f80de9b1780c03cfd79ca46b26e9accfc88b946234b19f4b7378dd45b2678c01

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f80de9b1780c03cfd79ca46b26e9accfc88b946234b19f4b7378dd45b2678c01N.exe
Size

93KB
MD5

fcc932b433ccae54465e46c2befdf820
SHA1

055a6866e6bd6a10706473718c946a7d033a2f1f
SHA256

f80de9b1780c03cfd79ca46b26e9accfc88b946234b19f4b7378dd45b2678c01
SHA512

5ac7d83d5d4b77765598e00b71cf572d5d0af54d7d1462b70f3a9dbe4063937ade555f5bc43abf785056777d9640c3d55cf04b5be973285eb0ebff45af90656f
SSDEEP

1536:XMWAAMdD+jnJx5RBjjiWm9si2bJc0LO1VSz9z/YJjaesRQvRkRLJzeLD9N0iQGR4:XMW8QzhiWmNYROqz9zAJ+1evSJdEN0si

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajdbac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Babcil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ciihjmcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dcffnbee.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjhkmbho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfolacnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgmhcaac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cpfmlghd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ccdihbgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdjblf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpfmlghd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkbfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpcgpihi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bpcgpihi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bpqjjjjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Baepolni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdcmkgmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bdcmkgmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ckggnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccdihbgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dphiaffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bpqjjjjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmdkcnie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfkbfd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Babcil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckggnp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciihjmcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cgmhcaac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dknnoofg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjhkmbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfolacnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dcffnbee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgbanq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmdkcnie.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgdemb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajjjk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdjblf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	f80de9b1780c03cfd79ca46b26e9accfc88b946234b19f4b7378dd45b2678c01N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	f80de9b1780c03cfd79ca46b26e9accfc88b946234b19f4b7378dd45b2678c01N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmbgdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknnoofg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baepolni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgdemb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajdbac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dinael32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbanq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cajjjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmbgdl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dinael32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dphiaffa.exe

Executes dropped EXE 26 IoCs

pid	Process
536	Ajdbac32.exe
4780	Bpqjjjjl.exe
828	Bfkbfd32.exe
4564	Bmdkcnie.exe
2328	Bpcgpihi.exe
4956	Bjhkmbho.exe
1920	Babcil32.exe
1460	Bfolacnc.exe
2288	Baepolni.exe
2240	Bdcmkgmm.exe
4820	Bagmdllg.exe
3872	Bgdemb32.exe
1672	Cajjjk32.exe
216	Cdjblf32.exe
2044	Cmbgdl32.exe
4244	Ckggnp32.exe
2896	Ciihjmcj.exe
3648	Cgmhcaac.exe
4800	Cpfmlghd.exe
4696	Ccdihbgg.exe
1624	Dinael32.exe
3244	Dphiaffa.exe
4104	Dcffnbee.exe
5044	Dgbanq32.exe
3924	Dknnoofg.exe
4472	Diqnjl32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mgmqkimh.dll	Bpqjjjjl.exe
File created	C:\Windows\SysWOW64\Lpphjbnh.dll	Baepolni.exe
File created	C:\Windows\SysWOW64\Dcjdilmf.dll	Cdjblf32.exe
File created	C:\Windows\SysWOW64\Mfnlgh32.dll	Ciihjmcj.exe
File opened for modification	C:\Windows\SysWOW64\Bdcmkgmm.exe	Baepolni.exe
File opened for modification	C:\Windows\SysWOW64\Ckggnp32.exe	Cmbgdl32.exe
File created	C:\Windows\SysWOW64\Babcil32.exe	Bjhkmbho.exe
File created	C:\Windows\SysWOW64\Bfolacnc.exe	Babcil32.exe
File created	C:\Windows\SysWOW64\Gfchag32.dll	Bdcmkgmm.exe
File created	C:\Windows\SysWOW64\Diqnjl32.exe	Dknnoofg.exe
File opened for modification	C:\Windows\SysWOW64\Bfkbfd32.exe	Bpqjjjjl.exe
File created	C:\Windows\SysWOW64\Mkddhfnh.dll	Bagmdllg.exe
File opened for modification	C:\Windows\SysWOW64\Bgdemb32.exe	Bagmdllg.exe
File created	C:\Windows\SysWOW64\Qahlom32.dll	Dknnoofg.exe
File opened for modification	C:\Windows\SysWOW64\Bagmdllg.exe	Bdcmkgmm.exe
File created	C:\Windows\SysWOW64\Cgmhcaac.exe	Ciihjmcj.exe
File created	C:\Windows\SysWOW64\Ajdbac32.exe	f80de9b1780c03cfd79ca46b26e9accfc88b946234b19f4b7378dd45b2678c01N.exe
File opened for modification	C:\Windows\SysWOW64\Ciihjmcj.exe	Ckggnp32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbanq32.exe	Dcffnbee.exe
File opened for modification	C:\Windows\SysWOW64\Ajdbac32.exe	f80de9b1780c03cfd79ca46b26e9accfc88b946234b19f4b7378dd45b2678c01N.exe
File created	C:\Windows\SysWOW64\Bjhkmbho.exe	Bpcgpihi.exe
File created	C:\Windows\SysWOW64\Fiplni32.dll	Ckggnp32.exe
File created	C:\Windows\SysWOW64\Kdfepi32.dll	Dgbanq32.exe
File created	C:\Windows\SysWOW64\Bpcgpihi.exe	Bmdkcnie.exe
File created	C:\Windows\SysWOW64\Fekmfnbj.dll	Bpcgpihi.exe
File created	C:\Windows\SysWOW64\Baepolni.exe	Bfolacnc.exe
File opened for modification	C:\Windows\SysWOW64\Cmbgdl32.exe	Cdjblf32.exe
File created	C:\Windows\SysWOW64\Ckggnp32.exe	Cmbgdl32.exe
File created	C:\Windows\SysWOW64\Dodebo32.dll	Cmbgdl32.exe
File created	C:\Windows\SysWOW64\Dinael32.exe	Ccdihbgg.exe
File created	C:\Windows\SysWOW64\Dccfme32.dll	Ccdihbgg.exe
File opened for modification	C:\Windows\SysWOW64\Dcffnbee.exe	Dphiaffa.exe
File created	C:\Windows\SysWOW64\Dknnoofg.exe	Dgbanq32.exe
File created	C:\Windows\SysWOW64\Qecffhdo.dll	Cajjjk32.exe
File opened for modification	C:\Windows\SysWOW64\Cgmhcaac.exe	Ciihjmcj.exe
File opened for modification	C:\Windows\SysWOW64\Cpfmlghd.exe	Cgmhcaac.exe
File created	C:\Windows\SysWOW64\Dcffnbee.exe	Dphiaffa.exe
File created	C:\Windows\SysWOW64\Dgbanq32.exe	Dcffnbee.exe
File opened for modification	C:\Windows\SysWOW64\Dknnoofg.exe	Dgbanq32.exe
File created	C:\Windows\SysWOW64\Pnbmhkia.dll	f80de9b1780c03cfd79ca46b26e9accfc88b946234b19f4b7378dd45b2678c01N.exe
File opened for modification	C:\Windows\SysWOW64\Babcil32.exe	Bjhkmbho.exe
File created	C:\Windows\SysWOW64\Fcanfh32.dll	Bjhkmbho.exe
File opened for modification	C:\Windows\SysWOW64\Bfolacnc.exe	Babcil32.exe
File opened for modification	C:\Windows\SysWOW64\Baepolni.exe	Bfolacnc.exe
File created	C:\Windows\SysWOW64\Bdcmkgmm.exe	Baepolni.exe
File opened for modification	C:\Windows\SysWOW64\Cdjblf32.exe	Cajjjk32.exe
File created	C:\Windows\SysWOW64\Cpfmlghd.exe	Cgmhcaac.exe
File created	C:\Windows\SysWOW64\Bkodbfgo.dll	Dinael32.exe
File opened for modification	C:\Windows\SysWOW64\Diqnjl32.exe	Dknnoofg.exe
File created	C:\Windows\SysWOW64\Glofjfnn.dll	Ajdbac32.exe
File created	C:\Windows\SysWOW64\Elekoe32.dll	Bmdkcnie.exe
File created	C:\Windows\SysWOW64\Kbpkkeen.dll	Babcil32.exe
File created	C:\Windows\SysWOW64\Bgdemb32.exe	Bagmdllg.exe
File created	C:\Windows\SysWOW64\Bfkbfd32.exe	Bpqjjjjl.exe
File opened for modification	C:\Windows\SysWOW64\Bjhkmbho.exe	Bpcgpihi.exe
File created	C:\Windows\SysWOW64\Bagmdllg.exe	Bdcmkgmm.exe
File created	C:\Windows\SysWOW64\Pknjieep.dll	Bgdemb32.exe
File created	C:\Windows\SysWOW64\Lljoca32.dll	Cgmhcaac.exe
File opened for modification	C:\Windows\SysWOW64\Bmdkcnie.exe	Bfkbfd32.exe
File created	C:\Windows\SysWOW64\Cdjblf32.exe	Cajjjk32.exe
File created	C:\Windows\SysWOW64\Ccdihbgg.exe	Cpfmlghd.exe
File created	C:\Windows\SysWOW64\Efoope32.dll	Cpfmlghd.exe
File created	C:\Windows\SysWOW64\Bpqjjjjl.exe	Ajdbac32.exe
File opened for modification	C:\Windows\SysWOW64\Bpqjjjjl.exe	Ajdbac32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
316	4472	WerFault.exe	116

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjhkmbho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgdemb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpfmlghd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dphiaffa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcffnbee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmdkcnie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpcgpihi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckggnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccdihbgg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dinael32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfolacnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baepolni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgmhcaac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpqjjjjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdcmkgmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagmdllg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajjjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbanq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdjblf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmbgdl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Diqnjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f80de9b1780c03cfd79ca46b26e9accfc88b946234b19f4b7378dd45b2678c01N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkbfd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Babcil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihjmcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajdbac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknnoofg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfolacnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cajjjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ciihjmcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cpfmlghd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlkppnab.dll"	Dcffnbee.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	f80de9b1780c03cfd79ca46b26e9accfc88b946234b19f4b7378dd45b2678c01N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	f80de9b1780c03cfd79ca46b26e9accfc88b946234b19f4b7378dd45b2678c01N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bmdkcnie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dknnoofg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bdcmkgmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmbgdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dgbanq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	f80de9b1780c03cfd79ca46b26e9accfc88b946234b19f4b7378dd45b2678c01N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Babcil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bpcgpihi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bgdemb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cajjjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ckggnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efoope32.dll"	Cpfmlghd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dinael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glofjfnn.dll"	Ajdbac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajdbac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dinael32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Baepolni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ccdihbgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdfepi32.dll"	Dgbanq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfkbfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elekoe32.dll"	Bmdkcnie.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfchag32.dll"	Bdcmkgmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdjblf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmbgdl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajdbac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bpqjjjjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bdcmkgmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkddhfnh.dll"	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodebo32.dll"	Cmbgdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cgmhcaac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dccfme32.dll"	Ccdihbgg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgmqkimh.dll"	Bpqjjjjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfkbfd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cgmhcaac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cpfmlghd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fekmfnbj.dll"	Bpcgpihi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjhkmbho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ckggnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiplni32.dll"	Ckggnp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dphiaffa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Babcil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfolacnc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ciihjmcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkodbfgo.dll"	Dinael32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbmhkia.dll"	f80de9b1780c03cfd79ca46b26e9accfc88b946234b19f4b7378dd45b2678c01N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pknjieep.dll"	Bgdemb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjhkmbho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bagmdllg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfnlgh32.dll"	Ciihjmcj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dknnoofg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	f80de9b1780c03cfd79ca46b26e9accfc88b946234b19f4b7378dd45b2678c01N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bpqjjjjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bpcgpihi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qecffhdo.dll"	Cajjjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcanfh32.dll"	Bjhkmbho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbpkkeen.dll"	Babcil32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 536	1652	f80de9b1780c03cfd79ca46b26e9accfc88b946234b19f4b7378dd45b2678c01N.exe	91
PID 1652 wrote to memory of 536	1652	f80de9b1780c03cfd79ca46b26e9accfc88b946234b19f4b7378dd45b2678c01N.exe	91
PID 1652 wrote to memory of 536	1652	f80de9b1780c03cfd79ca46b26e9accfc88b946234b19f4b7378dd45b2678c01N.exe	91
PID 536 wrote to memory of 4780	536	Ajdbac32.exe	92
PID 536 wrote to memory of 4780	536	Ajdbac32.exe	92
PID 536 wrote to memory of 4780	536	Ajdbac32.exe	92
PID 4780 wrote to memory of 828	4780	Bpqjjjjl.exe	93
PID 4780 wrote to memory of 828	4780	Bpqjjjjl.exe	93
PID 4780 wrote to memory of 828	4780	Bpqjjjjl.exe	93
PID 828 wrote to memory of 4564	828	Bfkbfd32.exe	94
PID 828 wrote to memory of 4564	828	Bfkbfd32.exe	94
PID 828 wrote to memory of 4564	828	Bfkbfd32.exe	94
PID 4564 wrote to memory of 2328	4564	Bmdkcnie.exe	95
PID 4564 wrote to memory of 2328	4564	Bmdkcnie.exe	95
PID 4564 wrote to memory of 2328	4564	Bmdkcnie.exe	95
PID 2328 wrote to memory of 4956	2328	Bpcgpihi.exe	96
PID 2328 wrote to memory of 4956	2328	Bpcgpihi.exe	96
PID 2328 wrote to memory of 4956	2328	Bpcgpihi.exe	96
PID 4956 wrote to memory of 1920	4956	Bjhkmbho.exe	97
PID 4956 wrote to memory of 1920	4956	Bjhkmbho.exe	97
PID 4956 wrote to memory of 1920	4956	Bjhkmbho.exe	97
PID 1920 wrote to memory of 1460	1920	Babcil32.exe	98
PID 1920 wrote to memory of 1460	1920	Babcil32.exe	98
PID 1920 wrote to memory of 1460	1920	Babcil32.exe	98
PID 1460 wrote to memory of 2288	1460	Bfolacnc.exe	99
PID 1460 wrote to memory of 2288	1460	Bfolacnc.exe	99
PID 1460 wrote to memory of 2288	1460	Bfolacnc.exe	99
PID 2288 wrote to memory of 2240	2288	Baepolni.exe	100
PID 2288 wrote to memory of 2240	2288	Baepolni.exe	100
PID 2288 wrote to memory of 2240	2288	Baepolni.exe	100
PID 2240 wrote to memory of 4820	2240	Bdcmkgmm.exe	101
PID 2240 wrote to memory of 4820	2240	Bdcmkgmm.exe	101
PID 2240 wrote to memory of 4820	2240	Bdcmkgmm.exe	101
PID 4820 wrote to memory of 3872	4820	Bagmdllg.exe	102
PID 4820 wrote to memory of 3872	4820	Bagmdllg.exe	102
PID 4820 wrote to memory of 3872	4820	Bagmdllg.exe	102
PID 3872 wrote to memory of 1672	3872	Bgdemb32.exe	103
PID 3872 wrote to memory of 1672	3872	Bgdemb32.exe	103
PID 3872 wrote to memory of 1672	3872	Bgdemb32.exe	103
PID 1672 wrote to memory of 216	1672	Cajjjk32.exe	104
PID 1672 wrote to memory of 216	1672	Cajjjk32.exe	104
PID 1672 wrote to memory of 216	1672	Cajjjk32.exe	104
PID 216 wrote to memory of 2044	216	Cdjblf32.exe	105
PID 216 wrote to memory of 2044	216	Cdjblf32.exe	105
PID 216 wrote to memory of 2044	216	Cdjblf32.exe	105
PID 2044 wrote to memory of 4244	2044	Cmbgdl32.exe	106
PID 2044 wrote to memory of 4244	2044	Cmbgdl32.exe	106
PID 2044 wrote to memory of 4244	2044	Cmbgdl32.exe	106
PID 4244 wrote to memory of 2896	4244	Ckggnp32.exe	107
PID 4244 wrote to memory of 2896	4244	Ckggnp32.exe	107
PID 4244 wrote to memory of 2896	4244	Ckggnp32.exe	107
PID 2896 wrote to memory of 3648	2896	Ciihjmcj.exe	108
PID 2896 wrote to memory of 3648	2896	Ciihjmcj.exe	108
PID 2896 wrote to memory of 3648	2896	Ciihjmcj.exe	108
PID 3648 wrote to memory of 4800	3648	Cgmhcaac.exe	109
PID 3648 wrote to memory of 4800	3648	Cgmhcaac.exe	109
PID 3648 wrote to memory of 4800	3648	Cgmhcaac.exe	109
PID 4800 wrote to memory of 4696	4800	Cpfmlghd.exe	110
PID 4800 wrote to memory of 4696	4800	Cpfmlghd.exe	110
PID 4800 wrote to memory of 4696	4800	Cpfmlghd.exe	110
PID 4696 wrote to memory of 1624	4696	Ccdihbgg.exe	111
PID 4696 wrote to memory of 1624	4696	Ccdihbgg.exe	111
PID 4696 wrote to memory of 1624	4696	Ccdihbgg.exe	111
PID 1624 wrote to memory of 3244	1624	Dinael32.exe	112

C:\Users\Admin\AppData\Local\Temp\f80de9b1780c03cfd79ca46b26e9accfc88b946234b19f4b7378dd45b2678c01N.exe
"C:\Users\Admin\AppData\Local\Temp\f80de9b1780c03cfd79ca46b26e9accfc88b946234b19f4b7378dd45b2678c01N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\SysWOW64\Ajdbac32.exe
  C:\Windows\system32\Ajdbac32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Windows\SysWOW64\Bpqjjjjl.exe
    C:\Windows\system32\Bpqjjjjl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4780
  - - C:\Windows\SysWOW64\Bfkbfd32.exe
      C:\Windows\system32\Bfkbfd32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:828
    - - C:\Windows\SysWOW64\Bmdkcnie.exe
        
        C:\Windows\system32\Bmdkcnie.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4564
      - C:\Windows\SysWOW64\Bpcgpihi.exe
        
        C:\Windows\system32\Bpcgpihi.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Bjhkmbho.exe
        
        C:\Windows\system32\Bjhkmbho.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\SysWOW64\Babcil32.exe
        
        C:\Windows\system32\Babcil32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\Bfolacnc.exe
        
        C:\Windows\system32\Bfolacnc.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\SysWOW64\Baepolni.exe
        
        C:\Windows\system32\Baepolni.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\Bdcmkgmm.exe
        
        C:\Windows\system32\Bdcmkgmm.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\SysWOW64\Bagmdllg.exe
        
        C:\Windows\system32\Bagmdllg.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4820
        
        C:\Windows\SysWOW64\Bgdemb32.exe
        
        C:\Windows\system32\Bgdemb32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3872
        
        C:\Windows\SysWOW64\Cajjjk32.exe
        
        C:\Windows\system32\Cajjjk32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Cdjblf32.exe
        
        C:\Windows\system32\Cdjblf32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\SysWOW64\Cmbgdl32.exe
        
        C:\Windows\system32\Cmbgdl32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\SysWOW64\Ckggnp32.exe
        
        C:\Windows\system32\Ckggnp32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4244
        
        C:\Windows\SysWOW64\Ciihjmcj.exe
        
        C:\Windows\system32\Ciihjmcj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\SysWOW64\Cgmhcaac.exe
        
        C:\Windows\system32\Cgmhcaac.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\Windows\SysWOW64\Cpfmlghd.exe
        
        C:\Windows\system32\Cpfmlghd.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\SysWOW64\Ccdihbgg.exe
        
        C:\Windows\system32\Ccdihbgg.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\SysWOW64\Dinael32.exe
        
        C:\Windows\system32\Dinael32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\SysWOW64\Dphiaffa.exe
        
        C:\Windows\system32\Dphiaffa.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3244
        
        C:\Windows\SysWOW64\Dcffnbee.exe
        
        C:\Windows\system32\Dcffnbee.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4104
        
        C:\Windows\SysWOW64\Dgbanq32.exe
        
        C:\Windows\system32\Dgbanq32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Dknnoofg.exe
        
        C:\Windows\system32\Dknnoofg.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3924
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 412
        28⤵
        Program crash
        
        PID:316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4472 -ip 4472
1⤵
PID:4992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1036,i,4356837537417149674,16553092232944545509,262144 --variations-seed-version --mojo-platform-channel-handle=3676 /prefetch:8
1⤵
PID:4708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ajdbac32.exe

Filesize
93KB

MD5
60b2a7b30f2dffe01cf593b91cd9a801

SHA1
ddb704c254a00348e0073cee8a4f93175e043e0f

SHA256
44e9f9b65480a73d8e38458c1f0477d5a80bcab8c7cbfb18c7ea28fe9b97a79d

SHA512
0e9d05c2d688106479c27b14fc6ef3a9f6c5cee075d3fc75d58ccd293e31eb7f6a5527aa0c81fc59f3c8e3cca2800375deacd501d6fda854db4ecbc556533a9e

Download Submit
C:\Windows\SysWOW64\Babcil32.exe

Filesize
93KB

MD5
265f6f27c66cf4fe47bffc57699cb5cb

SHA1
e384d1b8b90516168fde2bcc412486211d66dd71

SHA256
7bd7ef0aece41fd23f2d925864fb064d4639012fa7f18f631f1fa1d56325951b

SHA512
c35caea1a6dfc0e214373a20bae6e3614f2f813eb8b11a1557b9a7354df3ea98b0ea6d8b1b59a776cb07cbb24d03e5cc9ac6a5a2cf5f6177278db04d15fb4672

Download Submit
C:\Windows\SysWOW64\Baepolni.exe

Filesize
93KB

MD5
bceb19055739954cd7d636d8fcd274ae

SHA1
dbb633bd8e60e8e9bfedf61c5a6576dfd3cec9f4

SHA256
3964dad3236363d3f273427794ed9c3599e2ef8e95a6dff298fa6a87c56785ca

SHA512
86bf47ebfce9a3d12316840a15e3bce9920d189ce395b2b0fdeec952ff4dccbeb225eed757e44e6e836008d939b2aacf9f70fd3bf1d6df7223bdd75688da2efc

Download Submit
C:\Windows\SysWOW64\Bagmdllg.exe

Filesize
93KB

MD5
cc5416d076683dde16cb3691b3d13123

SHA1
c45c132b9fe2c9b7a5ca6bdff41d0f7e19f0ae28

SHA256
8da2b50b018196529b82e8b5ff7f0488042e915333928f9485ec341195a7cf40

SHA512
b17e0bb79918cfcb172455e8f23bb148841e9073994c7d4a12b54fc8b21e0f4e5fa2d1cc4ce829a506236fa36b4c700c70bf4753454d3674b542d29529124c57

Download Submit
C:\Windows\SysWOW64\Bdcmkgmm.exe

Filesize
93KB

MD5
8f9606db05877175a36f63d6f8d70750

SHA1
6966b7955e6520beff6dc40baaa5656e83180fd9

SHA256
56ae64b5117cdc7417f39872a0697bdc59bf0f5c4815d80588c75bb51c2cf739

SHA512
ec8b6b6b1ed2b60a3da34c98aa17a06f490f167c4f1a25e0d9c3928c28911dfc9dac8f02763d73a052d4f0676db212e28334d170dcf264c6dc31525a3b5b6402

Download Submit
C:\Windows\SysWOW64\Bfkbfd32.exe

Filesize
93KB

MD5
c669c08a4e86ddd7458b3d5e2ce6eba3

SHA1
d1420c10a3b7e8e7e5afa64342500a3406d95567

SHA256
262c29ac9722c26551968963c953d48969cb6bd4d085a976a13363319fc53a13

SHA512
91350af5b05fc0818e9d5b847b56def895eccf1ef8e523a30e81e6715661d89e688ccb3c6355b0a2aeeb4d7b39ac773767291ec2b694d900620f9bf16882a0ff

Download Submit
C:\Windows\SysWOW64\Bfolacnc.exe

Filesize
93KB

MD5
23aec44b88eed0022edb50933cb93fb4

SHA1
a19b80bd7c0295d18028df27dfd04f01afd5a718

SHA256
b0c4410fcd1bc2a9055820be70f1d824f09de1af7a64a79dc380ffdbfcc35274

SHA512
0c645b69800abf1a841c53116285f780bdeff5ff3f08171a590e014c8ef08111d01c8dc71871d7309deaa54162d28e2b10bbf86c68c45dfe8f6e290171b13075

Download Submit
C:\Windows\SysWOW64\Bgdemb32.exe

Filesize
93KB

MD5
ee9d7bfb0fd193e2025684ae59118dd2

SHA1
adece31e12b12e1313e7a97c3bc056ec87f4ead5

SHA256
0b3f4e59d2d844a7c835ccb190fa865d6a42fce0885aa3a1617635be5809cbe6

SHA512
81263c43f8b55fc7a172f68be98d0ef63d07fb0392f78b7c71b8b7e2fb0e35287c7d22a00e6a112e374f776b426c28dbdb6bc275ed79266aa340e8a7a4aa1b40

Download Submit
C:\Windows\SysWOW64\Bjhkmbho.exe

Filesize
93KB

MD5
acc7b484002155778c4531bacd7f5483

SHA1
3cb68eb6375d11113308a6f86fbf1d676a2aec50

SHA256
bd15015f624d4920c23d9078f7a39ccffc633f4da00cbb36bc51d7ba1a51e7dc

SHA512
90a70a7a5782294a7ab217882023f4663412a384f05be746133c3848e1c75955624801547e5e2ee266f9b3fa8ebe5fca74a6efb4f69962bd60816d37d68d1660

Download Submit
C:\Windows\SysWOW64\Bmdkcnie.exe

Filesize
93KB

MD5
0252c1d45b00e451bd62414b3e37f01c

SHA1
a39070164ad415237bf4d3c7b518a747177f226e

SHA256
6e14dd381e114ddb9f64948b412e8b4e19c3a178fa2514a29252a3275d022670

SHA512
404e97e2cd36b918003549aa6a6f108a1adf80af811edababced57b368408b05068e2931455aab218c5583ba130e645e48f3861ec4b5356fa654b96fe6323d7e

Download Submit
C:\Windows\SysWOW64\Bpcgpihi.exe

Filesize
93KB

MD5
5b4818fa98a98c87d752c2a0a4a291bf

SHA1
70ec71e761b2164dbf489d8bbc9cb0502db9ffd5

SHA256
8a0f113e935763972ee87fdacc89c7d946487685f3685d1afb9cb9c189e98c7d

SHA512
e117b0772788ed1c669b56355e432ac8f54e49aad08c2ce4c360b3bceb929bf04cc07fec7dfcd9705a7a1c03160236a3c004fccbe42ba570af7cd418f4f65674

Download Submit
C:\Windows\SysWOW64\Bpqjjjjl.exe

Filesize
93KB

MD5
aad9b99228358b6ee0b53f8917362b91

SHA1
a32fd56d4bd4afc9d5b7e86c47b1a3f6e1260577

SHA256
0e1654a998881377b80a3280d2cadd18db95e14bcbc2799d41548e2148138268

SHA512
153160ec9801b5cbed8a777edae624f2032adb9a5f2488a73b9b67d819a5544e2395ec2a02cbdc9076205e8c6dc44ae348a5b4add4e5a522ce47ee1a9f343323

Download Submit
C:\Windows\SysWOW64\Cajjjk32.exe

Filesize
93KB

MD5
7455f0bbd328a3969069e02ac500ded3

SHA1
e0599270cb08f5d5724e5879fcc22c6892e449e8

SHA256
eb34b3c53b33cb2468bd9f53b560eb82aabcfc5925b208198e9be841049e16b1

SHA512
93893a0b6f8a0efc771b4dc10ffc0fda087bcc56dcb360d3bc22fcd4e0d6f5acd301fc7f3ed5ebba626df60ba548e156b24019c02d1fe7110fa10148e5ca263f

Download Submit
C:\Windows\SysWOW64\Ccdihbgg.exe

Filesize
93KB

MD5
aff9abd92119dceea99143f5a8ba4d82

SHA1
0d303ede71c3993233cc60757299b1e064fa0346

SHA256
d7af8d5466218efc8db7e00a93af3b43224655c086b97010fe13136d7d1d7c98

SHA512
9543bb5030f20891721509598181aa0251fb56446878a688c0ae3f47860dce84665d65d3152780e5c090ad05bd3e3f0bd6b97fbb8c96644949a0aa98e7df350a

Download Submit
C:\Windows\SysWOW64\Cdjblf32.exe

Filesize
93KB

MD5
5564e852fac527af0479ee774e77eca8

SHA1
9777aec7f1b893ced61dcb126e20545c367f124e

SHA256
d0d2fb8a2b7dc71a6c4736a00688c0df6b7d1a54e0a73497301ad84949a25bc1

SHA512
54abf4f0d97d4973fbdd5af6f08d1eaeaf8d587eb049e799e50f735b8e54400488a28c35f7b1ecd4a408181cfe627b70e172d0107771a8eaa20fc55ebc026191

Download Submit
C:\Windows\SysWOW64\Cgmhcaac.exe

Filesize
93KB

MD5
fe99060059b2376c31255bbd7a49ba1c

SHA1
32e8ded2f450412e75246d157635affd8240656e

SHA256
8838b8e47036a696b4cb80eb0b641b19000cb26892bcaca4fbff936c08229f75

SHA512
8fb74165a0471e7ee88a6b30202c9c25267915bc66494b9d9dc1c5ba4af82399b39fb3bf30e473c4d3c6285966be3180ba104943ec383a02c0854d6bee7b04d8

Download Submit
C:\Windows\SysWOW64\Ciihjmcj.exe

Filesize
93KB

MD5
1afecc032e33d227fdd2ddc44aae34ef

SHA1
ca11521e2cf71317a6e434c799a3a6a363f425e0

SHA256
c213d142383c2622000b658fe4fdf0d2d64d6fe6aac1f7a2b224aa0aec7f51d4

SHA512
26d3607581e5583a89098ecaf99054bef684398c54963245ef798c3fb246057983ff65e60fa341a945dd10150555af157ddd118efcc0beac90a44ea81f136320

Download Submit
C:\Windows\SysWOW64\Ckggnp32.exe

Filesize
93KB

MD5
f3fba58beb66a9bbdd5b5588c05a4f41

SHA1
d073b83a75fd6c5de92a7bf253073ebe7a7b99a6

SHA256
96d4d766ae16d9de682a6b572fd0e0c2b64fe0cf7b1b7bbe126b7606956d0e5a

SHA512
06b875128f79397094970a086d48f34bda769d01941f2d0761262d15b752df38e99cfd47a7688301d4390614f8966d89406d675b01eb432883bd13f7cbfecf77

Download Submit
C:\Windows\SysWOW64\Cmbgdl32.exe

Filesize
93KB

MD5
caf58751350f52e3b0e7a0bf7b5f1c28

SHA1
e781876e57a355172277d0779892e7f70c6443e6

SHA256
030ddac49221942ec6b6a40871552d1955639bc4d74c5625cd22b2f23bee8cf6

SHA512
ad2983a8e678507070ed0299f2f0659fa141cab83304df08c9772a42b08be3d7f0d3afe63e94f2a5c62ea49ae1aa21db964313871f26ffca0d4b9f87126a48e9

Download Submit
C:\Windows\SysWOW64\Cpfmlghd.exe

Filesize
93KB

MD5
69de8a2ad1d05fca8dbee47e278083b7

SHA1
4cafe4f28434fb05433deccf57c0eee56fa3705a

SHA256
c7a53ceb552722aef427f63a81f517ebc8ded55e00cbc7fbbd9284b5822f0172

SHA512
2a893e27ec38ae4581a279ac74be768fbe8b114f636b92a6af1b3d4c3563934df3aef534694fe9de6f9411f9f9b4f91d15869783205adf72fbbf84a9ee9774d3

Download Submit
C:\Windows\SysWOW64\Dcffnbee.exe

Filesize
93KB

MD5
648630b7a4e663855c77de4628514d2a

SHA1
d11f4cd93fc1a86a7a93e78a54ab476826020058

SHA256
1f8b29879ba3c0c67601a1bc1c51c5d7a8d5dfa7017ef0773c2f27dbfdd87f7c

SHA512
807aa8385b5e1b80d951afecfde14e043b735e5e390e5a0164df2529053f50512191b722dcf2dd6f0bd697c7cfe692c1bb04e573d08ce57290a78b12588f6beb

Download Submit
C:\Windows\SysWOW64\Dgbanq32.exe

Filesize
93KB

MD5
d3a94de6ec440d52b8926b7bac685458

SHA1
57370d9137099ff5d0ca15c4766ee45fae6658a6

SHA256
68e2a87b2768a4c51f1029599daa3bbec4cc1ce69c5fcba70cc9b3532f605653

SHA512
43e72036e288c83ed42e62ff85d6ca992a06bcd440375eb5f09bc993b5b31e927cff9ad08670f2f912ead0295ec77e9051381026ca5ccba0ceb6c4b575b2f733

Download Submit
C:\Windows\SysWOW64\Dinael32.exe

Filesize
93KB

MD5
77cf166dbcfc14fec0ad0afc0e4c8aae

SHA1
021dcb4a69624eac61913e04d1893b64f95c12d1

SHA256
d595588c6106ac9ecc94e41c67f5ce14bc93f3c283ef4bc41b402deb2d9e1b84

SHA512
8ba56de826661da1b0f12fa2345bd152db141419aa8483dcec30fe1ea57f1556978aa68bd4a686a2978498e89c431465e1f0a6d6548e92831ab4d7b11f55e908

Download Submit
C:\Windows\SysWOW64\Diqnjl32.exe

Filesize
93KB

MD5
7c05f85ebbe6f05a39ec1e5a009448a7

SHA1
9baf825d0961d7a218b539283e79889e060214cd

SHA256
a463c7be50fd364a3b09120b6fdac3dda033d0a027137536ab55d922c8450b2b

SHA512
11d48f453b8458498881a1ab375b0432c5a8107b6e744442f17ce686e260f456b5de72f79b8430e22a7312252d8708bf1674b9ca2b0773e073b6cdbf9a9495a5

Download Submit
C:\Windows\SysWOW64\Dknnoofg.exe

Filesize
93KB

MD5
dabdaef5fbe4f0bd109f75d98120eb8f

SHA1
f7cb3a67d341458585b54a6c438c416578333622

SHA256
3a1698c5bc5fef820f8367648565a420c41f84a0f20d85cb4bc3ee41070adffd

SHA512
8ed9114ef6f93220f1231a0efca1641780371cd3d38971c1383458941433aaf5310f541ee07b9d0356c23bff3a9404d8e4c4139bd4415a65341f4af31897241f

Download Submit
C:\Windows\SysWOW64\Dphiaffa.exe

Filesize
93KB

MD5
ef83a1968b3149a88469e55efb685433

SHA1
6f4a3ff1b14bbd873aba94f31138c7c094e03922

SHA256
03a4d649cc9fd698a2f520eac4ce5a494afd38551c0b1f7dc269a6c0aa4fce20

SHA512
0f4f51e62a1e2f842bb076e2d10412bdeb2d6fffa0377b31057a47d1fc78b9abab6b00246356a1ce8a1fa806821325b644f873f006d8e021c4fdc8ea57efe40d

Download Submit
C:\Windows\SysWOW64\Elekoe32.dll

Filesize
7KB

MD5
b39fa6bae29b0c3c72a70ed900c8678f

SHA1
76bb5816f7daa89df5572b670088b94e2319c500

SHA256
1c46b95e2a5f5232f8988c3cb907ee43665da745aa4286ac2d64b2a0578dfb40

SHA512
aeb24ec9f7c7df5940fe3245178fc94f13f5c49a878bb3a102d0e1a57b05430e949dcb4d293945226a8c3bafdb68f1f5622967abb6770d34b7cb9a4fc2f67fcd

Download Submit
memory/216-116-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/216-210-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/536-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/536-7-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/828-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/828-106-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1460-63-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1460-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1624-226-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1624-180-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1652-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1652-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1672-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1672-107-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1920-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1920-142-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2044-219-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2044-125-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2240-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2240-175-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2288-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2288-161-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2328-124-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2328-39-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2896-229-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2896-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3244-193-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3648-228-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3648-153-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3872-192-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3872-98-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3924-220-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4104-202-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4244-224-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4244-135-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4472-225-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4564-115-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4564-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4696-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4780-97-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4780-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4800-227-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4800-162-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4820-179-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4820-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4956-134-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4956-47-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5044-211-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads