3775c9

SHA512
586748d27f620099f61fa4d92670e5337bae34cbb9b8278aa573bcd1cc401ddfa1e6ef63625d4022482997c01515bacfd9e76f9d7a92613ad2fa19d603eb2964

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
89KB

MD5
ac0b1ac6d28bb429980abe80cb626e54

SHA1
a9703fa382cfe3dc6555d5daa7d485142424391a

SHA256
17ea5306f6eee79134586e8bde408f7cb327b7e71a84836a181bc9b1a5063139

SHA512
8689d24b91a38093dee1af68f0c28b9bd93ca956187a67c954c47f43e79d3813b307e04be4b7f50dab5a6df824a0cc111e2563e8626b2701e67d41e7e710e65b

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
89KB

MD5
85615ef76427687b9c0d9c0dcd1e0902

SHA1
5a98089a9c2d98bfa6473fd2dbcc43be8b84f335

SHA256
f89f6d1f4c02533243ee60463a8f9a7945d9377bdd7bfeb46627988226596be8

SHA512
8a41a971561887319500f0d26d8c3b4e4e130a9d177aa3d51fbf0f7237ba27e55510cf6b81d6f404c3114e8b4fec8ae7c0d8b38c1923600deec8e9103a85f4c5

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
89KB

MD5
18f0fbbc6ba86365ba9799671c619630

SHA1
362047fdbd028bc606d05070356a7aec85a89a8a

SHA256
0a18de4ad82deb306807bce1657bd10e5fbb804aa0a5a9e02d7c3a9f170dbe4a

SHA512
aa90e1dab2f9a029e91de576b1ef7558bc6f279400074b8649169970a448417d75f6c8a5383d408e884cd2ae03a8faaf5b41f5db96e971215368857cb1d1eb25

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
89KB

MD5
0836d2c18964678e9018238176c0def7

SHA1
d19e60115ce8293b87fcf4264b2d6f521866a561

SHA256
49ce01669fc318b6f85166a1493ecf299ab755b2b9f67081a8fbbac553997222

SHA512
6df26421949345b2a40e894a6af431a800cb2ff96d226f76a11d4cf429f7476dab0fafbd6fddffc75d82a51b3ac5b26f6be4f021c500be49844864391bb41cef

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
89KB

MD5
e7f0f759ad91ecb69dab5b76d6558e50

SHA1
dc6547575e4f76b7e21d17db872b123688eae8fd

SHA256
64ad4978bfe9b0ef0bade7c18238620a4ca601459a5e710d9eba39faec611125

SHA512
fa552a2dd3c45a304777e69f79895a457cbb1f005c32dd91363440970ef1fc11c6cd4f4ff2dfbd60f4781d20a06fe7ca308c93dbace389ee977e0a8755a087db

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
89KB

MD5
4eb10f476835667c4cb30c766b193710

SHA1
922eaefad00de7e9c81ef952cc083afff4d1c404

SHA256
9d7e897b91389179e74773c8ce99b93ac763b5c76c83a3e5f7b3e3ee6427a5ea

SHA512
357d4ebc0558acc359d14183ae1aaee66a63c7a7a7c9349400557ec0e232de685085010bdc51ca4247aadb459702ffcfaf7ec7496eab743d4d600bf731c86e45

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
89KB

MD5
658a025804b7c573524fbfc9d620a1d9

SHA1
952771eb413ae90410c15bfb278e0117a487c319

SHA256
34e4fe6350cfa3b432b6838ff9b394fa0d9dadc0022cb0f3e4e8fcf95dc9b0ff

SHA512
f0dcd27abbbef1c1bd64b300fa6bfc5ea9ac5a1fa7f5dc93f9f0a36e6d4af14eb7ca20cc0157850c35e463afcc683cb365015864954d2fcd36e159e7c6364b1f

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
89KB

MD5
a4d115d34e8e936aa50008d9497781ae

SHA1
7339660bd7e3fb39e1a4ae348275034990025959

SHA256
0fb81c80f45870f8527d17fff0c782995c77027b644e94cb42aecf8782096242

SHA512
63a86254b11cebf82349919b0ffad3a422f6e8675837eb80fe550ee7692572121cdcc0582bdc6d93959534cb3311d5f0e52d7c82653d5b17f38e829af00d2a64

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
89KB

MD5
8bc425ccb54d47739de8bcc2f9a5bb7d

SHA1
e8112ddcbc2eccf96a6cf7b1890d9d552d4983cc

SHA256
ccb1d37ae078823286f569664006ea98c05110248d210428b982ccc088c7403d

SHA512
6e73a62b59d4d0c369d9ccc5d107dde9b3897953878fe3704e3ab9f8a2fbde4e2b5ea55b751986a45af656d90b9e0ba07e3888cbd527958184c0614c569d67f6

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
89KB

MD5
1e67ec267e210097c628d39bbcf8a71b

SHA1
095d517152256b1354f0a33dedd212098e0c3b3c

SHA256
535cdf34fa3398938da11db4c7c5fade46163e7dc05bfdb12726870b16383aab

SHA512
9090672fbf35eacc8a418a3f95107eb791393d3bef19c660db42d503bf913b5468ee0f0f9dacc9371b8c26491dc9f93a995403a6ace706df810f863c91d9191e

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
89KB

MD5
2efdbb10d1b34c105bacea7a5cae41aa

SHA1
89ad9127ab88cfefe2f5aba21256baed7630d502

SHA256
380d2f8c9adc7bfa3607c23fdbbfbd3150da8782de9e6f5de361c20c10816dbb

SHA512
1c9fbb2bf0dc9a1bed57c1c31c32ba57211f2b10e9346676671c7fd13010ad1f96095258d899698966a0416601809ccf8741bd9fb1ab480f55a588201d552011

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
89KB

MD5
6d58dcda039ba3ab3d141411a2892e86

SHA1
31b85ac8c5f866ebd2a7fa27d3d9cf5ed848a640

SHA256
d18897576bc643cbfb1d02f85b21bb8003f7efb76a3098e1c72d4d73122ab213

SHA512
07992ef2c8466c74621b952fee5416d7c2b32f24beedba517b9923578bfe21ee06f136eb8c476257d5dddf47866e782246fc58295b79d96cd83a3b54caf98c25

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
89KB

MD5
6b78948337c15d53e109d7aec5f8e3ca

SHA1
1fb757c7034f974e323e909d22a7742b3c6bd778

SHA256
0e674944dc0bd4626b3c29c26cb59843859a9c3507c08e58b3a9515e6ce20450

SHA512
adb8517933344cab64632360f2b4fb6b8bc5a6a7aa606389048c57bf93ff0de2b9af9c62aaf19120b3f10beb7bff90d63b7582afd3e39aca70a8003c71748382

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
89KB

MD5
83ca9500b080a364554214db34f2d24c

SHA1
fca06083827ee3a72ac659dcb5bfcd9896c03fd3

SHA256
16579e082310152cf2f826d04973be3f29f388c49041479a93a693cc548b9fc7

SHA512
2b33c1ccd4d398220321be829912df401c6b04d5342f59e699045f2e733c3bafd6376eaea42638fb56a681b8b09889a963b1c9f22fd806598830b59e34f8e85a

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
89KB

MD5
37835749fde01b86c9541669f72957ff

SHA1
1cb0303a8b179a5e30a98d78910b929e4309e401

SHA256
d066fe7eb889ae31370a844e6f0beab521d87e92094bbc6821b950a849c2d8cf

SHA512
87f7f7d8a90c46e80cda3fb936a5de35aa62dd3fd445f597b0089bfbaa2a0819e80cbcd2d09e93b689e463b967f5ea2d2da4d39b3dad3f58741532e6d5406156

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
89KB

MD5
ffd6b3ea19de367c44bd30d8d7ad9fd4

SHA1
745a15a41877da23ba3e304ecaf42f08dc806790

SHA256
dc88e79adac8aeed36207c31db6f1130c7e94e19ae5b7c529df44660d430962b

SHA512
093578e978120d7ad0fd107f253fb2a8cf037464c17c1695981e3ded7f763b2fc880d0f999ec0baf560cc2f942d4cf1ac9915184b77bd72d8e35abbb4fdfc738

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
89KB

MD5
b851468f423d666b07aeb52d8463450d

SHA1
e160d11705db9b7551580a70294e3be65e89b746

SHA256
e19d295e078fa2ad6848640dcf3b04e39063410c79fbf5e90c3a50ad00c7035a

SHA512
aad92a89ebb192392673acafbb138ac0e4548c15d92af2596c84591b666465da9f05d4c6ffb920765ded513b2d806dd8e867754f50b2418f0912c0c0a9962f9c

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
89KB

MD5
246a1620fbd48cb3ee4334de4f05dc58

SHA1
b13b199d97951fc8b69ff846d7680ae2c773e88e

SHA256
3ed4129ff95597133fef7370db650c881a2184c5ad9b0ca2ad8286b3c3c58e03

SHA512
e2e14dc2d32a59fe4d85356c906acfb7ab4370b8d82ad9115b243596589c38a16f53dc7963117884a9c0ee947eb516a2165ce55b3a3b959674ae301e74eca848

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
89KB

MD5
fb1a80987d675d14fa568699070ea6a5

SHA1
1857b9c229cd913cb5e8538d1f3a9353b6d2ad05

SHA256
4b1b80a2547d110b57106897bd6151fc1ab8f55dc045a55809e395c80d70c48b

SHA512
646ae4214e16cfce1a015023818d638f245a6aa708e61d6e7d0206ee8de1da1f6c297fbd2aba595c8750546b130310b78f33b7ea3ab52bf27ef6b32762aafc8b

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
89KB

MD5
15bbae934a937dfc47ad3c89eb37bf99

SHA1
2182be511bd5f68465d84e2367642e67191faa3f

SHA256
6c55606fee3ad3532d35ad36c39802fa3aa2675e1a83a6576f940983f345ee6c

SHA512
d59fd8f44dfa388729ec5eb009b869aca4911790fca5e3523ca3461027b01a89208f4673de3022f0234490a7857f6a3273ecf9f44870c897e3f247a665d049fc

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
89KB

MD5
1681ff66289902a2a41813e4c7545af6

SHA1
44097fcea38cead6fba6b3989fe76b8b4c166a93

SHA256
a33a8625125f27615c22d17a056bbbbc9aee20be82f2abe0762d0cf27be6b644

SHA512
075752a6912099e2dcf2cd9498e9ef69695faa98127f1f4502c893701629f77f8bfd726385a4c4362ac4af880726563d578e069093304fcd9b84b471735b2628

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
89KB

MD5
1ec9b655eeaeefc8d64afa35ca14358b

SHA1
519485e1286531146fca533fefddc0f638e732d0

SHA256
33e9506940821d62c772cadbe8e94a1ae7a47746ff00a5bc612b8a8803ca3af2

SHA512
ea9cf11ed088397b0059bca8fa0ac4fa1ddb33c914f5e7f55548846d134e65d4505368a30e9d40b06015812dd16dcc47a2b018f03129e8b0e2d4c0c59b3a5f78

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
89KB

MD5
e2e80dbafa68ae9c3f8d0743bd98dedd

SHA1
21b428c5d19fde426fdf7b361247df85862bd2a3

SHA256
3f96f64f14b4a47364f5dfc467e0ef8774e6256fce36cb6d66f1c09c9ef02f6e

SHA512
2b4cfef00b5627c3f53858591fe343057c3a7a2da5691c13a0766b8414eb1cf8214d318f90f5ff1928f6a44c78b2c4ec865c8a6e2744ad039e2c0e4bb6947d4a

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
89KB

MD5
8450a7d04afd12dd0acb0c91d90f1fb8

SHA1
3edf747fa2468d9f05e9cd25945cac32c117c89b

SHA256
ab1821a420fe5eeabbc041f5fbf6583880174abff47ef5f31a3177b15d114345

SHA512
a186c63b6033b94e3f7e2ac3e8295d5078bd8f5b9eb8a74889c4cafed62edc15d034b8232f2f8ddc9e88512c6d434e2e7c5d5321de6f60cc9419af0512cfa346

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
89KB

MD5
e03920f8c48a7dc053921814a3f11a7c

SHA1
a56ee42fc77c2675c9d4c32a97be641f131463d1

SHA256
b9513d8b11f14cbb1fca8305654e6b078300c7a7b6a1a09317f1984f16ee6bc2

SHA512
70f2de9a503aa2e6516e3fd6161a25438d878fdb7d99132c4c6007becb79f506875f82d7cdd2645206deb10bc461ea10401e77e7de3f14d143547bcdaeecefda

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
89KB

MD5
3c5ba972da14fd3c91054bc5642d8093

SHA1
6598af1be8e60699cd86e71ef4bbcb8c383eaeef

SHA256
ca941043ded60f00b46e20efc779d4f8d2e684d617e0340b8d4d534aa82bb9c1

SHA512
6bb0d9296129c39eebe42107bd6adb286a1c09c8cb04fda35d70f38f7cba4433a6c3e9cc9ca17364b6c6b5a7c3d9eba863634abde4276f6047dc3786454cc0ac

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
89KB

MD5
49a899f6b0ce56655e8a087f0858c665

SHA1
f55576137842315812443eb6d494eca7638ec3d9

SHA256
81fb13eb4b979f5c99ff4938fbe6d9b38571c694ebf6671722db3602a1ccb28b

SHA512
bce18ab3e053b1c44a6545b66f271968d895a1ea4fb17af0c5c2f6a902f6b81abbd2a58f4f172690d7eafc25ab0ffdf5f99df75014f070ff711b79c766117a1d

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
89KB

MD5
574a92ab468a3d7a1c33fba4d4ca5ac3

SHA1
94c2fe9f2cc7c6d4b0d793a802db19945bb508a9

SHA256
bd0e0d6760d1c809f86e5a965b9a1a7256356401486ee9f85913a472045a0605

SHA512
b117ed8b7d52d24dc3f30fd230f6737b97a1dc1dcbf4271feb857e9a2ec7370c994ae3d2b031ccb2bae96cb7cd8d9a280a2929a248c1634d84cc611ffed78846

Download Submit
C:\Windows\SysWOW64\Mmnbeadp.dll

Filesize
6KB

MD5
8220d2697473a74c8554e778e0b24f50

SHA1
41e0a7e9b003dfd29180014c3c09422ee37f87a0

SHA256
cc74f026e79394bbf31ab6918b7e6e77f3c1487d7f772dcf6839387ba8b18c9c

SHA512
0fe40d132c08e90874f7b0747cfea44faaf49631a3a28ae2282406e4210ff6b7813920fbb5ea0d731270bb06c3b03abbfd4ead7f8eb029adc33033a6236293d8

Download Submit
memory/372-457-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/372-379-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/464-213-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/592-245-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/780-16-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/888-152-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/920-456-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/920-385-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1004-197-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1148-421-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1148-450-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1236-229-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1260-469-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1260-307-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1348-467-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1348-319-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1368-287-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1396-465-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1396-335-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1428-64-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1432-271-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1432-473-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1524-72-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1528-454-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1528-397-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1532-136-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1592-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/1592-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1896-32-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1960-367-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1960-459-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2088-474-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2088-265-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2116-470-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2116-301-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2340-471-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2340-289-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2348-403-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2348-453-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2388-145-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2428-185-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2480-120-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2528-463-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2528-343-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2600-80-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2652-176-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2656-189-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2672-313-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2672-468-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2732-8-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2772-56-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2824-252-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2860-160-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3380-48-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3392-462-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3392-349-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3504-40-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3524-448-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3524-433-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3572-96-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3708-24-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3780-409-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3780-452-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4028-259-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4028-475-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4068-105-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4108-168-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4112-458-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4112-373-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4228-427-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4228-449-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4256-464-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4256-337-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4260-361-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4260-460-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4320-206-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4352-461-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4352-355-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4396-221-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4440-325-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4440-466-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4448-89-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4452-446-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4452-445-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4504-112-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4520-129-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4532-455-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4532-391-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4536-472-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4536-277-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4580-299-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4596-451-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4596-415-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4820-236-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5076-447-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5076-439-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads