f98f4a0e9e1b79c79993350d192f29eb2f89e57298878dc3d35975d29db8281e

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2024, 01:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f98f4a0e9e1b79c79993350d192f29eb2f89e57298878dc3d35975d29db8281e.exe
Size

448KB
MD5

ea43d7ea16459cf06b1b470cef3b7399
SHA1

949751d2b540d367ec8271cc78ec38dd726ae1a7
SHA256

f98f4a0e9e1b79c79993350d192f29eb2f89e57298878dc3d35975d29db8281e
SHA512

a1a24aaeb5eedeb9ab72ed4a8cf41be046ac8d13c822b5f15b5e17f8cccecbf0b02a5d9c790fa7a055057f2db08dcf8778aafd86bd718c3677a30a59422f42e9
SSDEEP

6144:aMVD01fbBTiGUgo35e/yCthvUCQO+zrWnAdqjeOpKfduBX:a3Wrgu5YyCtCC/+zrWAI5KFu

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe

Executes dropped EXE 64 IoCs

pid	Process
1512	Anogiicl.exe
2420	Aclpap32.exe
3612	Aeklkchg.exe
4276	Agjhgngj.exe
3564	Aglemn32.exe
1320	Aadifclh.exe
1912	Bfabnjjp.exe
3768	Bebblb32.exe
3500	Baicac32.exe
2148	Bchomn32.exe
552	Bjagjhnc.exe
2708	Bcjlcn32.exe
2368	Bfhhoi32.exe
1700	Bnpppgdj.exe
1056	Banllbdn.exe
4068	Beihma32.exe
640	Bhhdil32.exe
3600	Bfkedibe.exe
4248	Bnbmefbg.exe
3996	Bapiabak.exe
3804	Bcoenmao.exe
1292	Chjaol32.exe
3616	Cjinkg32.exe
4880	Cndikf32.exe
1704	Cabfga32.exe
456	Cdabcm32.exe
1584	Chmndlge.exe
1772	Cjkjpgfi.exe
3828	Cnffqf32.exe
5008	Caebma32.exe
3664	Ceqnmpfo.exe
5044	Cdcoim32.exe
3860	Cfbkeh32.exe
2468	Cjmgfgdf.exe
5048	Cmlcbbcj.exe
1828	Cagobalc.exe
4420	Cdfkolkf.exe
5116	Chagok32.exe
3964	Cjpckf32.exe
3760	Cnkplejl.exe
4448	Cmnpgb32.exe
384	Ceehho32.exe
4208	Cdhhdlid.exe
4616	Cffdpghg.exe
3196	Cjbpaf32.exe
1580	Calhnpgn.exe
1516	Ddjejl32.exe
2872	Dfiafg32.exe
2936	Dopigd32.exe
4260	Dmcibama.exe
788	Dejacond.exe
4712	Ddmaok32.exe
2336	Dfknkg32.exe
468	Dobfld32.exe
4460	Daqbip32.exe
3456	Delnin32.exe
4532	Dhkjej32.exe
2932	Dfnjafap.exe
4808	Dodbbdbb.exe
5004	Dmgbnq32.exe
1444	Deokon32.exe
4572	Ddakjkqi.exe
2748	Dfpgffpm.exe
316	Dogogcpo.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Aglemn32.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Ghekgcil.dll	f98f4a0e9e1b79c79993350d192f29eb2f89e57298878dc3d35975d29db8281e.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Ddjejl32.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cabfga32.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Anogiicl.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Lbabpnmn.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Bcjlcn32.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Aeklkchg.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bnpppgdj.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Aadifclh.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Chmndlge.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Beihma32.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cnffqf32.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bchomn32.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4528	3672	WerFault.exe	151

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	f98f4a0e9e1b79c79993350d192f29eb2f89e57298878dc3d35975d29db8281e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aadifclh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlgene32.dll"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmcibama.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	f98f4a0e9e1b79c79993350d192f29eb2f89e57298878dc3d35975d29db8281e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbodfcj.dll"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfjodai.dll"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4444 wrote to memory of 1512	4444	f98f4a0e9e1b79c79993350d192f29eb2f89e57298878dc3d35975d29db8281e.exe	82
PID 4444 wrote to memory of 1512	4444	f98f4a0e9e1b79c79993350d192f29eb2f89e57298878dc3d35975d29db8281e.exe	82
PID 4444 wrote to memory of 1512	4444	f98f4a0e9e1b79c79993350d192f29eb2f89e57298878dc3d35975d29db8281e.exe	82
PID 1512 wrote to memory of 2420	1512	Anogiicl.exe	83
PID 1512 wrote to memory of 2420	1512	Anogiicl.exe	83
PID 1512 wrote to memory of 2420	1512	Anogiicl.exe	83
PID 2420 wrote to memory of 3612	2420	Aclpap32.exe	84
PID 2420 wrote to memory of 3612	2420	Aclpap32.exe	84
PID 2420 wrote to memory of 3612	2420	Aclpap32.exe	84
PID 3612 wrote to memory of 4276	3612	Aeklkchg.exe	85
PID 3612 wrote to memory of 4276	3612	Aeklkchg.exe	85
PID 3612 wrote to memory of 4276	3612	Aeklkchg.exe	85
PID 4276 wrote to memory of 3564	4276	Agjhgngj.exe	86
PID 4276 wrote to memory of 3564	4276	Agjhgngj.exe	86
PID 4276 wrote to memory of 3564	4276	Agjhgngj.exe	86
PID 3564 wrote to memory of 1320	3564	Aglemn32.exe	87
PID 3564 wrote to memory of 1320	3564	Aglemn32.exe	87
PID 3564 wrote to memory of 1320	3564	Aglemn32.exe	87
PID 1320 wrote to memory of 1912	1320	Aadifclh.exe	88
PID 1320 wrote to memory of 1912	1320	Aadifclh.exe	88
PID 1320 wrote to memory of 1912	1320	Aadifclh.exe	88
PID 1912 wrote to memory of 3768	1912	Bfabnjjp.exe	89
PID 1912 wrote to memory of 3768	1912	Bfabnjjp.exe	89
PID 1912 wrote to memory of 3768	1912	Bfabnjjp.exe	89
PID 3768 wrote to memory of 3500	3768	Bebblb32.exe	90
PID 3768 wrote to memory of 3500	3768	Bebblb32.exe	90
PID 3768 wrote to memory of 3500	3768	Bebblb32.exe	90
PID 3500 wrote to memory of 2148	3500	Baicac32.exe	91
PID 3500 wrote to memory of 2148	3500	Baicac32.exe	91
PID 3500 wrote to memory of 2148	3500	Baicac32.exe	91
PID 2148 wrote to memory of 552	2148	Bchomn32.exe	92
PID 2148 wrote to memory of 552	2148	Bchomn32.exe	92
PID 2148 wrote to memory of 552	2148	Bchomn32.exe	92
PID 552 wrote to memory of 2708	552	Bjagjhnc.exe	93
PID 552 wrote to memory of 2708	552	Bjagjhnc.exe	93
PID 552 wrote to memory of 2708	552	Bjagjhnc.exe	93
PID 2708 wrote to memory of 2368	2708	Bcjlcn32.exe	94
PID 2708 wrote to memory of 2368	2708	Bcjlcn32.exe	94
PID 2708 wrote to memory of 2368	2708	Bcjlcn32.exe	94
PID 2368 wrote to memory of 1700	2368	Bfhhoi32.exe	95
PID 2368 wrote to memory of 1700	2368	Bfhhoi32.exe	95
PID 2368 wrote to memory of 1700	2368	Bfhhoi32.exe	95
PID 1700 wrote to memory of 1056	1700	Bnpppgdj.exe	96
PID 1700 wrote to memory of 1056	1700	Bnpppgdj.exe	96
PID 1700 wrote to memory of 1056	1700	Bnpppgdj.exe	96
PID 1056 wrote to memory of 4068	1056	Banllbdn.exe	97
PID 1056 wrote to memory of 4068	1056	Banllbdn.exe	97
PID 1056 wrote to memory of 4068	1056	Banllbdn.exe	97
PID 4068 wrote to memory of 640	4068	Beihma32.exe	98
PID 4068 wrote to memory of 640	4068	Beihma32.exe	98
PID 4068 wrote to memory of 640	4068	Beihma32.exe	98
PID 640 wrote to memory of 3600	640	Bhhdil32.exe	99
PID 640 wrote to memory of 3600	640	Bhhdil32.exe	99
PID 640 wrote to memory of 3600	640	Bhhdil32.exe	99
PID 3600 wrote to memory of 4248	3600	Bfkedibe.exe	100
PID 3600 wrote to memory of 4248	3600	Bfkedibe.exe	100
PID 3600 wrote to memory of 4248	3600	Bfkedibe.exe	100
PID 4248 wrote to memory of 3996	4248	Bnbmefbg.exe	101
PID 4248 wrote to memory of 3996	4248	Bnbmefbg.exe	101
PID 4248 wrote to memory of 3996	4248	Bnbmefbg.exe	101
PID 3996 wrote to memory of 3804	3996	Bapiabak.exe	102
PID 3996 wrote to memory of 3804	3996	Bapiabak.exe	102
PID 3996 wrote to memory of 3804	3996	Bapiabak.exe	102
PID 3804 wrote to memory of 1292	3804	Bcoenmao.exe	103

C:\Users\Admin\AppData\Local\Temp\f98f4a0e9e1b79c79993350d192f29eb2f89e57298878dc3d35975d29db8281e.exe
"C:\Users\Admin\AppData\Local\Temp\f98f4a0e9e1b79c79993350d192f29eb2f89e57298878dc3d35975d29db8281e.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4444
- C:\Windows\SysWOW64\Anogiicl.exe
  C:\Windows\system32\Anogiicl.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Windows\SysWOW64\Aclpap32.exe
    C:\Windows\system32\Aclpap32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Windows\SysWOW64\Aeklkchg.exe
      C:\Windows\system32\Aeklkchg.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3612
    - - C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4276
      - C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3564
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3768
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:640
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3804
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1292
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1704
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:456
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3828
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5008
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3664
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5044
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3860
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1828
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5116
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3760
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:384
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4208
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4616
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3196
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2872
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4260
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:788
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:468
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3456
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:4532
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5004
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1444
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4572
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:316
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        68⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        70⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:3672
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3672 -s 408
        72⤵
        Program crash
        
        PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3672 -ip 3672
1⤵
PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
448KB

MD5
e1f76664bdc3ac48353b505b646c34f6

SHA1
e3d1223d286b38e64379d6baf8df3bb08d596d8f

SHA256
594e098e5a19225ef7a1fd0a1d0761f30222552fc3b18c7dced9c7ed7b11ff20

SHA512
f27769c8e14ed03dedc03200103dcb8098a36d1bfbb411694cc97763a0a7daaa5df37cae939aa678ea86e9b64635c23d283b26798162d0144f7bba91f20b7121

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
448KB

MD5
8b16788accca69a87d5ff70457bbf301

SHA1
a7346be1f6c8716a812d6483ab214fcef13030bb

SHA256
8c854fad5a3af6ad526430de7b6a85004d0461ae084ab52a33c8d68a2e464dcf

SHA512
0a3137cc7266e026301d6a2b341339f4b7d6a8d5f1d443081c3eafed62daccaaa13c9c506f39848f2bda93484e05506b0625d267377a1850e05e765faf8cad33

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
448KB

MD5
8b323e0840b0d81c7ba251824ef72704

SHA1
df3aa9a29632b7275ec355fe4028297cc1458c3c

SHA256
b11f53d5f5be26ca3fe256e1da94bced569cfb0d6db774caa6fef7c166d0cab9

SHA512
a4de6edc1b1bab2cf304fc56af364e9d7f26a4cae5d90e17bfd7bac3b3651163ab19856998cee8316067986ddf66bf411a080117c5d82d4947680d2c7fa67870

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
448KB

MD5
ff1819041c04e677a28a914544b5b526

SHA1
d72e133c52c6665a9a3d81da6be9017aa15f4283

SHA256
a9130b10ce784f46e9d8640381d25401337eb6edd1773d567041891a0e5888be

SHA512
94394119989399cc8ce2c8252f74123467637db0fba4a9cbddbdc57e825fdb92617b3c3ae829afe44fc4755741384c62f17afbc99c2c00167fee86e9e1b4798d

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
448KB

MD5
b5152118fee9e09202c98d854708ebfa

SHA1
ae64207126ab783ec5a113659dfdd926b591ba3f

SHA256
4db66625a796c679db237bf349b51064188016f35c2244854fae6d9117484df1

SHA512
330a24a56c68cd140048b599ed2421caeb1253af0169c3d52572d5eb95508d0f583f296f9e4761d25c9595508af3a2caf39a6b98669292ee1fb8ce4661950897

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
448KB

MD5
324eb3aaa2b19099757d0f3d112f9cdc

SHA1
4ac80596c779c6cfec3bd09072e8db8ae33b33c4

SHA256
64a873d3cd84b350694466a47334be479c253b48b9cf35141946d573f9518dd9

SHA512
b57fb46164de5357f59682797094de6ff58bff8f2d0fc809c22a2aeb21b0547f49f0c088edaf59076e30457bdcf7c1e2a261daf4ac7f49ce6e5f6eabb30e5d52

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
448KB

MD5
b236c75d38b4468b07c93111ce2e2e74

SHA1
fb3a1ef1ab7c0bd289f522135f981056021b9df5

SHA256
5463b2183879c663a7b805d8f58230c2e22464fc35c9b11178cae89493ef43f2

SHA512
38ddf9fdba370dd2e0c328b215590f97427bc24ae6fe225670570cd261d6bbbdebc9065de2526ca11a2a4a50bf02f5afc7a29b62f7e6b13b81d4b21a261acf3a

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
448KB

MD5
c34653f18ecbd4c5867d6b00a98f6c27

SHA1
22aefa5b99c50ab9801018b9b9874d20c8ba74f4

SHA256
40190e509807418194a631a2a79c5fc56af62fd35ea3f90fe1de66f99e70a299

SHA512
5e0049e00ae286c48cf0702a9750bd77951466b06d14d3ee3464b31a8ff565deee166eb618d33641568c7e05cefe59394cc43c81a7d191f180d00c3a5d7bff2b

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
448KB

MD5
9aed42ba0b18dbdded42ef742c843739

SHA1
017c76045d1022c48e19a2a5937878c397061894

SHA256
85990cde15bca0a3d87afa1844bc7e5b2f78d3d479bb6bf0aeef01e88ef44905

SHA512
d3bd006746d658c53aebc0967667e71b5dfd98532cb9991eecc9ede08688739f9fba8d6a9abdc87a0c9397d9ab1358624c260776e218ecab5de09cdd5f586cb2

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
448KB

MD5
90339532b68c7ae4dfd4466d4d7c48c5

SHA1
bb518bfa6f4738739e2e51f4965e81428d7b6a2c

SHA256
087fce66a7b8239c7faccb296eb6eba0177fced5f78dfcd5322c15c117b78348

SHA512
860b386421ec7fe7305d559f44181f1e065d6d4f4b5d9fb2046b8a5be3b034048c04bb0b47829d52e1d82e63ce008c2d829769f5c62246445d9a3f54dc88054a

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
448KB

MD5
4173a40312e3619c9fbef03cc951f1f0

SHA1
c41ef00a65850a2cf5e15ffc51bf4fcffbab036c

SHA256
e8eb4cb7c5952625bed22bab1f75c6bd219149acc2e81eda5a0feaf56dc89f6d

SHA512
f0710d1fd7ad0ea013db462f6e20f719476446f05c5ae2632c6dd47a9755cc032b4ea8e627be2f40fa870dcafe27d8143f34020f30f640a00c5005eec2ec1c21

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
448KB

MD5
39a0d26456ab7376c31110fd80462412

SHA1
f58a98dad3aabda1bf927911cc3269bb9b16f718

SHA256
e641e3dc336c061033b0c236759713ea83019c8aab612b5f3e303c652366f640

SHA512
d8ce2c82bbd10f2bd9b1c0e11d6f9a17c4aba9c37bee94fadc3cbf86dba342330bf06825a3bcbd96a6474ea715b58ea8269a13a9107e835c80e21d1a432c55a6

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
448KB

MD5
06b8c8d20a9f285cfa9ae747bc22301f

SHA1
6e4a54b3ae531c023525d1d029efc579e5e4e7a3

SHA256
4348c0df7c3d75bcd510594cb03a2a68ed0903499392bb17185ea83ff2cbc582

SHA512
857345241180bc23b71f95c088bd6b61c59c1086a7912e3f9e727a840b073934d4e9a16a2d4ffc788ba899f38933d6bdd243a06610f239501a7102c2dffc17e4

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
448KB

MD5
8b30ae8df1ada446cc2f7b6bccdc80eb

SHA1
0437e54df4726ea07a43712baea284ee1724daba

SHA256
102a25ef11ead1c5d593f57f575b27e34974c55ce32c674b41655340311c275a

SHA512
b18c039b58c679671b3eb0eb005ac3ced8cfd778f1f95c89ad4db66266fa3ed0e9df2d4370ec4ed41949d7b8b17c53c94fa54b8b79eecb9d7201bf1c5f78e43e

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
448KB

MD5
79c42896278a07e88af51e8426451fa6

SHA1
d20486e8705d40d6592b6a42faf179479585e3ed

SHA256
369392ee4cebc1b1401e5052d8c86732b65b00e2f8b50a99e706fa37a20cd38d

SHA512
268b7daa34fb7044b38b26530afcd6f6bd8b91efba1f6935e8a50c81019315b67aad920ff5188c0957848596e183672afa18135417fcb6ed8ab915a46e578ca6

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
448KB

MD5
8e132dddc081264cd858c1cefaebbf17

SHA1
b632f941b3f95c038f1b46ea084bdc1684db848f

SHA256
da4e9d05928e3b74433c26aa7119b4df1d47bb02349647fda6587f7492fd7061

SHA512
12b4fbe8c9d3b7ad50b58398324c2fbf37e5ec23c74410d6057b71f8c80d8412c13e1331109eb2c56561e84a0856e7afaab2a7aa2aa6465872f15a9d19aa6448

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
448KB

MD5
17988f05aa652db76fb179fb10f735a0

SHA1
3873a1ff004d5b5213f906153457c7476e9ba30c

SHA256
af297cf60efc1d8252d8cf20cf462eb538c095440fe5a4694a3ab82806a3d804

SHA512
943d00acaee8e8ac5be9a64e499a890d72a5cb0c86ab72481a89d942fb01810affc6228937be488f9a7ef159fa357aac6842da0b0c45517f7df8c65946a34008

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
448KB

MD5
3035e42ad8fd856e34e488f8353fa0bb

SHA1
61e797902a22892e67ddf2c7eda9a2782316697d

SHA256
776cca51c8c5b61d17cc791abac034c19d11fdac7f7733f86f4b46b696e62078

SHA512
863bebf9a6f32ba8fde17934b2a0b878bcf321320447122a9b67da942ce9b199f6cda1096966e745214c4e3c080263a3f4a7395112355118a3e7a3f922a38860

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
448KB

MD5
b2b20578ef36a00737b755ecb408968a

SHA1
db76201907ea8836ef1a8d12dda5440b2c294355

SHA256
a481b0786d577cd05381cc8353e2c44675a835daa7dfa504db9eb74f0c23fdd1

SHA512
d5ab61d9c325661bb9d3e6a0f6183e039a0ce1bde8255103427691388cc0be7f0f727c1f4237949bb5796b0644b68cd98ca7117ab29ffa9245ec8df862cca6a7

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
448KB

MD5
d4ddd9fe40160d4253b03b87c874868e

SHA1
058f2fcda8c11e12ec710b9784302695cf07996d

SHA256
de4dd4563571f1ed4bb161fc8166cbbc9574996d94b4724393c570ee343c6bd3

SHA512
c1f2c90aa6b1f5d9a2436820b07a2fff6d6f4f457445a0d7738bcf32eacd0cd7ddab9a6780a8a55e914a07fc951673b038a90875bccb1e628dcef294b4acd1f2

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
448KB

MD5
6f8ed783a214ed92390c91ac68e5f2a3

SHA1
12a9087ae7656373744bdb7ce61a718f519985d7

SHA256
b66c689f0df75d623ed0884447d2c6f8c9b803954d4a019189e5798ec3bdd6a4

SHA512
9f85a488d9a26e2cf4b844cf77802b187f48f96c362fc9a4ef5ba149a1196fa24d3063a52cfaa94484a72ea74d2a4c5dc88acced46feabf2c889da4e30fa33c4

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
448KB

MD5
eb73a41d3a59e93b3a1d4489f72992a9

SHA1
280e9928a203e8e4d89ba5984be9216b91408c9d

SHA256
0acd411ea89a95d5ff28cb899cf66232f77f6679ab72f6ea40c86d3fec1e108d

SHA512
0c08f3029ccf68661765b2edc572f63d3bfe9d1f27b3dbc185f58a0c56b360f0798a4690f3e10ea95e371e67f51420465196e3c9daac4a9488b17b74e18fbc82

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
448KB

MD5
5231356ea5eb3b794aabc3fc73ddc1a8

SHA1
86ebf5112903100b45092c07606a6325933ec0b9

SHA256
d74043174b38c9b6abd33740ab9cbde30f5d71962d94d908aaad60b168653ae2

SHA512
d9210a71ca00be476313db5bb5bdf40926a9f7efef00c02e95e0227a4d7e46df45bc0ba1b36b002b4bd842f48b54efc8fc40bf936239b806acceda7f22d1dbbe

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
448KB

MD5
7211008300ac37f66651ece8630fc009

SHA1
002a2efa9fd667b5b3fd1b95cfd567c48fde8df4

SHA256
1424d6715b1c00677bd5433039772e705fa69a2dd91892a05ba2de1f26569a7d

SHA512
6445555e748e4fe0915f2737a0e7a5c164db2faa8969979963be1ee9a192590feb847596efcac19109ac82c5dc0f2df94ca2e09caa2423705629f6cda9ba2fc3

Download Submit
C:\Windows\SysWOW64\Cdcoim32.exe

Filesize
448KB

MD5
42ad7637c90c7daf1053448cbf48bdc2

SHA1
c7a3dbe82eea4a86b4bdfb9e43040e0b13ce7c03

SHA256
f811f52692a4344ecaf355e6daa1d8eae6b8aa5931e335ab1dcdf2bace8aabea

SHA512
5c1c66104390d0c96269428e9a8ea11481d0458d7dc4567696c42b926ec6aebb9749d1491caf250baca0363b47340f46c338eeb241eb078fb9c0f2c80c2ba78b

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
448KB

MD5
9a615524eee7ff22a0ec74bdb68d7e08

SHA1
d19b3e69cbe0be0c05ae7551a8362a29a08fc4f2

SHA256
4817a68862bffa907403b5428a316c0f652d3347169e7be15e8ed22947ad8f5e

SHA512
0a14a14b86e1a6d8961218b649b65fca20557f91bde568f29b411e1f6edb1443689767b376f8d16e7b4e4a6e8f17e0d2a4da95fe808d785e21583ddc07a38bc4

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
448KB

MD5
c062fd94dbf1d4282de4d539628c07a0

SHA1
47c130f12a651203ce6d6585004b773901287ae4

SHA256
edacc4e986c1eb125c425fa20b4aec863dde78016bf0272f798faf37debf681d

SHA512
af679b1a8eb72c2abd5951aeb6f7d8f66aa8dbd82804abc3bce5c568801d9f72c7a5ece3ae3629183441d683983906e8a079913ec17e22a7ceeedb2aeca660cb

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
448KB

MD5
35124ab54264f25361a531af3a733f65

SHA1
15a2bf0999bef515f24743acf90c7d20aeeddaed

SHA256
4f56c856628ca34b958b93eb47acbf567dce0376d7886b1da125b4274ba2fec6

SHA512
899782d19fedaa7ff642653d2d3bc7c08aca3e0ddb429505bbbd7488d235499c7bf368a1b1e2bd583d3eab0894da062511c95d24394d5de5c2615be1d2632b1d

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
448KB

MD5
3c52ef7257c1acfba36d5e1773463259

SHA1
2bff4497da30871d1203fdec9e327d0cee8c7e64

SHA256
f88ee4cf3f891dc3042d0d5952b376b93d7983dc2ce12b4d6609547dfd92bc8c

SHA512
52b225ed5777ceb1006e1ea2bd258eb2dbb1fbc03f0b0d6f453f04b88d3bf0a8813991bdc3a7bdb728f462b02fc0e5f010c41dc729a70875f617a442e3d84f34

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
448KB

MD5
1d7e042b17d1137a1ab7a3fa1e24c1bb

SHA1
fefa128f4f14a73804bd0e120c16effa4a643489

SHA256
d02461f7e42caf748ceea56cc768ca2d2d35c5a18dc6a49cebc0b1f099cbaafa

SHA512
34f000725612eb7386f55e17291da78701085938c4165fd302d7b6974e81af0a996cebe46655354ac348b302d789fe3c358e29a59e81191db4901cf6786e24aa

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
448KB

MD5
728717971f93d7f9ee190b67aee7b67d

SHA1
ec61e23879817756337bce86b89d6a86d567bd61

SHA256
6afa62250113be0cb7cf11bda28faa69c72cece495e7967a74887b1ece62a824

SHA512
c51776bae96dce2dde78a6fe9a76d46c67775321ac542c3b88920c2d28911288f2dae34e0560fbf89ee26200927f47758d892dcde1c45a529fad2f86bd7109c2

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
448KB

MD5
9509f5ec7747851623ae0c78dde73ef4

SHA1
c5397afe40ef127ac039555796b2af42fa02561c

SHA256
3f65550ef0b1fcd17164413bc0e0cd8005fca59b02fd796b5b5d68fe99dd6c32

SHA512
c823d6f3b1593a8ef47445310b58ed1aa1e15574bf9d987b714dd75cbcd396fae377c9208d6038cc7389b320d843b8dd90e4f00f524fc8089acbe55805448a67

Download Submit
C:\Windows\SysWOW64\Mnjgghdi.dll

Filesize
7KB

MD5
cbbc43ac31026e1f9051df35aada68fb

SHA1
4009587f5490a204ba17ee45251732b2282cf86a

SHA256
1816cd10a71cd2843541789deb0e8c9a17df02ea2eefb141787ac78b4a5ccf09

SHA512
b35ed53279b590199cec50cc07ce12924480c5b8850ff84104e80632e1acc2b0ef8ed0d4d345e6732319ebdde8dc45ffa4b6aa907d1d8e622cfa94f03a81bf5c

Download Submit
memory/316-481-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/384-459-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/456-443-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/468-471-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/552-491-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/552-93-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/640-434-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/788-468-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1056-432-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1292-439-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1320-47-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1320-494-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1444-478-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1512-7-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1512-89-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1516-464-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1580-463-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1584-444-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1700-489-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1704-442-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1716-485-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1772-445-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1828-453-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1912-492-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1912-56-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1948-483-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2148-85-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2336-470-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2368-431-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2420-98-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2420-16-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2468-451-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2588-486-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2708-490-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2708-99-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2748-480-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2872-465-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2932-475-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2936-466-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3056-484-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3196-462-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3456-473-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3500-77-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3564-39-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3564-495-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3600-435-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3612-112-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3612-24-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3616-440-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3664-448-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3672-487-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3760-457-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3768-63-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3768-493-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3804-438-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3828-446-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3860-450-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3964-456-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3996-437-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4068-433-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4208-460-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4248-436-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4260-467-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4276-488-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4276-31-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4420-454-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4444-84-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4444-0-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4448-458-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4460-472-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4532-474-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4572-479-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4616-461-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4712-469-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4808-476-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4828-482-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4880-441-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5004-477-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5008-447-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5044-449-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5048-452-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/5116-455-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads