4bebf7b9950f07c5404763f2ce417f4a35a6f2d8f925556424c824e39243a6a0

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4bebf7b9950f07c5404763f2ce417f4a35a6f2d8f925556424c824e39243a6a0.exe
Size

96KB
MD5

48456b0f1e8ee65746c087b4c5da0dfa
SHA1

9ed671ecfd99ce71632a441390cb4e2e1c608d6b
SHA256

4bebf7b9950f07c5404763f2ce417f4a35a6f2d8f925556424c824e39243a6a0
SHA512

822e137dfeb27819c08db0cabdaf2f5b9ec27087f1de82e3f5c6dd4c80b5d1452e12e76b8103611796396c39042c5369840552315345a55fec70b6f12a4266ec
SSDEEP

1536:dvZXK+nLMQxwuTubCl4Kthr3OWR2Lk1PPXuhiTMuZXGTIVefVDkryyAyqX:dRXnIQDT8lKjWaPPXuhuXGQmVDeCyqX

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	4bebf7b9950f07c5404763f2ce417f4a35a6f2d8f925556424c824e39243a6a0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agglboim.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	4bebf7b9950f07c5404763f2ce417f4a35a6f2d8f925556424c824e39243a6a0.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe

Executes dropped EXE 64 IoCs

pid	Process
3504	Qmmnjfnl.exe
1284	Qgcbgo32.exe
4824	Anmjcieo.exe
1932	Aqkgpedc.exe
408	Acjclpcf.exe
4832	Ajckij32.exe
3588	Anogiicl.exe
3676	Aeiofcji.exe
712	Agglboim.exe
4716	Ajfhnjhq.exe
3640	Aqppkd32.exe
4752	Acnlgp32.exe
4704	Ajhddjfn.exe
2200	Aabmqd32.exe
4884	Aglemn32.exe
3696	Ajkaii32.exe
908	Aadifclh.exe
4684	Agoabn32.exe
2976	Bjmnoi32.exe
1548	Bmkjkd32.exe
1232	Bcebhoii.exe
2964	Bfdodjhm.exe
1732	Bmngqdpj.exe
4532	Baicac32.exe
3168	Bchomn32.exe
3868	Bjagjhnc.exe
1400	Bnmcjg32.exe
1660	Balpgb32.exe
964	Bcjlcn32.exe
3948	Bfhhoi32.exe
4784	Bnpppgdj.exe
4396	Beihma32.exe
3216	Bhhdil32.exe
3584	Bjfaeh32.exe
3480	Bmemac32.exe
2860	Cfmajipb.exe
4128	Cjinkg32.exe
4956	Cmgjgcgo.exe
4912	Cabfga32.exe
5108	Cdabcm32.exe
1532	Cjkjpgfi.exe
1156	Cmiflbel.exe
2284	Cdcoim32.exe
3184	Cfbkeh32.exe
892	Cmlcbbcj.exe
3096	Cagobalc.exe
4368	Cdfkolkf.exe
1800	Cfdhkhjj.exe
3388	Cnkplejl.exe
2748	Ceehho32.exe
4312	Chcddk32.exe
4016	Cjbpaf32.exe
2596	Cmqmma32.exe
2796	Ddjejl32.exe
2268	Dfiafg32.exe
1988	Dmcibama.exe
2424	Danecp32.exe
4996	Dhhnpjmh.exe
1512	Dobfld32.exe
4360	Dmefhako.exe
4864	Delnin32.exe
4552	Ddonekbl.exe
4736	Dfnjafap.exe
3836	Dmgbnq32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Agglboim.exe	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Aadifclh.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Dknpmdfc.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qmmnjfnl.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Anogiicl.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Ajckij32.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	4bebf7b9950f07c5404763f2ce417f4a35a6f2d8f925556424c824e39243a6a0.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Agglboim.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Aabmqd32.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Aabmqd32.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Aeiofcji.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Ajfhnjhq.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Aadifclh.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Aqkgpedc.exe	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Aadifclh.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Cfmajipb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
232	2540	WerFault.exe	157

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4bebf7b9950f07c5404763f2ce417f4a35a6f2d8f925556424c824e39243a6a0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agoabn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cabfga32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahicipe.dll"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	4bebf7b9950f07c5404763f2ce417f4a35a6f2d8f925556424c824e39243a6a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	4bebf7b9950f07c5404763f2ce417f4a35a6f2d8f925556424c824e39243a6a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oicmfmok.dll"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	4bebf7b9950f07c5404763f2ce417f4a35a6f2d8f925556424c824e39243a6a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajckij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Agoabn32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 3504	4192	4bebf7b9950f07c5404763f2ce417f4a35a6f2d8f925556424c824e39243a6a0.exe	83
PID 4192 wrote to memory of 3504	4192	4bebf7b9950f07c5404763f2ce417f4a35a6f2d8f925556424c824e39243a6a0.exe	83
PID 4192 wrote to memory of 3504	4192	4bebf7b9950f07c5404763f2ce417f4a35a6f2d8f925556424c824e39243a6a0.exe	83
PID 3504 wrote to memory of 1284	3504	Qmmnjfnl.exe	84
PID 3504 wrote to memory of 1284	3504	Qmmnjfnl.exe	84
PID 3504 wrote to memory of 1284	3504	Qmmnjfnl.exe	84
PID 1284 wrote to memory of 4824	1284	Qgcbgo32.exe	85
PID 1284 wrote to memory of 4824	1284	Qgcbgo32.exe	85
PID 1284 wrote to memory of 4824	1284	Qgcbgo32.exe	85
PID 4824 wrote to memory of 1932	4824	Anmjcieo.exe	86
PID 4824 wrote to memory of 1932	4824	Anmjcieo.exe	86
PID 4824 wrote to memory of 1932	4824	Anmjcieo.exe	86
PID 1932 wrote to memory of 408	1932	Aqkgpedc.exe	87
PID 1932 wrote to memory of 408	1932	Aqkgpedc.exe	87
PID 1932 wrote to memory of 408	1932	Aqkgpedc.exe	87
PID 408 wrote to memory of 4832	408	Acjclpcf.exe	88
PID 408 wrote to memory of 4832	408	Acjclpcf.exe	88
PID 408 wrote to memory of 4832	408	Acjclpcf.exe	88
PID 4832 wrote to memory of 3588	4832	Ajckij32.exe	89
PID 4832 wrote to memory of 3588	4832	Ajckij32.exe	89
PID 4832 wrote to memory of 3588	4832	Ajckij32.exe	89
PID 3588 wrote to memory of 3676	3588	Anogiicl.exe	90
PID 3588 wrote to memory of 3676	3588	Anogiicl.exe	90
PID 3588 wrote to memory of 3676	3588	Anogiicl.exe	90
PID 3676 wrote to memory of 712	3676	Aeiofcji.exe	91
PID 3676 wrote to memory of 712	3676	Aeiofcji.exe	91
PID 3676 wrote to memory of 712	3676	Aeiofcji.exe	91
PID 712 wrote to memory of 4716	712	Agglboim.exe	92
PID 712 wrote to memory of 4716	712	Agglboim.exe	92
PID 712 wrote to memory of 4716	712	Agglboim.exe	92
PID 4716 wrote to memory of 3640	4716	Ajfhnjhq.exe	93
PID 4716 wrote to memory of 3640	4716	Ajfhnjhq.exe	93
PID 4716 wrote to memory of 3640	4716	Ajfhnjhq.exe	93
PID 3640 wrote to memory of 4752	3640	Aqppkd32.exe	94
PID 3640 wrote to memory of 4752	3640	Aqppkd32.exe	94
PID 3640 wrote to memory of 4752	3640	Aqppkd32.exe	94
PID 4752 wrote to memory of 4704	4752	Acnlgp32.exe	96
PID 4752 wrote to memory of 4704	4752	Acnlgp32.exe	96
PID 4752 wrote to memory of 4704	4752	Acnlgp32.exe	96
PID 4704 wrote to memory of 2200	4704	Ajhddjfn.exe	97
PID 4704 wrote to memory of 2200	4704	Ajhddjfn.exe	97
PID 4704 wrote to memory of 2200	4704	Ajhddjfn.exe	97
PID 2200 wrote to memory of 4884	2200	Aabmqd32.exe	98
PID 2200 wrote to memory of 4884	2200	Aabmqd32.exe	98
PID 2200 wrote to memory of 4884	2200	Aabmqd32.exe	98
PID 4884 wrote to memory of 3696	4884	Aglemn32.exe	100
PID 4884 wrote to memory of 3696	4884	Aglemn32.exe	100
PID 4884 wrote to memory of 3696	4884	Aglemn32.exe	100
PID 3696 wrote to memory of 908	3696	Ajkaii32.exe	101
PID 3696 wrote to memory of 908	3696	Ajkaii32.exe	101
PID 3696 wrote to memory of 908	3696	Ajkaii32.exe	101
PID 908 wrote to memory of 4684	908	Aadifclh.exe	102
PID 908 wrote to memory of 4684	908	Aadifclh.exe	102
PID 908 wrote to memory of 4684	908	Aadifclh.exe	102
PID 4684 wrote to memory of 2976	4684	Agoabn32.exe	103
PID 4684 wrote to memory of 2976	4684	Agoabn32.exe	103
PID 4684 wrote to memory of 2976	4684	Agoabn32.exe	103
PID 2976 wrote to memory of 1548	2976	Bjmnoi32.exe	105
PID 2976 wrote to memory of 1548	2976	Bjmnoi32.exe	105
PID 2976 wrote to memory of 1548	2976	Bjmnoi32.exe	105
PID 1548 wrote to memory of 1232	1548	Bmkjkd32.exe	106
PID 1548 wrote to memory of 1232	1548	Bmkjkd32.exe	106
PID 1548 wrote to memory of 1232	1548	Bmkjkd32.exe	106
PID 1232 wrote to memory of 2964	1232	Bcebhoii.exe	107

C:\Users\Admin\AppData\Local\Temp\4bebf7b9950f07c5404763f2ce417f4a35a6f2d8f925556424c824e39243a6a0.exe
"C:\Users\Admin\AppData\Local\Temp\4bebf7b9950f07c5404763f2ce417f4a35a6f2d8f925556424c824e39243a6a0.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Windows\SysWOW64\Qmmnjfnl.exe
  C:\Windows\system32\Qmmnjfnl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3504
- - C:\Windows\SysWOW64\Qgcbgo32.exe
    C:\Windows\system32\Qgcbgo32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1284
  - - C:\Windows\SysWOW64\Anmjcieo.exe
      C:\Windows\system32\Anmjcieo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4824
    - - C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1932
      - C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:712
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:908
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1732
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4532
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3168
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3868
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1400
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1660
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:964
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3948
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4784
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3480
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4128
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4956
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2284
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3184
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:892
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3096
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4368
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1800
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3388
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4312
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4016
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        54⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2424
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1512
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4552
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4736
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3836
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:960
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4068
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:672
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3420
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1768
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1236
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 396
        74⤵
        Program crash
        
        PID:232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2540 -ip 2540
1⤵
PID:4964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
96KB

MD5
484647ec440f053b9690df90251c506a

SHA1
dea5637c55c6b829d848838e7ccc210848344bdd

SHA256
ce816421e22e0ca1313ed0e34b756014b4f586106694d5f5915fd36dba23c6aa

SHA512
28a3eae4d5e1b1260913891606eafea0bffded8215e0e069f063d061bfc748d803cb8a0948756b9edb3c8df25a0b3a9dd722e765486f174440efc26c6d67407b

Download Submit
C:\Windows\SysWOW64\Aadifclh.exe

Filesize
96KB

MD5
3ffd17f3d10d7d3eb3a2c6cfba2a5701

SHA1
aebaa0a8bb0b266858ef125550f923b270f71f51

SHA256
730cbbfe81d5e6173b763c8ea1351105b391ae506961f374dc42e8d8aac0be7f

SHA512
b76ef8077bee24f3c4215f0d4ad59e220e8f0652c94f550f9f4a8f1c9874194dff07c32b455b48098e1b7f2677a3111905e1e17426ca09833e0f711301212b52

Download Submit
C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
96KB

MD5
376e96d21e7a35c8b8f69a757823277c

SHA1
157a9f6522a9a4a849c6f29c0ffe50c6dd50bb6b

SHA256
b37fac613ce971b1f2f444cb0759a9076ee5a66441c410415acc2eb3a4641fc4

SHA512
53742255914aabfdf427be90d2d230224e3ec18bd24d8a4dd49ba29f3395f83c87d8d0b1ebc5bbe28a35e4ba406a5b6b72e51b07b6c6bfdee5906798de927f0e

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
96KB

MD5
c96ea914dcb44359e3221ea266176a4a

SHA1
6be4b684767666c7c3f82146dbc7960c3bc1031f

SHA256
ffb153b27563230688a73e8218e43ce6908ba7438182cb8f064fee2f523776b5

SHA512
cb74aecc1e59f450f60e583083eca98f7d8c5b5ab9c9566c916a1231712a3ca4b2969c27863fe2a3cc149b4d5b8d7bb4a42d5b58808256fe9ed7e64f06afd6b9

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
96KB

MD5
666a1c0304cefeef81654af11907bb51

SHA1
fdb5160b3772d9d7983c8faafb812a6fc2a484e3

SHA256
4058fa3a644e9a7737e1a0266594c51512fc0b026f83fc188924949dcf14c928

SHA512
effb894cc3af943b4f4491479148f011f008e2a361ed4fc60fbd50e0ff09d13b4bdaa6e11900e1cd721fb8e78a18e293c3546911fa6f7379180014fb66d5956c

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
96KB

MD5
fbab01e215b34783c1e2d8e5d0ad2f1b

SHA1
63c8ff111baacbd5ea2118180066c4723fa68e18

SHA256
6b61934e3e3a8fdcf66764c48f9270f682cad634e9d2d38691b54269c7a1f646

SHA512
30aa585f1c3a551391a765477557f374f63dae852d85722afec9c88e3bc74ff359647954bbda751c26d2d89daf4e41ad535d11bc600119ff6de4b84df4e50a60

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
96KB

MD5
a6a5a24d3fe3641c47b5c1a1d73a6418

SHA1
f324c599e6499bed6b989711bb0b47b6e67dc1b0

SHA256
deaebb26774b04015b8ef45eab7b78b9ce22fe936a93bdf1be1d7b5e54042f77

SHA512
cac03e210087b916c700e9db30eaeaaca1aa614c7dbaecbbbb7cbeac97d67d4a82b39824800e289a50ec19027a54cb8ccf1f25c2e8810861d2315af20a982b98

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
96KB

MD5
4851136f8953a6ef43c5e10a5a0af8bc

SHA1
2c730cca812834b7c4a43d3c7f068ba653589c0a

SHA256
8266b0120f14f1fa1b3a598542e706f5611ccaa29d1ae8f77529ef325d53f07e

SHA512
0a6e48d52d973dc65e1b5e7a1e7fb37291336e22fad9dfc19aa329d79d5d33b19f31f18bab959fc3a26cc3a2ada11d55a266055aa9c67b0043a73f3e0a6f3c1c

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
96KB

MD5
d97d96e7aaacecba8ff8fb838bbbde51

SHA1
3f375a193bc132da542c306f186ca61cf382fc85

SHA256
eddc91a540000adbbfde48f107d6d16cdfa585692911b37d5be063539ef70d5c

SHA512
f372daad440ba14050575600af32694dd3e5a8009f8d2e8887223e1405f682ce29434fc2a8378a8d0716a95c723fd5975e0bb08db8eb12cdc6e6345e94ccfbac

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
96KB

MD5
f5387139d62e64b55df584d9de674eed

SHA1
b462ae86206cc9cc4e45b5bcdaaa685f68a5df64

SHA256
9c29a0747abed1d4e3bd3876f53346e1436d77ed78aff9822c173cdc1b06e988

SHA512
86ac0bc76da75b661df407aa1a424c2e19aa3e02648bc8defb23a5e3378eb1ae99efbac6b1198fae71a279084b38d4cd75429417bb2d03331b876d3cb460cc5f

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
96KB

MD5
c0df1cf49e30e0424b78676c1cacce18

SHA1
e9b078fa5d0eb6266627d0131946983a2f246ee3

SHA256
c9ba2338062fb20fe6c0e60692d21c274a44cf2bee675871fd501e6cdcd68133

SHA512
bc02e73cfe092d8f0cbfb57644c5fd7f3c916a9df9d61be0214a5e8bc2bf384ad548b61441808a53a6b14ebb23d55a5e326b96792de6c7fe29b07166cb8891ec

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
96KB

MD5
85e46a836fcf866dcb63ffb0357ae4f9

SHA1
cf419320976ce03737c79328be1778a247f007ce

SHA256
17e8b5ed6ea00748e7eada100dfe6ac41ecf479da8cbeff8239279aa9451deec

SHA512
90db559646aadf756bfa57c98e8e81333df157452a84407a9385d7142e0688720d220389da8b82660b530ecc30cb0b05becf5fc7c0b4f502c3243e0673ce99e7

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
96KB

MD5
929e6f777ab87dc0066c2907fcbef609

SHA1
320c3d445cf3c5ec57d43b25c28b59a0a78f7aaa

SHA256
7092df7ed5b3f20480c84fa6ae68795f7eedf4caa167f02f3ce7cf86d6bd12f1

SHA512
0d31ece995f9b878e9b69978d58309bb2002e5b4c23aa80673fc154767c601286e51f815124cd4dc1d255d0b7169e98307fc30802f00532d04e925be9549f113

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
96KB

MD5
e1a9ace493bf445f36be06069f5e302b

SHA1
bdd954f88feb4047c35bef3f9048b0d213126507

SHA256
7f66de83bd24c996a48532060f81394ecc78131a7f9e6480f2c5facea61b5e76

SHA512
3bae58dc98a1cf57802afcc7ad11cc0b0dc1bb2c2e7530ee999816309cc0f2c64188a46b5ba556ae773a84eae50086d1e189f28e7ab28ff75b26499869b935db

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
96KB

MD5
50c20387ec49ba0c9f0229b7b6432ebf

SHA1
4f8dc86e6fc4c36fe0ee17ef491db66909ca8aa7

SHA256
05481371e5395bc29902bfb5c2b7b89a1616f1d7a6e80d846b91dad0048398d2

SHA512
be258ebbb1a60051b4140731a19cf656c1d3039ac3f19c7f79d1e4d572820931960f52f862fe4f05efa3d44757eca8afca9fe89871351a53b9c0f2825543aee1

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
96KB

MD5
54b1abbb0ce8d1b368024461fb78378f

SHA1
372ac7593111c6f948ae9814e27ef846d9f3f5ce

SHA256
59b83a00ebab836af0f20563d4dfb1b1511387aff6f4ae61bd16effc6546c235

SHA512
ebd0370f7b3ae25bb90a0e61637555c9305cd19c921e44823f2c3b2ce064b3588bee70c871c4dd813082f2e6d1aa9a7d857abec2a9ab1e1023b0044c12aed9bd

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
96KB

MD5
f1b228bd5b6372063702b62ea018bbb7

SHA1
289e986c3c42d40e90f786bb2d9b36ec5b1f0457

SHA256
c7dc8b5711a44dd9b76b0e6f5627b8ea2830052374c90d78f448ff81b046b22d

SHA512
80ec18673ff3c4609efaed272e6c572d584a7faebf5dcc818d86ed7c9c67a169f83c8d09574965c91c268bb9f152b0d2b5883f3e102791cfc689c3acfa68873b

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
96KB

MD5
ae997bd62c2d47de2cd0e3e5a50d4036

SHA1
6b399e8761c083de1c74cf11fb38c0710459b92b

SHA256
d6171f5e8eb6e22c90dbfaae186c909cc28e73220c4ee7f83a22c98a393f6ac4

SHA512
857e828ae74af3f7064480048ae17d363d69ba0115eb8feb2e1e0e7c3eb61483c2e14002d6836bea5977ac9c0738ecbf0f2850327a32d2daaa39024f0429df8b

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
96KB

MD5
0ddb3b48e2106ac35402287cd2e31cc3

SHA1
b6cf455552463f53cca3ea2ebfdcd027d69a8762

SHA256
b6964a6a4d0b834b163454ca859c0cbcf667b3742f0238beb450ebb98412c743

SHA512
090e78e07e2d1d1e4b75dc6ff3684bbe5bf64baadf80bdb75f588b82b4af7888aa364741c5cbe6838d994c05a7d0f848c85010910f2e33fc34c08f54d23db5a8

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
96KB

MD5
014428b04304cf3e7e7179fdf4462973

SHA1
2509b35575086ab9af4ca0411ca314cc6eb39c7e

SHA256
468349dfc379ed39a95668808a4ca56707883060f82298c373ed3a93caf27483

SHA512
f130c02b36f0b68a2068e9e3d0fdd5da6812e1b7bbba9a582ba4ef9296fbff3a5e309f9c74ca96530b2e5caab704739dc2c562b722828cea800e999152afa88b

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
96KB

MD5
3d5ecf44f8a34f6aa6f4efdb819f8bf7

SHA1
17ca5d3278209ef688e9da88f2dfd3ac07831b27

SHA256
ae2e42a6ef565091c6b8852469a6ee6e0cb5475b2ea62ca10a16d17946bb5686

SHA512
4368f5d14e6b45ffb27bd0a5fee141949547d35dac30a9d56332fdbddd6f22c21caa2865c17551bf9352d976f4203b7da4968151a5d370f967a2d080a8a9a49b

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
96KB

MD5
5fd4fdafd5a9c314367ccf7b62278ba4

SHA1
e0e1f60e724c050140579d27ae1b8ea436e9b046

SHA256
87bb3611d4ecdaef52c329473d446d7f3ec17aea6fe02121158694e792e3ba9a

SHA512
8a2f71128457c5f0de9e67b421ecef62abe384499fe197694999b67bff4d347baef878b451c002a0bebebd21cecfb3ff43ff79d5a45a0b35500c46590f6f4cf8

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
96KB

MD5
d7e8a0b6e83c100b1ed0ef64ee552670

SHA1
87ab6c4003a53fbc10cdff24aafdf45e569a1f9f

SHA256
45187ee633e6c3c876751b6a7b240a953bacd79f5945b5aa34eeba7894452583

SHA512
91cb0863885b77bb1532988ef443a2811adac4a0dcd320068685c850c5cbac6dd9eb606fe84890bcb9294d1e1b13e9fb4b05f2ad3e8fdc21e797436b87a74542

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
96KB

MD5
b969286efaec5486eeb663e2ed8bd925

SHA1
2060d64289f11da1824a90f210b6d6ce50f8a892

SHA256
3dbad8fc582e4132c6e2f67159dde44cedfc1b29c1a74a0a5ac5f65eab2f1718

SHA512
4f0bea3217cf1f5a5cf3ed4643298119b529f9dea49025ae8e286a1f563d282211352da39e5ef4fdd2ec61c1997f6a7f4513d3c12495e191e2702a55eab55f30

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
96KB

MD5
7568efb167868642a39fa041313969f0

SHA1
89c0df3eab3e10334f544ef0d6747fb8376bcda5

SHA256
d001cb8be01f53c297d0ba5ea69a568475e480dfbf17f71fd61ed5dbb9f26db4

SHA512
851cdcbd21c96d982ce49f9dce260241ade9e53595ca12866cf1c37339b104e9169e6159690b4d2713c7fce18f54605a6449c1de514abf15545c32f721e67906

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
96KB

MD5
6d8d38cfb3e0d638ffe9c057d51746a7

SHA1
cdec0e0dffd4791f43ef33614ec2b6672d6bbd79

SHA256
fc43aaac4628de547554bba6accf782a04eb7b3631e939fd621b1c568ee3070c

SHA512
08c2ccf04593d55de326084a6ea72901bec94c93e27abfab779f02128067f989cbf90e5830a039e986b398fc87408cb88d3cd5769063b0f2df9210739b24b919

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
96KB

MD5
b9b42110811bdcdaa5ed9a956e984b8d

SHA1
d0705b87a1a6a84fa6fff24bf161e686d1367099

SHA256
a8fc1e280babed52b159f11e9b296d63012ad56421ef4340353438ee520c3061

SHA512
d7dadeab1c7b11583615f8236e0c0aacc35378446aac8aae8a54e3dc26c3db28dc0d774d10e1ab6332df247bcb08dee1f45b3b10090dc1861e28544a0c8c345b

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
96KB

MD5
cec389882ec91d2209056beba324b32e

SHA1
34d9f509661bdcbf7480d31da20f5822ad008821

SHA256
a80e4db6d3cf37429efa129ea6b5356d41c8e623910c3088cc9bf49982ad4457

SHA512
5a5bc61bd6be6fa350387a0f45b614e601a5de552983b366bfb190ba898f98816b62fcff6551b054078a6d13f884f4504b2b36fe023fe163aa118a006c1f8d4c

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
96KB

MD5
d7083f1bbb99bc1e1fdddd07f221bc84

SHA1
adff9d0dccf4970aac95a9e1a3b4efdc7c2baab4

SHA256
93c362888ed09f840438f999b3c2eecd89b043d08c300ed388ec6552788b35c6

SHA512
73f03fc465688039e53e9abb5084b37c63e9e1008c10deaf6e8866705ec8c653c19dd51be5a0ce321d67804ca45f5ad17d1555467c73af02ad26a38710adfd9e

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
96KB

MD5
16e78f65c4baf349c60e380423e0a9f4

SHA1
559a6162ef4451de4b197bb0946b12cb1d009064

SHA256
b4993f5194d7161145fdca176a6c9df3052ed3295d6e566e5ac2c535c0b495d3

SHA512
c10af638fba7057114fd193c14adc0cc48289948d5acf0a823e00b7f4eedddfa2e7ab5fedb3a7a6addff13e770c887b25d0f215d4120c25a9f3391af386b6446

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
96KB

MD5
d3f9fe3d461d1200831633881caabbb3

SHA1
8872a3e62f849a5bb2af72b39e3d45c7c6ea6ab1

SHA256
d18e1c72c85cb2fbf3ec9fe4b9c54f32c869e55de47936717d6b3e83163a2605

SHA512
f5c980d951156c32098e941922633bf4ee6ba8d134bb5e268ef012b2200d1a982c9dde2e71a3d0e20801de28f297eddae0f8c1ac9bc6a7748f560ba0d33a40ef

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
96KB

MD5
8ea1e555a6700ae7bc199337a833899c

SHA1
151b3fcae987d36d0f34cfc7a680d91c8ab4fda1

SHA256
e6af9130fce21f97ab5ce8a0e485f178652a9cbbe118a8845e67c069f93fc111

SHA512
fdddcf162b99a9525f89171c00dd9441e3bbb99305164787c8ff5fba7c1daf57522a074339a85c5286ca236c49b9a53ca7da758ef0add0c90c0b7c444f635f15

Download Submit
memory/408-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/672-473-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/672-502-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/712-73-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/892-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/908-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/960-455-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/960-505-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/964-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1156-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1232-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1236-499-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1236-491-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1284-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1400-221-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1512-423-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1512-511-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1532-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1548-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1648-461-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1648-504-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1660-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1732-189-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1768-485-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1768-500-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1800-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1932-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1988-401-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1988-514-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2200-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2268-515-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2268-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2284-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2424-407-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2424-513-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2540-498-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2540-497-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2596-517-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2596-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2748-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2796-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2796-516-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2860-285-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2964-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2976-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3096-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3168-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3184-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3216-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3388-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3420-479-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3420-501-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3480-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3504-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3584-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3588-57-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3640-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3676-64-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3696-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3836-506-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3836-449-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3868-209-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3948-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4016-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4016-518-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4068-503-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4068-467-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4128-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4192-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4192-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4312-519-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4312-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4360-425-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4360-510-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4368-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4396-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4532-196-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4552-508-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4552-437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4684-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4704-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4716-81-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4736-507-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4736-443-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4752-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4784-248-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4824-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4832-49-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4864-431-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4864-509-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4884-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4912-304-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4956-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4996-413-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4996-512-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5108-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads