14e853d76f47836ee81af5ee216c2be655c2ae5572f81e54fa15d657d0338e53

Analysis

max time kernel
110s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/09/2024, 13:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e237325d992fb81351ac39d13de79b60N.exe
Size

2.2MB
MD5

e237325d992fb81351ac39d13de79b60
SHA1

283976a1aa79c2f9eaa468cdeec03f3d6ded649c
SHA256

14e853d76f47836ee81af5ee216c2be655c2ae5572f81e54fa15d657d0338e53
SHA512

de46ec9dfe75a050a4aeab37f2ce0fa9f8d40aef5e5dcbe7475e5bf8cd0a4d2f601f75adca2352af90fcc0e9f47130a45d1ef7feb6b8a56e6cfdd4e7810cb8f8
SSDEEP

24576:dq5hM5Dgq5h3q5hL6X1q5h3q5hPPh2kkkkK4kXkkkkkkkkhLX3a20R0v50+YNpsW:bI6BbazR0vKLXZb

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nckndeni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nckndeni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jcgbco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jfoiokfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Iihkpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Npcoakfp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdhdajea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfhfan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jlbgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfhfan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	e237325d992fb81351ac39d13de79b60N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ojllan32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Oneklm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ojllan32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Jefbfgig.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kplpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jlbgha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Kdqejn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Llcpoo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdhdajea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Jpijnqkp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Kdqejn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe

Executes dropped EXE 60 IoCs

pid	Process
2904	Iihkpg32.exe
3632	Jfoiokfb.exe
712	Jmhale32.exe
3900	Jpijnqkp.exe
3672	Jefbfgig.exe
2476	Jcgbco32.exe
2960	Jidklf32.exe
4312	Jlbgha32.exe
1492	Kdqejn32.exe
3836	Kipkhdeq.exe
2432	Kplpjn32.exe
3556	Llcpoo32.exe
5080	Llemdo32.exe
1424	Medgncoe.exe
1428	Mdhdajea.exe
1904	Mpablkhc.exe
1524	Npcoakfp.exe
2396	Ngpccdlj.exe
1332	Nnjlpo32.exe
3504	Nckndeni.exe
628	Odkjng32.exe
4124	Oneklm32.exe
2748	Ojllan32.exe
3800	Oddmdf32.exe
536	Pfhfan32.exe
1452	Pqpgdfnp.exe
4772	Pdpmpdbd.exe
4532	Qnjnnj32.exe
2444	Ampkof32.exe
2012	Anogiicl.exe
4324	Ajfhnjhq.exe
2296	Aepefb32.exe
3944	Baicac32.exe
1668	Bffkij32.exe
868	Beglgani.exe
1696	Bfhhoi32.exe
3668	Bhhdil32.exe
3732	Bnbmefbg.exe
2384	Bcoenmao.exe
3096	Cfmajipb.exe
860	Cabfga32.exe
2264	Cfpnph32.exe
3240	Ceqnmpfo.exe
4360	Cfbkeh32.exe
1040	Ceckcp32.exe
3448	Cjpckf32.exe
3908	Cajlhqjp.exe
4292	Chcddk32.exe
676	Cnnlaehj.exe
3356	Ddjejl32.exe
4744	Dfiafg32.exe
4872	Dejacond.exe
3680	Dmefhako.exe
4232	Dhkjej32.exe
2144	Dmgbnq32.exe
2600	Deokon32.exe
964	Dogogcpo.exe
1860	Daekdooc.exe
3088	Dgbdlf32.exe
3204	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Flakmgga.dll	Iihkpg32.exe
File created	C:\Windows\SysWOW64\Lgepdkpo.dll	Nnjlpo32.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Bmhnkg32.dll	Bffkij32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Cfmajipb.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Memcpg32.dll	Jidklf32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Jlbgha32.exe	Jidklf32.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Igjnojdk.dll	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Adopjh32.dll	e237325d992fb81351ac39d13de79b60N.exe
File opened for modification	C:\Windows\SysWOW64\Kdqejn32.exe	Jlbgha32.exe
File created	C:\Windows\SysWOW64\Odkjng32.exe	Nckndeni.exe
File created	C:\Windows\SysWOW64\Gmdkpdef.dll	Ojllan32.exe
File created	C:\Windows\SysWOW64\Pfhfan32.exe	Oddmdf32.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Jidklf32.exe	Jcgbco32.exe
File created	C:\Windows\SysWOW64\Fhccdhqf.dll	Kdqejn32.exe
File created	C:\Windows\SysWOW64\Qnjnnj32.exe	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Oddmdf32.exe	Ojllan32.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Bkjlibkf.dll	Mpablkhc.exe
File created	C:\Windows\SysWOW64\Glgmkm32.dll	Nckndeni.exe
File created	C:\Windows\SysWOW64\Jocbigff.dll	Pfhfan32.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Madnnmem.dll	Kplpjn32.exe
File opened for modification	C:\Windows\SysWOW64\Pqpgdfnp.exe	Pfhfan32.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Ajfhnjhq.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Ndkqipob.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Llemdo32.exe	Llcpoo32.exe
File opened for modification	C:\Windows\SysWOW64\Oneklm32.exe	Odkjng32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3704	3204	WerFault.exe	145

System Location Discovery: System Language Discovery 1 TTPs 61 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jpijnqkp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nckndeni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mpablkhc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jfoiokfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Medgncoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Npcoakfp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfhfan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iihkpg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kplpjn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llcpoo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jlbgha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kipkhdeq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Llemdo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdhdajea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqpgdfnp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e237325d992fb81351ac39d13de79b60N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jcgbco32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kdqejn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oddmdf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oneklm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jidklf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ojllan32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jmhale32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Jefbfgig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ngpccdlj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhccdhqf.dll"	Kdqejn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kipkhdeq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mpablkhc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Npcoakfp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mpablkhc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfdjmlhn.dll"	Oneklm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iihkpg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Madnnmem.dll"	Kplpjn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gilnhifk.dll"	Llcpoo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nckndeni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kofpij32.dll"	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jidklf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Kplpjn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jefbfgig.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcgbco32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Namdcd32.dll"	Kipkhdeq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqplhmkl.dll"	Jpijnqkp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Kdqejn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igjnojdk.dll"	Oddmdf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekgcil.dll"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jfoiokfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Medgncoe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqgmgehp.dll"	Mdhdajea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmnbeadp.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Memcpg32.dll"	Jidklf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ngpccdlj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pqpgdfnp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhnkg32.dll"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Jidklf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Llcpoo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pqpgdfnp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ampkof32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 2904	1044	e237325d992fb81351ac39d13de79b60N.exe	84
PID 1044 wrote to memory of 2904	1044	e237325d992fb81351ac39d13de79b60N.exe	84
PID 1044 wrote to memory of 2904	1044	e237325d992fb81351ac39d13de79b60N.exe	84
PID 2904 wrote to memory of 3632	2904	Iihkpg32.exe	86
PID 2904 wrote to memory of 3632	2904	Iihkpg32.exe	86
PID 2904 wrote to memory of 3632	2904	Iihkpg32.exe	86
PID 3632 wrote to memory of 712	3632	Jfoiokfb.exe	87
PID 3632 wrote to memory of 712	3632	Jfoiokfb.exe	87
PID 3632 wrote to memory of 712	3632	Jfoiokfb.exe	87
PID 712 wrote to memory of 3900	712	Jmhale32.exe	89
PID 712 wrote to memory of 3900	712	Jmhale32.exe	89
PID 712 wrote to memory of 3900	712	Jmhale32.exe	89
PID 3900 wrote to memory of 3672	3900	Jpijnqkp.exe	90
PID 3900 wrote to memory of 3672	3900	Jpijnqkp.exe	90
PID 3900 wrote to memory of 3672	3900	Jpijnqkp.exe	90
PID 3672 wrote to memory of 2476	3672	Jefbfgig.exe	91
PID 3672 wrote to memory of 2476	3672	Jefbfgig.exe	91
PID 3672 wrote to memory of 2476	3672	Jefbfgig.exe	91
PID 2476 wrote to memory of 2960	2476	Jcgbco32.exe	92
PID 2476 wrote to memory of 2960	2476	Jcgbco32.exe	92
PID 2476 wrote to memory of 2960	2476	Jcgbco32.exe	92
PID 2960 wrote to memory of 4312	2960	Jidklf32.exe	93
PID 2960 wrote to memory of 4312	2960	Jidklf32.exe	93
PID 2960 wrote to memory of 4312	2960	Jidklf32.exe	93
PID 4312 wrote to memory of 1492	4312	Jlbgha32.exe	94
PID 4312 wrote to memory of 1492	4312	Jlbgha32.exe	94
PID 4312 wrote to memory of 1492	4312	Jlbgha32.exe	94
PID 1492 wrote to memory of 3836	1492	Kdqejn32.exe	95
PID 1492 wrote to memory of 3836	1492	Kdqejn32.exe	95
PID 1492 wrote to memory of 3836	1492	Kdqejn32.exe	95
PID 3836 wrote to memory of 2432	3836	Kipkhdeq.exe	96
PID 3836 wrote to memory of 2432	3836	Kipkhdeq.exe	96
PID 3836 wrote to memory of 2432	3836	Kipkhdeq.exe	96
PID 2432 wrote to memory of 3556	2432	Kplpjn32.exe	97
PID 2432 wrote to memory of 3556	2432	Kplpjn32.exe	97
PID 2432 wrote to memory of 3556	2432	Kplpjn32.exe	97
PID 3556 wrote to memory of 5080	3556	Llcpoo32.exe	98
PID 3556 wrote to memory of 5080	3556	Llcpoo32.exe	98
PID 3556 wrote to memory of 5080	3556	Llcpoo32.exe	98
PID 5080 wrote to memory of 1424	5080	Llemdo32.exe	99
PID 5080 wrote to memory of 1424	5080	Llemdo32.exe	99
PID 5080 wrote to memory of 1424	5080	Llemdo32.exe	99
PID 1424 wrote to memory of 1428	1424	Medgncoe.exe	100
PID 1424 wrote to memory of 1428	1424	Medgncoe.exe	100
PID 1424 wrote to memory of 1428	1424	Medgncoe.exe	100
PID 1428 wrote to memory of 1904	1428	Mdhdajea.exe	101
PID 1428 wrote to memory of 1904	1428	Mdhdajea.exe	101
PID 1428 wrote to memory of 1904	1428	Mdhdajea.exe	101
PID 1904 wrote to memory of 1524	1904	Mpablkhc.exe	102
PID 1904 wrote to memory of 1524	1904	Mpablkhc.exe	102
PID 1904 wrote to memory of 1524	1904	Mpablkhc.exe	102
PID 1524 wrote to memory of 2396	1524	Npcoakfp.exe	103
PID 1524 wrote to memory of 2396	1524	Npcoakfp.exe	103
PID 1524 wrote to memory of 2396	1524	Npcoakfp.exe	103
PID 2396 wrote to memory of 1332	2396	Ngpccdlj.exe	104
PID 2396 wrote to memory of 1332	2396	Ngpccdlj.exe	104
PID 2396 wrote to memory of 1332	2396	Ngpccdlj.exe	104
PID 1332 wrote to memory of 3504	1332	Nnjlpo32.exe	105
PID 1332 wrote to memory of 3504	1332	Nnjlpo32.exe	105
PID 1332 wrote to memory of 3504	1332	Nnjlpo32.exe	105
PID 3504 wrote to memory of 628	3504	Nckndeni.exe	106
PID 3504 wrote to memory of 628	3504	Nckndeni.exe	106
PID 3504 wrote to memory of 628	3504	Nckndeni.exe	106
PID 628 wrote to memory of 4124	628	Odkjng32.exe	107

C:\Users\Admin\AppData\Local\Temp\e237325d992fb81351ac39d13de79b60N.exe
"C:\Users\Admin\AppData\Local\Temp\e237325d992fb81351ac39d13de79b60N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Windows\SysWOW64\Iihkpg32.exe
  C:\Windows\system32\Iihkpg32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Windows\SysWOW64\Jfoiokfb.exe
    C:\Windows\system32\Jfoiokfb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3632
  - - C:\Windows\SysWOW64\Jmhale32.exe
      C:\Windows\system32\Jmhale32.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:712
    - - C:\Windows\SysWOW64\Jpijnqkp.exe
        
        C:\Windows\system32\Jpijnqkp.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3900
      - C:\Windows\SysWOW64\Jefbfgig.exe
        
        C:\Windows\system32\Jefbfgig.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\SysWOW64\Jcgbco32.exe
        
        C:\Windows\system32\Jcgbco32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Windows\SysWOW64\Jidklf32.exe
        
        C:\Windows\system32\Jidklf32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\SysWOW64\Jlbgha32.exe
        
        C:\Windows\system32\Jlbgha32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\SysWOW64\Kdqejn32.exe
        
        C:\Windows\system32\Kdqejn32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\SysWOW64\Kipkhdeq.exe
        
        C:\Windows\system32\Kipkhdeq.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3836
        
        C:\Windows\SysWOW64\Kplpjn32.exe
        
        C:\Windows\system32\Kplpjn32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2432
        
        C:\Windows\SysWOW64\Llcpoo32.exe
        
        C:\Windows\system32\Llcpoo32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3556
        
        C:\Windows\SysWOW64\Llemdo32.exe
        
        C:\Windows\system32\Llemdo32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\SysWOW64\Medgncoe.exe
        
        C:\Windows\system32\Medgncoe.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\SysWOW64\Mdhdajea.exe
        
        C:\Windows\system32\Mdhdajea.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\SysWOW64\Mpablkhc.exe
        
        C:\Windows\system32\Mpablkhc.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\SysWOW64\Npcoakfp.exe
        
        C:\Windows\system32\Npcoakfp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\SysWOW64\Ngpccdlj.exe
        
        C:\Windows\system32\Ngpccdlj.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\SysWOW64\Nnjlpo32.exe
        
        C:\Windows\system32\Nnjlpo32.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\SysWOW64\Nckndeni.exe
        
        C:\Windows\system32\Nckndeni.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\SysWOW64\Oneklm32.exe
        
        C:\Windows\system32\Oneklm32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4124
        
        C:\Windows\SysWOW64\Ojllan32.exe
        
        C:\Windows\system32\Ojllan32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Windows\SysWOW64\Oddmdf32.exe
        
        C:\Windows\system32\Oddmdf32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3800
        
        C:\Windows\SysWOW64\Pfhfan32.exe
        
        C:\Windows\system32\Pfhfan32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Windows\SysWOW64\Pqpgdfnp.exe
        
        C:\Windows\system32\Pqpgdfnp.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\Pdpmpdbd.exe
        
        C:\Windows\system32\Pdpmpdbd.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4772
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4532
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3944
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3668
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3732
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3096
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3240
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4360
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1040
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3448
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3908
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:676
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3356
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4744
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3680
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4232
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2600
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:964
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3088
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3204 -s 220
        62⤵
        Program crash
        
        PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3204 -ip 3204
1⤵
PID:548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aepefb32.exe

Filesize
2.2MB

MD5
8009035254ac8ca2c4e59260980ad1d6

SHA1
b0db83f44989d0836b7ae07f272b91d9de8c5297

SHA256
cedb85215196c6cf6aa13b7826e00424ca349e9eda7f569aa1340d8d0c8977c5

SHA512
e74232e526bf8b4ecd66a5426dfa4f48122419c2614323305f41d95ec515729a85ab356c9154f041e23c0a8c3a0a0a659eed18925740c70c247dcdd48b2b494c

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
2.2MB

MD5
c3fc45c620ac34601d138dd6cc2c9b7b

SHA1
282f6fee9722e8fb7c4d70bc201a7b8684fab331

SHA256
39db9968ccb41379547eb30a7398fb6c88ddd2be41907b380d59d679a3a6ab6b

SHA512
816760b978394db4fadf0741890f1ae260c06166cb61689e33b159451351cc9721c59a65ee634b60ac99d335d8797479aa04ec83257156dd7665b6fa413c8123

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
2.2MB

MD5
c089855720b4e04de240d91a199b8487

SHA1
fe91382d3a603121a2d26c463fd2ab75351221cb

SHA256
28227f24c2eb3f7d409c39626ecadbed6d5b9ecb7dce8f713ab628b254319e5d

SHA512
c7b4dee133d38b84591a9d52aa20682bbd2e4f59db4491eb1b81b56240a83842e95a6eb79e3e540cf1e386d4ba1d36afb0d11365232f78eb20010574db9bec4f

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
2.2MB

MD5
e6cd8ad16a4d41c2b6f8a1ca0f2642c9

SHA1
6d344a1821d0df27f77e1adde810b1f88bef0fb9

SHA256
8f184f6997d1cfea53030ba0da1a240e3d0f6c3eef54b5b70992ed711c00f416

SHA512
f3323f667eda6074efb26069e8a07db38453120ae62b5765ba74b3da89349b8c389b3dce44e864daf1f59b03516c74b0185271abc01cfabb77d2e27530dc307d

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
2.2MB

MD5
52a3e9b87e2e1b66a8d3388e9f8a6647

SHA1
3449cf7c212da32bc3d8c9c05b658f110d135f59

SHA256
5567bae97ea6a396eab222dd520cb8fb88123971ddde938d8f8da354d2287e7c

SHA512
2730d61fcb9f332bab477f33b25d252abc05514b629a1169331407807b92871b122dcf75f4a0c319fcc006d62dd1dca5894e1249aee920d5ff78bdfda9baebfe

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
2.2MB

MD5
c1e3dce116243e36f2c0dfc25a6523cd

SHA1
126f3a20b00f08312893c4018277c0a038410f30

SHA256
a44160b7207e04261a90ef32d5241c1d53ff198a34365c137f44aeabeeaadb92

SHA512
93d9b1169527abe6c6fdbd0b6f7360ad981a93456c325258d3b80b09a80467107db04b69e20cb482f7cc2eb34d92dffb9b7bcd637bd0072d46f8a7d09cc5029c

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
320KB

MD5
30897b98d92f276a0b3baf7488ae46b1

SHA1
837fe7cddd0ba129dc67439009491d742fd063f3

SHA256
e9189340aa3f862cecfaaebe607d358d7c534d581c4c86f9483f5e4996dd3a4b

SHA512
ba51c0cea2a362e1b8495e26c5c83a6d428a593efa05abed1f38dba854ed99e069ef14e5893495a8f85f32c5a8319ee3db17a23f2eecce20f653103da37d8d2b

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
2.2MB

MD5
24d41fe172458d94f323dfb0fab2da97

SHA1
3d61cbe1ee7fc2b4e8fafbdc15d072cf37da997e

SHA256
6a2954053f8c546eb9b377fe21a51401c8d55dda441ab60182568c3693134e41

SHA512
c424ce3492e799d37b196a707d6262525bca4a1c81eae9d90efedd4210fb8f9c62ba63ac859c2fdb097c632afbd499b7f4ad687186f3872a023cd1f82fb26a49

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
2.2MB

MD5
e0c6f6c4c1b181fcc2c8e2d7e7e6db12

SHA1
b0fb72f6315f0c7c64a43cb1d6ce71ae4f98f37a

SHA256
a9c0c63d0f7745ab113accd86f32a01b6d44516f756e57ff71c6ec394a46d1ab

SHA512
ed6c4b7a7e9dcc30ef90d5b0fb0bbd7dd6231f973801e52119b698b7fbbe5aef55a1e6d8c7f86709bc4f11c625cffe649f1abbe3ad7cb0bb59636d28c52a8c1b

Download Submit
C:\Windows\SysWOW64\Iihkpg32.exe

Filesize
2.2MB

MD5
10b6ca2a8116bcab869f8e7291e73317

SHA1
c18f1c76770253ab3e2d8a9fc986bdd08cfdf47d

SHA256
eb5e8a865ab72647d1f6ad0d861db39872a9b5ec6aecd2677f399fbde78f9c58

SHA512
3ea8cc8fe042dcf6161add4333fde82bd48bf5e801f5141baebb2032c44e991dcea79f63677825b792af853271dfb5693287cc5be391cd3dae0599f370526875

Download Submit
C:\Windows\SysWOW64\Jcgbco32.exe

Filesize
2.2MB

MD5
0ca6788fcbaf16591155babf52637272

SHA1
43d120f1064888c22f3bd9c033d1aef2592e2231

SHA256
1137632af13ea0c2939eddf713294ff714d5501b8671f5dc4bcdeafb3282d4db

SHA512
31480da905c6ea21fdfa7976c490f554066a04440cda8c3a2724f23767f7d3491caf7306192d21040a3f71a0cfa246c2cfdd40e094549c89722f8df2d2756dfc

Download Submit
C:\Windows\SysWOW64\Jefbfgig.exe

Filesize
2.2MB

MD5
9838a73493a8721a0d7b76ef504a0f0c

SHA1
e9695880cc48cc188fc46f4e95cea729932f241f

SHA256
dece6834bdf46a7d06e0ba3b3c806029350b62d6eba594698be73785d0105361

SHA512
9e54b2da6a0294b7ef28359be95e8a66b5ab145149a2ff4003b123b2ff018859f0678091948eba42dee37f01796d2587d2983b1076831f006e0568e2ce04cb9d

Download Submit
C:\Windows\SysWOW64\Jfoiokfb.exe

Filesize
2.2MB

MD5
b59f25a3fcf06eac45d67cc07f8d3f86

SHA1
dd89ead59d305ff35e6f82a218e5a52999170eb8

SHA256
68d45febf73ab4b7daef877aaad441cf8a9d2430b593286c5b8ea95a857b64d9

SHA512
90d92606df102d531b8789eaddcaf0a7529a7801d4cb2d749126579c0eb4f31a585d19c9c72bddd887899e5cd760430525e09a7c6738372e20dc7f84628cf531

Download Submit
C:\Windows\SysWOW64\Jidklf32.exe

Filesize
2.2MB

MD5
7e16e34881e496d84feeef463df3f2ef

SHA1
0306d944f150e3289c17b11ef35763ad9b0eb9aa

SHA256
2a89a7d4b830d868d77a8dfdba2a36d7a56f605159a51f1d19e2fe16b6a843d6

SHA512
2e8b992ca2d3962da4b57d47278e4dc16fdfb09b3298d8cd85a1536688da373ce76c50112b25f381a6ae15fb445be6d9b0f7065d88e3f6aef883f9191b13bd8b

Download Submit
C:\Windows\SysWOW64\Jlbgha32.exe

Filesize
2.2MB

MD5
70c3c8a0f0ebb379bac6153e7a488015

SHA1
ab0f62908867d359deb5c0dbc99f5ce4056bf4b7

SHA256
9294a81150f95eec1b8dba94848108ba8495b7223fef9acd2b07cbe739fc3919

SHA512
90b14d28d1c0d37baf16334091d821cd4410c5da65d504d1d7bdfd4ceafd61dbd18d2b8ec47fe71084343a7a6b4b932e197724d4a4aa8377f1d34918470a9be3

Download Submit
C:\Windows\SysWOW64\Jmhale32.exe

Filesize
2.2MB

MD5
0fc2e69c4c1a02beb1013a597468bf34

SHA1
2366ded2fb164e55fe1375074149162883a93843

SHA256
e4d052f751262fcec2c97f862074ae6ebbf3892c0d46064fc629627432e8705a

SHA512
00849de47055cb73e8385a18f6cabe45e1b5e7dd5cd082cf35fa2af5246908eebe3d924c507bbc29ee02ad418848da713153b16b15d6f6942d2a258f4e4c39a4

Download Submit
C:\Windows\SysWOW64\Jpijnqkp.exe

Filesize
2.2MB

MD5
ad2f072c2d407170502d2fa22178203c

SHA1
7a814cfe0950ae1667f91373f7edeba23a4f6ee3

SHA256
3ea30ab0c672c1c36a96a27978327072aeeed950212b81b86981707e1d5fc5b8

SHA512
a45e244d1e7e6f6eb31e3b60a3f83064c20ed33a54ea4309822850d05848a267fd50a0da7c49c4e412ecb014b4197dbb6e538d8802f33c767efd66135a5e69b7

Download Submit
C:\Windows\SysWOW64\Kdqejn32.exe

Filesize
2.2MB

MD5
d839f61235dfe33ecb8bdaa8568be7d9

SHA1
40a369f479e04d3a056a25a99138b80ac3df6f37

SHA256
469f50426a104b4498a38dc78935c31d3960db4a9cce2a79b3e409fe8404ddc3

SHA512
9ece86a89658d58b3d4199a8e85ba3ed1e07a9e0d0be74ba2d27933f2e3446d5240e6f6d481d057c91644a8fed3b6c30b956395ea6ba7cb0fc67ee186c257fd9

Download Submit
C:\Windows\SysWOW64\Kipkhdeq.exe

Filesize
2.2MB

MD5
39ddc4184e8822588b6ef32e63287c43

SHA1
cf7ff422d5ead5d88cd9e7e3d3f9b26757bd9b3f

SHA256
469ad5a704cce05c1cd4d3e518ab9d5ae83bb2df956ddd74d085d8a55e164943

SHA512
7ce1a040b1c124775173488188054c8158b808137cc985b9d9f32066bea109df47b5cb11968fad6b9ecd43fa1a404c2bf368d2b714ba60d8957431cdf192e8c1

Download Submit
C:\Windows\SysWOW64\Kplpjn32.exe

Filesize
2.2MB

MD5
3dc474cdae5a1009f1ee4fc3a8503f04

SHA1
c23f0bfcf82c3b9a150ae943dc476213bdbb6c48

SHA256
f80d2cb10ce8c99f6b013ee17ab1c2ba52e02bdb5686acad0c3ffff577e616c3

SHA512
fbd1eddd34155bd3f70d9ab280cbfea860c1860df4dc9113eaf88aa316464d55aefb70698d34efba5b57036c46dfdab85deb0d6a80a3fda24936c910f4b2c29e

Download Submit
C:\Windows\SysWOW64\Llcpoo32.exe

Filesize
2.2MB

MD5
3cd0e09d1c7e9d62833290f384ef0d5c

SHA1
b249da035f330910cdc00f2d097e795bfcd8d3f8

SHA256
29440dd6e5dfe99208bd8c665e68bc55846654dbcfa4f53317b7573b37d81291

SHA512
26b69c8d98f1a2ef4d9f02dfde317dc5465a9fece313878d476cee2a784504cccf34e6cbc72dbe0f20d00a7e4fc539bb2a0f7f9ec10b99d291ca482d93468e27

Download Submit
C:\Windows\SysWOW64\Llemdo32.exe

Filesize
2.2MB

MD5
6ec2530abf12be10199024168324290c

SHA1
ce90dfc15edc0116b237bb3b3e42595fc0d82d8c

SHA256
3b1c3f8293d2ce89deaf2f8f1e223e0242f23ffbf0ec6a038c034409663c02d8

SHA512
48016e973c183e15bb00be1b94b7668e96e87c066c872b38ae97a46499cbba3428d76acdabc4c72ab50c24176d09c91300d1c04fe75d02e4d50e1855b7adc3c6

Download Submit
C:\Windows\SysWOW64\Mdhdajea.exe

Filesize
2.2MB

MD5
a8aef8db115c6f906f3bbd5b998f024a

SHA1
497332c376d8be132e9613ed38b65b54fac2942c

SHA256
6cc5cec7bfa05a6186b6bd769772d917f71f655e80de3e1491087e320b78b173

SHA512
ae58f7fdd4341263a9f91f1bcd4211efdee93fb533c7ff5dbf52cd51b9cbba39dc8cdccd5a040e05afa8b5d19c86a798efc279a2ff04d798499abf93501d5f5d

Download Submit
C:\Windows\SysWOW64\Medgncoe.exe

Filesize
2.2MB

MD5
61c8cc7bac37e0ae2eb77458c8702eed

SHA1
2790d3ce4d8cfb5230f411be42404cd8312e5fec

SHA256
d86a7cd30eb5dca6aa17f03fe4c2d89c263a540e490ac94deda3c2cc62be6d1d

SHA512
a1cdb1326434dfbc25b8d67059a012e4a61ae59756623872c50644c73e8735d3a1eca5c6237207c758ae112065b342e40ffdaded7402ceb0f156cd9b53837a8d

Download Submit
C:\Windows\SysWOW64\Mpablkhc.exe

Filesize
2.2MB

MD5
d816127338cf534cd750cd311df41fca

SHA1
004b2de4fa5700daa81dcbc31dd4b3e8f7588902

SHA256
5a83ad5ac59836a06e6d0c239ba7a72c0eed9a7f60055f9168edfc2735a20d06

SHA512
65f54439937a3d2e928850c54c7e1e15dfde5f785b9c944cff918128394af0f1dc2693e8fe982fe084460293d2494069571764345c192b0fa5828dd158a04ba7

Download Submit
C:\Windows\SysWOW64\Nckndeni.exe

Filesize
2.2MB

MD5
01e1c94742df60ccb5ba18bc56a4f801

SHA1
1eeb4cf76f24c86fb6bb7551497a9d83fc183180

SHA256
2d5c1cfea01ada793d476c2dc30fafaad26f25bb1fb0cafa2db48cb83be0e117

SHA512
b9b5975267d682a68ffe7b7f7ee6694306031d16bf26e54d3d5bfff2b2bb1de788ea74b093643bd4d4a7afb0572c7b91ed3345618db98576c158b3af52449108

Download Submit
C:\Windows\SysWOW64\Ngpccdlj.exe

Filesize
2.2MB

MD5
f67ad86a6ed8d1786b8416f074f752aa

SHA1
bda62d166c12cfc667b1e680d35662e7b870cf6e

SHA256
185c77e14862bca310487957a432a7c88b65ae2ed572ee62e8a04299fff68854

SHA512
bd0120ac60e7b7c7ef983c16efa8e8e19795b1f8ff31a2a5ca473d01b385a4a7137bb27bd5d923ccf731b94d9accd3c2d7fc2bd1b2cb32132507b5611e92f969

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
2.2MB

MD5
71e20a3db76b1a9a5d4edfffbd54dbf5

SHA1
11524ecbf1112687ef775b2bb32f063cf2f830e1

SHA256
c57c818bdf824e44cd8bcccdd1ab3307bfde720db7aafe29202b1ee630975026

SHA512
bc64e69982ff02b84fcd144f4c5380cdd87cbec4fc0ffb2045712106760c10df77c5a9b08b7f1508798bcc8f6cf31314cd480a871a33fda5a3d59ea02fde7215

Download Submit
C:\Windows\SysWOW64\Npcoakfp.exe

Filesize
2.2MB

MD5
7af82b7800f90c9b5d6c0b0b3dab690b

SHA1
b42b589ebf9d69ed32309b5e1c22d468bb4ed2ee

SHA256
2b1684fabbd6b72550d76d06a35e4c2dfa0809c73e63cb635f22197292324c62

SHA512
70e34c95b13ce3451abc9d78edbb14331177b714d36b1aa78f1fedf52d436b4f59c3bc6c0e2457fcd9bf277ab8a57c0e3e0063be2156b6bb2c6fbcb0981559c6

Download Submit
C:\Windows\SysWOW64\Oddmdf32.exe

Filesize
2.2MB

MD5
e39f0e17d85ff0348fc85427ecfc9988

SHA1
02fa672eda2ee2c07080c50f80784f13c6583fc6

SHA256
f73c4e9ab1cfd4116c35cc3fa98ba0d6f62a7b900a982ee82cf128d16b9d7620

SHA512
feea70038a6ee903600695cd5a8790bebacb3739898eac357ba7b41e48aabfa009893ffa88ae16e480f3cd584df772951638c5e0f8e2e7cf4d878ad70bae6844

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
2.2MB

MD5
f6bd0893737f4a8749192cbe35dc9325

SHA1
e4c1d78c6a705d95e2a4b58088b727459629ad16

SHA256
c3ad7e470cf14bb213e7133ef8e8d0bb252af5707a2fcdf2935de1f216bb3f60

SHA512
9a8b0c8ac5f034c66a68668041fb0846fcc5e2cdd5660adb734e7e8a605faebd3fb6f6ace5286a578eb645eaaa986bb0d02a6c5eaecdf61a11c34054e13a564c

Download Submit
C:\Windows\SysWOW64\Ojllan32.exe

Filesize
2.2MB

MD5
18fbc1c50d8125f706a3e9d5c4c90117

SHA1
35ea64b818f847e9c55fb8bded59a940ce0cacea

SHA256
32d38bd9d60461ae29aa23d6de031b1e4e58673bd2baf8e36d7567c04f820db7

SHA512
e04ca9ab3b461b2d43b2d22519515c906bc71b7195d87f1ac81dd79e02fa257383efb064eb40b2f82e9b637c6c1e687bad5ae5fe0c376f4f4e5ab09b4ff90cd1

Download Submit
C:\Windows\SysWOW64\Oneklm32.exe

Filesize
2.2MB

MD5
dbc05072614f9cc59a57b24c6cdf931c

SHA1
1fc905f7caebe87e8dfa9f273f529c6accaadcf8

SHA256
36d580f9cbe2b7cb89239cb97355e80fa6fb060bcee7ded613405a474eec7996

SHA512
d208c7e9f2d0ab7563b924f232dea690bd11e2b0dcf7e10c0d8f5dafa6be4969ba8970ed56edb17d3c427b1dfe871988465b997256c97b6534ae1b5ffe1f63dc

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
2.2MB

MD5
89c475128a1efdf097907fe37c89bc00

SHA1
3c7409044cede13ea1b8623a4f0d8681a58046ca

SHA256
7f7599235718cd633cb6e3090411a7b45747f23b0b750361377db2e21ad269c3

SHA512
05cd267a63b32da06cb0cd1fa60fc090ca02f0c6a4bdac0930b0d6dc8db05d6b0cc792317f9380b20e28bf11809f7b6b26dc0c53f3766b5c99e81f1d8e73b974

Download Submit
C:\Windows\SysWOW64\Pfhfan32.exe

Filesize
2.2MB

MD5
e878609cf5e2e5afbd9f81bbee347988

SHA1
6f27563ec8af3ebfd9f156546e4fadb200745b37

SHA256
1efd95ca46580f9ad03d829ce308f7429a34d0da40ec22226c6ff2720ac8739c

SHA512
754a52fcb6ce036e51d65042a9935839ebd4cff831b96746891611c9143486e511af70403bb81f1da94727e9d560e822b76a4891366aaf087a1e8ee6fbdb624c

Download Submit
C:\Windows\SysWOW64\Pqpgdfnp.exe

Filesize
2.2MB

MD5
15155b8869f44cbaef6babbc527daefb

SHA1
94fec14df93e2dec7826d9212377507fac7f0bff

SHA256
cfb9435c07f4890c32f04149fcf9b63ae1ea01b5f094468e9b3aa67e5a28dd4d

SHA512
e0d3a860a3392dc535a0cbcf1abfb4a6c70aad35d748bb48c660d0c1e071ccf3d137b433bac199b6359590df4b33b5380929b38e1a78a7f0e5fe9f8ad8deaf56

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
2.2MB

MD5
e3f9e56c1a731cc8225e2e782960e9b3

SHA1
08b4ee0060716157ff2e7aaff211d69aad98d798

SHA256
e66c1cc19ee9371c0b67bcd43391ca1b2c3df86d09cbbe0be6f809a8ce21725c

SHA512
4292a9b594ea6e99b3e75d0e901d980cd2b8511c90dfb034b2a5b7b8828137a4a462c8c7a1873a69b8e15855b501c7677827cda312860cfe58dd7e36e64036dc

Download Submit
memory/536-201-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/628-169-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/676-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/676-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/712-29-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/860-311-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/860-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/868-477-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/868-275-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/964-433-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/964-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1040-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1040-457-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1044-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1044-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1332-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1424-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1428-121-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1452-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1452-494-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1492-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1524-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1668-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1668-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1696-475-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1696-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1860-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1860-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1904-128-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2012-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2012-486-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2144-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2144-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2264-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2264-463-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2296-483-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2384-469-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2384-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2396-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2432-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2444-488-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2444-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2476-53-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2600-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2960-61-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3088-429-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3088-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3096-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3096-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3204-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3204-428-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3240-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3240-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3356-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3356-447-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3448-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3448-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3504-160-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3556-97-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3632-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3672-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3680-441-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3680-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3732-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3732-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3800-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3836-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3900-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3908-453-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3908-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3944-481-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3944-263-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4124-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4232-439-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4232-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4292-451-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4292-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4312-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4324-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4324-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4360-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4532-224-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4532-490-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-445-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4772-492-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4772-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4872-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4872-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5080-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads