9916499c3b91642ebed0129f74e40ec64a97cbf9e6561a24a6cf6147e85c2ce9

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15/09/2024, 00:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9916499c3b91642ebed0129f74e40ec64a97cbf9e6561a24a6cf6147e85c2ce9.exe
Size

95KB
MD5

59f43fbca4115576efef9021b64a1bd8
SHA1

9d408d1753322cfa6fc1012152471783e88e8aad
SHA256

9916499c3b91642ebed0129f74e40ec64a97cbf9e6561a24a6cf6147e85c2ce9
SHA512

81dd08a20e61d5d932a64da3335c7d8e6c17f2bad1dee5b71ffca03acb951c84eb25dcc11c47eb8eac69b2b5303b1ecd824cf67fa6c779051e292bd496b86120
SSDEEP

1536:Jr0GH5G+vMP6kwYBbur5eA8qQjDodRQrZ8RVRoRch1dROrwpOudRirVtFsrTpMG8:50GZVf6burl8FweyTWM1dQrTOwZtFKnO

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	9916499c3b91642ebed0129f74e40ec64a97cbf9e6561a24a6cf6147e85c2ce9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	9916499c3b91642ebed0129f74e40ec64a97cbf9e6561a24a6cf6147e85c2ce9.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceehho32.exe

Executes dropped EXE 64 IoCs

pid	Process
3484	Qfcfml32.exe
3932	Qqijje32.exe
452	Qcgffqei.exe
4988	Qffbbldm.exe
4856	Ampkof32.exe
3816	Adgbpc32.exe
4620	Ageolo32.exe
1568	Ajckij32.exe
3084	Aqncedbp.exe
1388	Aclpap32.exe
2424	Ajfhnjhq.exe
2024	Aeklkchg.exe
4412	Agjhgngj.exe
1560	Andqdh32.exe
3696	Aeniabfd.exe
908	Afoeiklb.exe
4556	Anfmjhmd.exe
3876	Aadifclh.exe
4352	Agoabn32.exe
4280	Bjmnoi32.exe
2176	Bmkjkd32.exe
4100	Bcebhoii.exe
1484	Bfdodjhm.exe
3076	Bmngqdpj.exe
3992	Bchomn32.exe
2912	Bffkij32.exe
4320	Bnmcjg32.exe
2980	Balpgb32.exe
1132	Bnpppgdj.exe
4020	Bmbplc32.exe
468	Bclhhnca.exe
4952	Bnbmefbg.exe
4776	Bcoenmao.exe
5084	Cjinkg32.exe
3880	Cmgjgcgo.exe
4884	Cenahpha.exe
4400	Cfpnph32.exe
3228	Cnffqf32.exe
4072	Caebma32.exe
4732	Chokikeb.exe
892	Cnicfe32.exe
2188	Cagobalc.exe
868	Cdfkolkf.exe
4232	Cjpckf32.exe
1840	Cmnpgb32.exe
60	Cajlhqjp.exe
3616	Ceehho32.exe
4924	Cffdpghg.exe
4944	Cnnlaehj.exe
2140	Cegdnopg.exe
1932	Dhfajjoj.exe
2316	Dopigd32.exe
2688	Danecp32.exe
4448	Ddmaok32.exe
1300	Dhhnpjmh.exe
1052	Djgjlelk.exe
2120	Dobfld32.exe
3668	Daqbip32.exe
2608	Dhkjej32.exe
4612	Dmgbnq32.exe
1708	Deokon32.exe
4892	Dhmgki32.exe
804	Dmjocp32.exe
3764	Dddhpjof.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Anfmjhmd.exe	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dhhnpjmh.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Afoeiklb.exe
File opened for modification	C:\Windows\SysWOW64\Aadifclh.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Agoabn32.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Kbejge32.dll	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Afoeiklb.exe	Aeniabfd.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Jdbnaa32.dll	Qqijje32.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Ampkof32.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bffkij32.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bnbmefbg.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File opened for modification	C:\Windows\SysWOW64\Ajckij32.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Hjlena32.dll	Andqdh32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Ldfgeigq.dll	Agoabn32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Qfcfml32.exe	9916499c3b91642ebed0129f74e40ec64a97cbf9e6561a24a6cf6147e85c2ce9.exe
File created	C:\Windows\SysWOW64\Ageolo32.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Bjmnoi32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
516	4240	WerFault.exe	151

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9916499c3b91642ebed0129f74e40ec64a97cbf9e6561a24a6cf6147e85c2ce9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	9916499c3b91642ebed0129f74e40ec64a97cbf9e6561a24a6cf6147e85c2ce9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdeahgnm.dll"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baacma32.dll"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmolq32.dll"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbgngp32.dll"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokgpogl.dll"	9916499c3b91642ebed0129f74e40ec64a97cbf9e6561a24a6cf6147e85c2ce9.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aadifclh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqimi32.dll"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dhmgki32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3592 wrote to memory of 3484	3592	9916499c3b91642ebed0129f74e40ec64a97cbf9e6561a24a6cf6147e85c2ce9.exe	83
PID 3592 wrote to memory of 3484	3592	9916499c3b91642ebed0129f74e40ec64a97cbf9e6561a24a6cf6147e85c2ce9.exe	83
PID 3592 wrote to memory of 3484	3592	9916499c3b91642ebed0129f74e40ec64a97cbf9e6561a24a6cf6147e85c2ce9.exe	83
PID 3484 wrote to memory of 3932	3484	Qfcfml32.exe	84
PID 3484 wrote to memory of 3932	3484	Qfcfml32.exe	84
PID 3484 wrote to memory of 3932	3484	Qfcfml32.exe	84
PID 3932 wrote to memory of 452	3932	Qqijje32.exe	85
PID 3932 wrote to memory of 452	3932	Qqijje32.exe	85
PID 3932 wrote to memory of 452	3932	Qqijje32.exe	85
PID 452 wrote to memory of 4988	452	Qcgffqei.exe	86
PID 452 wrote to memory of 4988	452	Qcgffqei.exe	86
PID 452 wrote to memory of 4988	452	Qcgffqei.exe	86
PID 4988 wrote to memory of 4856	4988	Qffbbldm.exe	87
PID 4988 wrote to memory of 4856	4988	Qffbbldm.exe	87
PID 4988 wrote to memory of 4856	4988	Qffbbldm.exe	87
PID 4856 wrote to memory of 3816	4856	Ampkof32.exe	88
PID 4856 wrote to memory of 3816	4856	Ampkof32.exe	88
PID 4856 wrote to memory of 3816	4856	Ampkof32.exe	88
PID 3816 wrote to memory of 4620	3816	Adgbpc32.exe	89
PID 3816 wrote to memory of 4620	3816	Adgbpc32.exe	89
PID 3816 wrote to memory of 4620	3816	Adgbpc32.exe	89
PID 4620 wrote to memory of 1568	4620	Ageolo32.exe	90
PID 4620 wrote to memory of 1568	4620	Ageolo32.exe	90
PID 4620 wrote to memory of 1568	4620	Ageolo32.exe	90
PID 1568 wrote to memory of 3084	1568	Ajckij32.exe	92
PID 1568 wrote to memory of 3084	1568	Ajckij32.exe	92
PID 1568 wrote to memory of 3084	1568	Ajckij32.exe	92
PID 3084 wrote to memory of 1388	3084	Aqncedbp.exe	93
PID 3084 wrote to memory of 1388	3084	Aqncedbp.exe	93
PID 3084 wrote to memory of 1388	3084	Aqncedbp.exe	93
PID 1388 wrote to memory of 2424	1388	Aclpap32.exe	94
PID 1388 wrote to memory of 2424	1388	Aclpap32.exe	94
PID 1388 wrote to memory of 2424	1388	Aclpap32.exe	94
PID 2424 wrote to memory of 2024	2424	Ajfhnjhq.exe	96
PID 2424 wrote to memory of 2024	2424	Ajfhnjhq.exe	96
PID 2424 wrote to memory of 2024	2424	Ajfhnjhq.exe	96
PID 2024 wrote to memory of 4412	2024	Aeklkchg.exe	97
PID 2024 wrote to memory of 4412	2024	Aeklkchg.exe	97
PID 2024 wrote to memory of 4412	2024	Aeklkchg.exe	97
PID 4412 wrote to memory of 1560	4412	Agjhgngj.exe	98
PID 4412 wrote to memory of 1560	4412	Agjhgngj.exe	98
PID 4412 wrote to memory of 1560	4412	Agjhgngj.exe	98
PID 1560 wrote to memory of 3696	1560	Andqdh32.exe	99
PID 1560 wrote to memory of 3696	1560	Andqdh32.exe	99
PID 1560 wrote to memory of 3696	1560	Andqdh32.exe	99
PID 3696 wrote to memory of 908	3696	Aeniabfd.exe	101
PID 3696 wrote to memory of 908	3696	Aeniabfd.exe	101
PID 3696 wrote to memory of 908	3696	Aeniabfd.exe	101
PID 908 wrote to memory of 4556	908	Afoeiklb.exe	102
PID 908 wrote to memory of 4556	908	Afoeiklb.exe	102
PID 908 wrote to memory of 4556	908	Afoeiklb.exe	102
PID 4556 wrote to memory of 3876	4556	Anfmjhmd.exe	103
PID 4556 wrote to memory of 3876	4556	Anfmjhmd.exe	103
PID 4556 wrote to memory of 3876	4556	Anfmjhmd.exe	103
PID 3876 wrote to memory of 4352	3876	Aadifclh.exe	104
PID 3876 wrote to memory of 4352	3876	Aadifclh.exe	104
PID 3876 wrote to memory of 4352	3876	Aadifclh.exe	104
PID 4352 wrote to memory of 4280	4352	Agoabn32.exe	105
PID 4352 wrote to memory of 4280	4352	Agoabn32.exe	105
PID 4352 wrote to memory of 4280	4352	Agoabn32.exe	105
PID 4280 wrote to memory of 2176	4280	Bjmnoi32.exe	106
PID 4280 wrote to memory of 2176	4280	Bjmnoi32.exe	106
PID 4280 wrote to memory of 2176	4280	Bjmnoi32.exe	106
PID 2176 wrote to memory of 4100	2176	Bmkjkd32.exe	107

C:\Users\Admin\AppData\Local\Temp\9916499c3b91642ebed0129f74e40ec64a97cbf9e6561a24a6cf6147e85c2ce9.exe
"C:\Users\Admin\AppData\Local\Temp\9916499c3b91642ebed0129f74e40ec64a97cbf9e6561a24a6cf6147e85c2ce9.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Windows\SysWOW64\Qfcfml32.exe
  C:\Windows\system32\Qfcfml32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3484
- - C:\Windows\SysWOW64\Qqijje32.exe
    C:\Windows\system32\Qqijje32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3932
  - - C:\Windows\SysWOW64\Qcgffqei.exe
      C:\Windows\system32\Qcgffqei.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:452
    - - C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4988
      - C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3816
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:908
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4100
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3076
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3992
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2912
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1132
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4020
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:468
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4952
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4776
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5084
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3880
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3228
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4732
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:892
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:868
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1840
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:60
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3616
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2140
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        54⤵
        Executes dropped EXE
        
        PID:2688
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1300
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1052
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:804
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3764
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3356
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:4240
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 416
        68⤵
        Program crash
        
        PID:516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4240 -ip 4240
1⤵
PID:4716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
95KB

MD5
2c4e4466577186f87f1d350f583535ca

SHA1
9f4b2be5610828acf3eac7280bb0415fafacc83a

SHA256
6b34f3d91af6dfebb1884654bcacd19c6c1ddd7f593a4fa675c174d5e395fc80

SHA512
3d706c77363704dfa617f42ac824354570048dd174fd619d939777eef051477a6ed607c3dba67afa739a00c8108266f99722bb625b57522a8e38352224a22a99

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
95KB

MD5
6c24a8d6c8e684aa67e872072effb8ef

SHA1
ae4001a709a4c2ba8293e7fe31ed556402569ffb

SHA256
0380c81fbc449384133eb8858480e2f62b9fbd7e7335c0305a21ff7d392af715

SHA512
77842ef11678c4f0640c522d697014f5762b78c227d81c19cf111121a09617c8b9d5a7e01c896a06c74f82aaa119db7637813680359666eef4d7bb95732b5bd9

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
95KB

MD5
9275706edf113382f312f2aeb81615cc

SHA1
06a96f797bc39769bb0aa82950e08b15e8c71560

SHA256
55f86ecbfb3ae6107f1e136e6593453f98c3e5c3226b15b7efe81e03e22d4d82

SHA512
65ebe0626a6c3532c2ca6cf77159dcd1405590933946cdf8e308b743ccd9b4521f99757d1d551f2abadf54c1ba093043321c7f7586082b6e4be2a6b9624f1b2d

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
95KB

MD5
e16e0be3fbd563888424437b0bf3d244

SHA1
b53a90bd6b5c688eafe533c6ce54707fac3a3e95

SHA256
c1183e12138f95de5aa4ea73bea3e4b7d863ec964f5de0ea8e7b99f52a6e06fa

SHA512
ded9d6314943bf87222917678bf89e918b8cbaa0d4dc0d52a373b0867f548ca54475a33566b5dc6d87285595bf61ead4a3606312c8961d0b4c95087682ef44d2

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
95KB

MD5
d87438bc2462846ba51c2e1783465931

SHA1
8a39dfa5e022378908c5c275c47a57375edaedc3

SHA256
63eedf2a6a1721448fa0b00d67d18bbe335280ba5bfa82ce9dd0866b196ba8ce

SHA512
2274df3fc1a8fa11c847d48818aeb243a76e64a7de2a16fc92b04c57bf64c2372655eefdb8d11e479022366ab1c92928ffa0efd96c094eed6078910e4d6695b7

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
95KB

MD5
11904f839fce69e9894cb00dd60aa0f9

SHA1
6f70f2be085594052a8684fa95fa5d85ad8259f6

SHA256
4438d6e33a5b319c41750a98a71de657df859ab3c5f505e268b62d84d7b55f2b

SHA512
066e6a3b9047a3005731737bf5b2bef04f966a4d719b59730170ed10a4610f9d8f7551464b2c18452f76ae39e3978c4f9c8556791cac1f0fefdc3bf61ff4fc9e

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
95KB

MD5
1ab66d69f613c5b82b03f1a507070a0c

SHA1
1035f8faf8eba9d667525ba32c98bcc0120833a6

SHA256
a5f4c0df1cb540fe9b9e7640ad093f9e82c5ddf233904fe08bdd5918c86a9f6c

SHA512
8277ae832194e0202c4e7caa1fa8dc11d18ddcbe966659f5ee7082a6a670b9f1dbcf1431350b3402dd199a87f1d028839fef0c0768f1bde0142701bed677379a

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
95KB

MD5
f93f9d0cfa49a5e1e4b8d2d528460a5e

SHA1
9c25cebcb5df11d619c8c0c6494f02343fd04a47

SHA256
79201f8c9ec3c0f35e3e7cee9dc1633cd22c45357cd041371201aa07885ad071

SHA512
9d65db4f87eb698a5a79c1ea4228da7f5a4513a79098e9725dbe6148bec7e5192334af8440d2335b97b060c68f13bf913cdcbb96dc5005561e9920557ac274fa

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
95KB

MD5
cac75769ec58e3021852360f5a030674

SHA1
455338f33e9135399273457d34bdd388ffa0eb9f

SHA256
7261c46179434c72fd1766b7d4a380128123958fcc9ca89706ef356c2d750c37

SHA512
81e12612609f16764639192ff76a652225e4c5e0a72c3b8ca2c3b925378852a1c00e4631f98da9903c4ec7ff5abc777d9f8601604b8beb412fd8c32ff8f15f68

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
95KB

MD5
7a3564d93c03d1b666ed0146fed8f38f

SHA1
cb96fe895e3f0bdfd431fde9199a2bd585250aaf

SHA256
8f8e65097cad5ba8ef0a97598cbf515f88e9001638a2f91c65835ca84c8cb0d6

SHA512
978419c15bd7d661654fbac737b26d753e9f8b00000298975207c7d735a3f2c317a29fb1e86d572f7b2875676ae3b382f889197216f782673d79e099246a16a0

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
95KB

MD5
8d6ed2474a3be9443435517e69c4308a

SHA1
4e611f45d4c4077220ccf0b21f486f6070e79497

SHA256
f0cd0ee0756ed2957764ffeab18443b833769778de0dabcbb3f4b1bf38452eb6

SHA512
47c7fb3369cb5c29647f27af4b586ab1952f71fdba24fcfc9dc6fb9bcb9bd8a1dd3a524b02769d69a12c8abe8b013c22e69a1658c1a43fb257309213c5e210b2

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
95KB

MD5
6339d65b2f8cf6c7dca593528e3e936f

SHA1
56c958f74b0ef909ea4d3cd5a40bba99fc16bbb7

SHA256
1a95a208cef14f81205b79c8ed9fb90800824c4b9b2d76ccd156081e08666b91

SHA512
8f537d7977406e51e1a9c549b5bc7a958b471d6c0694eff172f587f99c94aeee7d12a8884cad773da4895d197a64ab6d5e4ced88971f699a7997c7b21f88335e

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
95KB

MD5
18726e2666b5eba614c0da0951400bdc

SHA1
dd40526cc0a5bd864b88d906ad506a28c9ac6533

SHA256
69c68dfbe8085edafd720f9cf8f1d676161bb23eb700cc76d8cb734c4b91a632

SHA512
206d1aa6dc137a3ad644f7cd529ed60b2b420b788d7fa189d8a400b809c090fea1031f0a6c9d4476949b062a94c6b691d0d4c607e3cecb28206e9b27c53f9d6f

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
95KB

MD5
89a8deb1048ea45cf14c65871400e3ba

SHA1
941953aef9d10346b5c3ab861e188628c07a8e41

SHA256
6dc090bb3adc9ec862470599d05717c46d9071ad8836d425c61dbfaa349fd039

SHA512
123df83364a15241da362b3c0978ac2ed521c8a866e52024f5864a032a4ad93fdf8ed10e622b930d0a4571f5556e74ce3092ad7e40af544414f45e33a82b8c50

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
95KB

MD5
741f8136352146890047b95b45f63a7a

SHA1
3e7dc0c3ca171837a3c290302bcabc0c8b9be381

SHA256
05da3757d1bb57ceb9a96b1b5d57394a52482b785c13feb7eff430457444866a

SHA512
ba8f608f27886ef8a94ce13cebc8d86e214b815bde7fcd7671693ecc088fb3907f8a8e8899a3f925ea5117cd88a87236e8398790e74169e6a755493283b24851

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
95KB

MD5
558cf5822f6a71b1562ca37fee890fbb

SHA1
306cdd87c748e936cbadbbd12625078c28b54828

SHA256
6a84e7f1162ea018028de4e02ad938f07254318ada3e45e1c90924dda37541a4

SHA512
c77d2166144cffef0f50e667111af8c17a20482281809d5295ace0d01fb48f5f08682b47e968905e10a86c44dac5316d52f8245fae4c75ee5d92218d22bb83be

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
95KB

MD5
0c9a639d3fb3ae6e1a1bd3aceb1a2357

SHA1
2a5366143d467702e51141c93ffc6bed872158c8

SHA256
84da98654b2034294fbc0624b64e239b76f50ff3ee10ba4747cdae37c6db7022

SHA512
4be05bad2ea092aff008de7f272850e5e4d7a6d0e4076af49408a84af91720472bc8f9201f64bf9d2b13cb3b203007060fb1235d92c1f8b35b222f8ea448fb68

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
95KB

MD5
2d4bcef9c82ce70f96a16794334d5bae

SHA1
6153c17279b61efbcb5f382a4a0b7cb469fcbd72

SHA256
c1d996d0ed0a28a466611d30fcb3e889632f71f991abb904bc26182cf52dd1a4

SHA512
0b55634289768354da252713d8a41ae3ee8ac7ec8981e0e93d1807b43eab0808e5adf3f7fdde587a5446c66a0c617b2553eb0cb7c49e42b573585dab097db7cb

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
95KB

MD5
d460864c5e6103c8942726f08e6fea97

SHA1
bb6a20375d6165fdbd4ab9e5f2289ecb4e80ae57

SHA256
90dd4bb105b0e6bd93ff76e51a17aed28f6eee7642deb8a96d247633a9cb4aed

SHA512
e333350372d7f3f8b16f1abbdeae72cb56d9a8723ed471f5d425e7c158c10be50ef9dd1de739ceac58b2bbed24d4211a1aad304a37d6614fd81fdb45ac1c24e0

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
95KB

MD5
a32715c60363929f41831e8db6dd1c18

SHA1
342128faad5ba16f5288263b8e4515514a671a7d

SHA256
327e715126ad61481659ace948db27602fe06ff84292e977b4f0ad9f7efa1e7e

SHA512
c4cf8b69f0bed8301d5131dc6f664f0608c65a0bfeaeed4347a0bca65fedf85a5dcfe604ae4f3961cd95e883e8a2556530aee1203ef7cf8eb017baddb9c5ea6b

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
95KB

MD5
01a6376dac1534edd566c06d33369490

SHA1
9e210618b5433748c6fda525e8f4899b9d3cf494

SHA256
c74114d633d35f9b774d53918035721adc1d6e5cf899c2819ccb942aa378eda7

SHA512
ef6ea6dda2b904d7076816fe0b1ba24ea5784958f73df9e4c7ec61f0655f3acecc2fa0521304c6284f5a5e5629b60822e3250c6da8a618503a70059010f246c0

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
95KB

MD5
afe0fdb1ab240effada6a187726bab40

SHA1
b9f6463647297df65986465404e7ff0f7de4ab00

SHA256
bd74c2730cb7328a8967fbc2f0c9ddae70497e2222f6695a68ba18df9db5a5a7

SHA512
bf7cd4c2a8e555f368e79052e16e2d1fbabda55ebaf43808c075f4d7241ceba6eac321e0508825889d59d89869ab3026f81408711a14254d30fc413fccd92e5d

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
95KB

MD5
3fa7acb6abba00b6ba5f2ec739032d26

SHA1
6df265a8f228b17ec8902852d371648ac94ff50f

SHA256
03c4ea49b813fe08539b1055aa0feab15a4f53474bc79327b1103dd7339128d8

SHA512
a31c637a24e8c80dd81678b7cb2d53806fd39c3ec9e1aa989738a0bcd081083e9bc68c3608b4d45324a183d815d9d0de9211f892c6ae3b7210518e0eb93ca5a4

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
95KB

MD5
ee2dbae7cc8a917821da7ebaf6254b7d

SHA1
a7c535fc4729685c9a902271911a1375ab43bf7e

SHA256
a82655c89f3f6a1835c4383d82440e61de8d238737dc1439e66ff9103d46a837

SHA512
44d3abb4dc934becf299cad5b895781b9404d7be1573fb1366b5c69c555b5ddb909d7d2496dccb261a76cfb221487ff766552a31ae5516eed918be1c5f64da4a

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
95KB

MD5
80655d55187470bc6e52b63dfb8c195c

SHA1
2bcf2f13829ace32866accc8a7021f16911bb632

SHA256
33e0c15b0d80526317bbf1d51614f9d25fcfd4774f210fd73c10e83ff9448086

SHA512
7ce15b91a07240fa02481c3799c2231081fa3d3f176aa259f598f227186e7b5c942ff70b3970b1f517077481b79950f55ae61451fe24907b52d4c3c7a68fcd3f

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
95KB

MD5
c879380a4452bc619363831fab78e855

SHA1
eba5ae5988a007b574ef706a4b5d162c4a895085

SHA256
9bc0ea4cfa9a5f61526f1508f8e3ad187a2097bbe541c9ee23d07779d21d6416

SHA512
072fcfa9289e8ed053452ddf42da4233b109b5df06fb2874f282e1273bbe4910a885983088eb991b0f183ebdfecbdcf51f8d4fa9214040410f0a30f110803414

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
95KB

MD5
53533082919a4f5962c39cebc639078f

SHA1
31154fcfe26478e4d416e57c07c6daa10ecb37b7

SHA256
5a2f75a1f87ab905c4e0fef8bb2dffca1367cadd58399b601b286436adb86039

SHA512
0c6ce236ee80c2a750f1c77792d22b69d0a3d943795b1c8f27e79340436106f1f83b344c603b45deda72e1ee68bf22c79a6d617aa3a2fc3ee307de6ae92d0803

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
95KB

MD5
618d2d34c5fd80ed5c105e095e9f9f27

SHA1
1553bdd83e3e88c80f0e89916426ecc1196f2b2f

SHA256
e39d536dec6f8b1706d8168410c15f66c5d6e8bf541ebae78d62d5c3fd1e0194

SHA512
bed6345d184b900a8f2e6df414efb6ff090d8708ce89bdc9291d6de31430707a0610f29821896df8a02faad92b1c718d0170c4c14468c77822d32b84b3eb6b16

Download Submit
C:\Windows\SysWOW64\Daqbip32.exe

Filesize
95KB

MD5
3249137a9712117573061dc928fbcf7c

SHA1
924d0d9667fa5f59c73b598c44e1f5a9b5a2ebee

SHA256
08beca5a01a557f4906e2071ae37b58bcc0a960cb6f8502e9597a438f0e33b60

SHA512
334f9a90f7d4f8d23b2135ebcdb461542bede531f888ee32b031f8ecc5d17e3e7abe21672932a0c530b9f2d8b4c84d75e58d882bfe452d67771d4356b6745faa

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
95KB

MD5
af809d779da60a1591a63377a075a4af

SHA1
5cb10192adb0fe6ea13f4c1af7478c2e70bcc947

SHA256
6ffc8bfd981c4d4395966bd0775dfd064b207d99b8607fd8a9764a78e8d8d95b

SHA512
c5815c14786ddce7ea33fe6e8aef5809b6e92cca70e2a6bc68dbe2805ecfb912bc99ced550b01aa8f8e1cab8892f70d28f1187a583818755c3450e8427d520bf

Download Submit
C:\Windows\SysWOW64\Ehmdjdgk.dll

Filesize
7KB

MD5
2b8a82185eea8e6eeebe12689702103f

SHA1
d09839e9c43068ab4239f967b6e9a2b72ee679cb

SHA256
8faf74267606f07fc591b629aa8b4cf1bc86d686e0893fabc3b7550da7b80f0f

SHA512
1a474a71004c969db4bb16b12c2bb71e5e65fa21016602536cc9d68a56c58e1cc8add2f4c6014b3c9ecfd5fdc51e32ba43d4a5cd61b1ffcc5e004c0ce14de9d1

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
95KB

MD5
d5c785219f3b286db645daf805d28e5a

SHA1
b7b03e0e65e9cccf7fc8d582b40cf209c1829418

SHA256
9082eadbb6db86cf26e1380339e5e856d756cd9b65a963e6a6efe46fb5ca1fb0

SHA512
8075210fb0b70009e28a25a1d3ceaa0bf19b218121cc1a907a9e60db7665da3a19b5a8b774bfe343916b8d0f4a91edb2fd585ebe380e67c4ff103169b9e944ea

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
95KB

MD5
29af7e9811794ad35a99f55db44b1f52

SHA1
bbd291a9043c92800ea229faef34862f60700460

SHA256
34346af6491e993ee9f4cdca466d52c480dd57810c7daffa94f1f592d718511c

SHA512
5ace6a24ab330aae6db6d00c55ed808305e75cb8c90cb01459397f16d10c3d00bd869cab9016354a37965bd7361810da7bb4d75922b5e036962adfe5d5f936f7

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
95KB

MD5
accb58e5327a29f055c5842056d231d8

SHA1
afed881934b4a818d6c1613d86a41abe1612b26d

SHA256
a41e096234a3567f6a1d124a5ab34758b4c654eddb81c37f132faefa560f17af

SHA512
9a4eb2ba62162ad95a338581ceea94b4ed574e1cd1065627fc1f93162a800d021ab7f87932e9da8be866b89989c8950f5c001ee097d0e61e072e24274c2c80f2

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
95KB

MD5
c15b3ccea881d7737f93bc3da9ec5984

SHA1
9357c519a282e48d76094e358dfc69d0b8a332ac

SHA256
45c55a3ae2cbf488734046a8ebd21690ca1a4353a626b141250d6cc5237c5c2b

SHA512
856424cccd15a9d6302c3a039ef073010fc1290fbdd5ee2c21018857b22e4779f36c9c33a2dfbe28a86260c1598c7702d7a083078ecc68c932dcaf1c9fb4511b

Download Submit
memory/60-376-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/452-106-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/452-23-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/468-270-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/468-340-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/868-423-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/868-355-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/892-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/892-409-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/908-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/908-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1132-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1132-326-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1388-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1388-170-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1484-197-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1484-285-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1560-205-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1560-116-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1568-151-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1568-63-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1840-369-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1932-410-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2024-187-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2024-99-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2140-403-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2176-268-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2176-180-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2188-416-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2188-348-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2316-417-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2424-90-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2424-179-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2688-424-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2912-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2912-306-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2980-242-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2980-321-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3076-292-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3076-207-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3084-71-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3084-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3228-324-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3484-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3484-8-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3592-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3592-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3616-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3696-215-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3696-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3816-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3816-133-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3876-241-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3876-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3880-368-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3880-300-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3932-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3932-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3992-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3992-220-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4020-333-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4020-261-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4072-327-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4072-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4100-277-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4100-188-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4232-362-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4280-260-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4280-171-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4320-239-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4352-162-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4352-250-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4400-313-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4400-382-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4412-107-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4412-196-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4556-238-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4556-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4620-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4620-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4732-334-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4732-402-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4776-354-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4776-286-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4856-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4856-124-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4884-307-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4884-375-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4924-389-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4944-396-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4952-278-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4952-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4988-115-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4988-31-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5084-361-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5084-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads