231a8820ead91bdd4b7802206b3ea615aa00c2765770ef80351bbb99aee0fd9d

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 03:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

231a8820ead91bdd4b7802206b3ea615aa00c2765770ef80351bbb99aee0fd9dN.exe
Size

56KB
MD5

1bc4d6573f42ce73c78a0457ebf9b7c0
SHA1

f2b8799abf69e05e26d2554e0f2a4857fcb6cbd2
SHA256

231a8820ead91bdd4b7802206b3ea615aa00c2765770ef80351bbb99aee0fd9d
SHA512

87e06a8d5c4b993672417b67164086ffadfc16f902831f2f25fccf2e234fde5564d1455705284c25f5d29b003e960b65f3b22b945c773ab40397d1e15b4dd6e8
SSDEEP

768:+TaFm9NIAegdNhNFjyvEAUFBSLaqbP7XaNJlR4j9XdmzRy/1H5TufXdnh:+CqIIdNhfjR5BSL/z7q5R4j/mzRwA

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adgbpc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	231a8820ead91bdd4b7802206b3ea615aa00c2765770ef80351bbb99aee0fd9dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cagobalc.exe

Executes dropped EXE 59 IoCs

pid	Process
2244	Qgqeappe.exe
3408	Qjoankoi.exe
3504	Qqijje32.exe
3932	Qddfkd32.exe
452	Qffbbldm.exe
4068	Anmjcieo.exe
2672	Adgbpc32.exe
1048	Acjclpcf.exe
4788	Ajckij32.exe
2848	Aqncedbp.exe
3480	Aclpap32.exe
4212	Agglboim.exe
3916	Anadoi32.exe
2424	Aeklkchg.exe
1760	Agjhgngj.exe
4740	Andqdh32.exe
2332	Acqimo32.exe
1560	Anfmjhmd.exe
3696	Aadifclh.exe
4844	Bjmnoi32.exe
2652	Bagflcje.exe
4356	Bcebhoii.exe
3876	Bjokdipf.exe
2836	Baicac32.exe
1232	Beeoaapl.exe
2176	Bgcknmop.exe
4232	Bnmcjg32.exe
2484	Bmpcfdmg.exe
3112	Bgehcmmm.exe
3992	Bfhhoi32.exe
972	Bmbplc32.exe
4308	Banllbdn.exe
1636	Bhhdil32.exe
3380	Bhhdil32.exe
5100	Bfkedibe.exe
3516	Bnbmefbg.exe
4228	Bmemac32.exe
4856	Chjaol32.exe
4680	Cabfga32.exe
3708	Chmndlge.exe
3208	Caebma32.exe
440	Cagobalc.exe
3180	Cmnpgb32.exe
4240	Cdhhdlid.exe
4956	Cffdpghg.exe
1300	Dhfajjoj.exe
4592	Dopigd32.exe
5048	Dejacond.exe
3088	Dfknkg32.exe
4732	Dmefhako.exe
1948	Ddonekbl.exe
1684	Dkifae32.exe
3192	Dmgbnq32.exe
4092	Ddakjkqi.exe
4600	Dkkcge32.exe
4496	Dddhpjof.exe
3076	Dgbdlf32.exe
404	Doilmc32.exe
3644	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Cabfga32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Qjoankoi.exe	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Aeklkchg.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Dejacond.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Chempj32.dll	Qgqeappe.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qqijje32.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Qciaajej.dll	231a8820ead91bdd4b7802206b3ea615aa00c2765770ef80351bbb99aee0fd9dN.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Qihfjd32.dll	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Bqbodd32.dll	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Agglboim.exe	Aclpap32.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Bmemac32.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Doilmc32.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bmemac32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Adgbpc32.exe	Anmjcieo.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4272	3644	WerFault.exe	140

System Location Discovery: System Language Discovery 1 TTPs 60 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgqeappe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	231a8820ead91bdd4b7802206b3ea615aa00c2765770ef80351bbb99aee0fd9dN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfgfh32.dll"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgqeappe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmdoo32.dll"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agglboim.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkmlea32.dll"	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmemac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	231a8820ead91bdd4b7802206b3ea615aa00c2765770ef80351bbb99aee0fd9dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	231a8820ead91bdd4b7802206b3ea615aa00c2765770ef80351bbb99aee0fd9dN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	231a8820ead91bdd4b7802206b3ea615aa00c2765770ef80351bbb99aee0fd9dN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baacma32.dll"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chempj32.dll"	Qgqeappe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeklkchg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 2244	5096	231a8820ead91bdd4b7802206b3ea615aa00c2765770ef80351bbb99aee0fd9dN.exe	82
PID 5096 wrote to memory of 2244	5096	231a8820ead91bdd4b7802206b3ea615aa00c2765770ef80351bbb99aee0fd9dN.exe	82
PID 5096 wrote to memory of 2244	5096	231a8820ead91bdd4b7802206b3ea615aa00c2765770ef80351bbb99aee0fd9dN.exe	82
PID 2244 wrote to memory of 3408	2244	Qgqeappe.exe	83
PID 2244 wrote to memory of 3408	2244	Qgqeappe.exe	83
PID 2244 wrote to memory of 3408	2244	Qgqeappe.exe	83
PID 3408 wrote to memory of 3504	3408	Qjoankoi.exe	84
PID 3408 wrote to memory of 3504	3408	Qjoankoi.exe	84
PID 3408 wrote to memory of 3504	3408	Qjoankoi.exe	84
PID 3504 wrote to memory of 3932	3504	Qqijje32.exe	85
PID 3504 wrote to memory of 3932	3504	Qqijje32.exe	85
PID 3504 wrote to memory of 3932	3504	Qqijje32.exe	85
PID 3932 wrote to memory of 452	3932	Qddfkd32.exe	86
PID 3932 wrote to memory of 452	3932	Qddfkd32.exe	86
PID 3932 wrote to memory of 452	3932	Qddfkd32.exe	86
PID 452 wrote to memory of 4068	452	Qffbbldm.exe	87
PID 452 wrote to memory of 4068	452	Qffbbldm.exe	87
PID 452 wrote to memory of 4068	452	Qffbbldm.exe	87
PID 4068 wrote to memory of 2672	4068	Anmjcieo.exe	88
PID 4068 wrote to memory of 2672	4068	Anmjcieo.exe	88
PID 4068 wrote to memory of 2672	4068	Anmjcieo.exe	88
PID 2672 wrote to memory of 1048	2672	Adgbpc32.exe	89
PID 2672 wrote to memory of 1048	2672	Adgbpc32.exe	89
PID 2672 wrote to memory of 1048	2672	Adgbpc32.exe	89
PID 1048 wrote to memory of 4788	1048	Acjclpcf.exe	90
PID 1048 wrote to memory of 4788	1048	Acjclpcf.exe	90
PID 1048 wrote to memory of 4788	1048	Acjclpcf.exe	90
PID 4788 wrote to memory of 2848	4788	Ajckij32.exe	91
PID 4788 wrote to memory of 2848	4788	Ajckij32.exe	91
PID 4788 wrote to memory of 2848	4788	Ajckij32.exe	91
PID 2848 wrote to memory of 3480	2848	Aqncedbp.exe	92
PID 2848 wrote to memory of 3480	2848	Aqncedbp.exe	92
PID 2848 wrote to memory of 3480	2848	Aqncedbp.exe	92
PID 3480 wrote to memory of 4212	3480	Aclpap32.exe	93
PID 3480 wrote to memory of 4212	3480	Aclpap32.exe	93
PID 3480 wrote to memory of 4212	3480	Aclpap32.exe	93
PID 4212 wrote to memory of 3916	4212	Agglboim.exe	94
PID 4212 wrote to memory of 3916	4212	Agglboim.exe	94
PID 4212 wrote to memory of 3916	4212	Agglboim.exe	94
PID 3916 wrote to memory of 2424	3916	Anadoi32.exe	95
PID 3916 wrote to memory of 2424	3916	Anadoi32.exe	95
PID 3916 wrote to memory of 2424	3916	Anadoi32.exe	95
PID 2424 wrote to memory of 1760	2424	Aeklkchg.exe	96
PID 2424 wrote to memory of 1760	2424	Aeklkchg.exe	96
PID 2424 wrote to memory of 1760	2424	Aeklkchg.exe	96
PID 1760 wrote to memory of 4740	1760	Agjhgngj.exe	97
PID 1760 wrote to memory of 4740	1760	Agjhgngj.exe	97
PID 1760 wrote to memory of 4740	1760	Agjhgngj.exe	97
PID 4740 wrote to memory of 2332	4740	Andqdh32.exe	98
PID 4740 wrote to memory of 2332	4740	Andqdh32.exe	98
PID 4740 wrote to memory of 2332	4740	Andqdh32.exe	98
PID 2332 wrote to memory of 1560	2332	Acqimo32.exe	99
PID 2332 wrote to memory of 1560	2332	Acqimo32.exe	99
PID 2332 wrote to memory of 1560	2332	Acqimo32.exe	99
PID 1560 wrote to memory of 3696	1560	Anfmjhmd.exe	100
PID 1560 wrote to memory of 3696	1560	Anfmjhmd.exe	100
PID 1560 wrote to memory of 3696	1560	Anfmjhmd.exe	100
PID 3696 wrote to memory of 4844	3696	Aadifclh.exe	101
PID 3696 wrote to memory of 4844	3696	Aadifclh.exe	101
PID 3696 wrote to memory of 4844	3696	Aadifclh.exe	101
PID 4844 wrote to memory of 2652	4844	Bjmnoi32.exe	102
PID 4844 wrote to memory of 2652	4844	Bjmnoi32.exe	102
PID 4844 wrote to memory of 2652	4844	Bjmnoi32.exe	102
PID 2652 wrote to memory of 4356	2652	Bagflcje.exe	103

C:\Users\Admin\AppData\Local\Temp\231a8820ead91bdd4b7802206b3ea615aa00c2765770ef80351bbb99aee0fd9dN.exe
"C:\Users\Admin\AppData\Local\Temp\231a8820ead91bdd4b7802206b3ea615aa00c2765770ef80351bbb99aee0fd9dN.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Windows\SysWOW64\Qgqeappe.exe
  C:\Windows\system32\Qgqeappe.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\SysWOW64\Qjoankoi.exe
    C:\Windows\system32\Qjoankoi.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3408
  - - C:\Windows\SysWOW64\Qqijje32.exe
      C:\Windows\system32\Qqijje32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3504
    - - C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3932
      - C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3480
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4212
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3876
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2836
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1232
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4232
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2484
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3112
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3992
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:972
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4308
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3380
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3516
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4228
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4856
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4680
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3708
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3208
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:440
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3180
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4240
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1300
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4592
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3088
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4732
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3192
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4600
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3076
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3644
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 220
        61⤵
        Program crash
        
        PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3644 -ip 3644
1⤵
PID:3140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
56KB

MD5
8aff76ac37ae4bccc9ec8ef42dee1200

SHA1
a95f40cb61745531a140a698b928530338632fa8

SHA256
593d45cfb106fb477defe2e5553fc2fae7dfc1a7c5ab50fc76c9e199f8a91dfe

SHA512
8665148a7b50d4969e2cadc0b4e9a7c171b15ab3588d7c4d73ce4e79884e51b24222569d3ccb03a02fdeed0bd87fccd95d30f09e58d5f80dc9ea22bef02d00d2

Download Submit
C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
56KB

MD5
fd4fd048a38de1b44b8627c8b7a3a0e2

SHA1
90ca112655ad9d3c928e314231c4184eff963476

SHA256
cc00e2a36943b596a3a62ae9e9caaaf3f20355a4f6d60fa380a89f30aba38871

SHA512
da1ee95912d4e94789885f38695d7dbf92bd05ddc740eaff423a266d65fc80438180da79e425e5d46014c8524d5e6a9f8d00db21816beab6e186a632a4a06feb

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
56KB

MD5
a028924952fbd854cd373d9a8eabe2d2

SHA1
140c094dba4869c5da1d38e964a5085bbf121bb0

SHA256
decbef2802c3f9d5fe03367c007eb52c1f923e9042957db2f649b58d83b8e9e6

SHA512
319e367865cc89e5effc7ba920f180d31fd84e1e9543089acde894cb255642587d553ad5580b2589f7e5d83a0c9406a90c0df00a2b365b85d761fe9497ce5a36

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
56KB

MD5
457d7f2514a328b86385ea278f80e8be

SHA1
d06ac047e6af084cb9ccaf3832453eeaadb3c4ab

SHA256
1ffbc2f0ac4c2245ed4d2dd455cfae25a6126af0d516ee8ff47e2ad9306f7d8f

SHA512
8a9443b6ad59a397d0098c71872dc74b980811efd098dff30a5b4ca51a4dd43a62d04cc1112432f3d0c7c25a7524a92deda62f56e12f59078704074e284d7ec8

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
56KB

MD5
c4a608b26b7e901e8137bb9ea47289e1

SHA1
f7a17ea22bd27354a4a33751bd2871b55b5e687a

SHA256
caf1479e9f3ff7adb0f8a58d95ef3f08cdb1f5d650922c007660b8316b355bfc

SHA512
15ed1d68d25f4df6bf90337d4b5520e4d9582fe0c601ee4bd2606c4ba2de8411afd0b183f2bd15e13791b95cc75a60f20de3533a147d0ba2d8ae2d5fedfbdb49

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
56KB

MD5
270de6438b08bccf55e4c977282a5042

SHA1
35d5aa197a602c161759399d591b973819d08188

SHA256
6e20d630d73216c7e89435d31ff7a628f8e88d1c34da591674e1521baff59473

SHA512
407173fee39589fa7356da5a1313dbb846e629cfa60c6ee0ead142e0050232fa6525bc28cff65dd83fd9d6b86c1e8fb8d32c3b2e020051783db03ffc5629a9b5

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
56KB

MD5
16cb312611ad1574f15ec46261847e32

SHA1
16624d00aaa8238b8e8055798c913abfb8cc376d

SHA256
0efb17035f3e161289f320b3b28d35833dd8b2c6dba4ed20b736e97e0a9cf788

SHA512
be03785994a81867b0229a7cb6fe941c73b64bc5731171004044f7404a192f395910035ead0130d96f448a5e0742c5575d3fe867c587b11f62403fb82ada4c0c

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
56KB

MD5
6f833e9a004d177da32ecd05e19861ac

SHA1
a30750854f5f0a714c0b9f993dd89f10955ad743

SHA256
9004565efbced078778d33e75f3fee43557bd7762d520f5b5f52a4c796d242b4

SHA512
eca73e9603bb33e66f2e39200f1d7adb9b6e7dd5910c910d99cedcbc4ff0b442613cf4116f615063e8160d389003405d21717e422d88915d668b391b22e40061

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
56KB

MD5
6442d9806c38c99e29535fc0af82e2b8

SHA1
99b8abaf8fa35deea20a90e09788f1f0f6114791

SHA256
4c5d45a22477ec7e96f949a6d210af08213b205e04ce7c0e80367d0a169bb42b

SHA512
9e5ef8c91f71e8783ba6b9814ff948208180c1112b653177cea3d0176d4179087178f4d346803ab595c32ea3e399b49b7309666bf60adce4de15a07b4e25ffa6

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
56KB

MD5
05e33ff464c086b1cc99f8b703f5a31b

SHA1
f3e9461d84ee3df50d619630d1bea3c400955c93

SHA256
a4a2831ef587ac56c534bffe4b4ffe0c475464a37720e1c1430923df7320d080

SHA512
228d99d4e7eb7d7d290ff913eb3fa04a9ae5fb9d372b74a6b75aad7a4832e53e75354975bcfb36d0068589c4ae93bef1f50044cde48490436cbc7f32f5291a59

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
56KB

MD5
85197aec36b72ec59d672705b284cd49

SHA1
0eb2071328b3dcfab582fee71ca0b8ec40284319

SHA256
627f48400aad77730176f548f29487c4d6c68cd43c11947b1cbbba370168f2d1

SHA512
41c160df3ad4ffea2c95164fc04708fa9557c0cdc3a3156840bd9b0e2281c8cd1fffb1e60ff84a515ab1c1aed55125ff9e8bd04f045a4083027c10019346974a

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
56KB

MD5
70235e152737360b3b8862e160e63953

SHA1
66f8c11217cd961ae6c49e9bb543a65109db5015

SHA256
1fde0498515dfccaf96287e25a26562ccffd98456ef64f498a9f8a8479dd8a7e

SHA512
a68dfaab8edacc252983a9f911c15fe934c735b78968bcd9088df33d67df25f3f3a3692f40ac6e535da69d8b6bf73cce2042a033c79fcc9fc833c759debc0f96

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
56KB

MD5
a7d968e7bdd14a103659b5f468cde344

SHA1
5a70d2ce280e2c91236aebfad66ca3e54cd8022d

SHA256
4be42f5891f8f2d3e7129f2031f95d9b7dabb60f2d8822914feec5c739f8f9be

SHA512
e10cd46ba9f2d3df39d986e69ca15ae6676e0b2dd1c6878571efcd67a0c708be7b561e5509d845102cee19aa88504e708cc4b3c1e676fdb46f9b8168d0024540

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
56KB

MD5
df26e116f0dcc7948f30002a4065748c

SHA1
e2f99cfad53110a67c1c2b37103262431f9df5cb

SHA256
f30624d2d8ede269886ec917f86849d6c57cfc4b9d187c7db34a69732d2f5679

SHA512
1ca1c71caee5c66987d6bc6c2db4bf669acf9f885f87d2fb79328db9cd11dc2ed27fafc93aa22ffef82d270cb6056f05b20d24b696710d410ab3ff214e440ea7

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
56KB

MD5
f00804c5a9c9c632d83900bd0dc192bc

SHA1
28f7ca17e9b2583c9ad8372a9dd1310524244f8f

SHA256
1ece451607477a86bd8b8cf52400abfe685b3ce53fd8bb10b32dc44438f6d4fc

SHA512
d43659aafa457783d2d0d4cb5e231f24d3923a81165ef3dd61f08319b9e39b444448be054b2b52c7978eee4c36a33f1ea6eaf9ad0c567bd41ed8e6f72e0a5a29

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
56KB

MD5
31fbd4f3b9e65b500d43f86fa57bb8fb

SHA1
ae7fb4f7a5310c76a5eae44b8de2e2ab9d762bed

SHA256
e0422c3c1b7b0f4156f535cc1ca9c89291ea8ef31b8df1d554576772678d8ef8

SHA512
f662beb64167800ff8fe6d333c84ebe1d20341da91ff687c9bc5d7e774b383900e8d78124cfacc37a5f5480db41491632b877f263bae084bf22c6c6670d2a6c6

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
56KB

MD5
7252698c5df64cc6c5cee8bc557f37ea

SHA1
d267a23ddc034ded99365745ca01db1bb91d946a

SHA256
316f8ac0cd64688d768e3c385fb4efd53177d8f14f006cfe32fc17c6daa4d84c

SHA512
251557fdb595c9716c1bba11af739ec84bd2e468272a6fcd78d47d727f43e35bffe866634273b2d3a2a908235a7dbd6a8683e956f3c41b33782de0762374553b

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
56KB

MD5
b7f1e594e9710b5b46790ee1658c693d

SHA1
7f283a044870af36ef8246cc76c578bbf8e55681

SHA256
b551e52aa32bcfbf482f25f054b4b9cc32456b532ac200b8c97e809dbbc90634

SHA512
6d21988a07060e900a3f1a84d8c4cd6c73dd740c6e0d28409a39cbe3fa27d5576847751cfd476a5caff02e416ddbb87e093584c0c58a159a8fdee9e9732c02a7

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
56KB

MD5
99047fb69d579cb95215589310611d95

SHA1
4284d57914076f505b26e754036f12938af6be0a

SHA256
d685f66eba264643555030b8b2fb9c1f5eb7c31615e00a6bc2f363fbb6d52e18

SHA512
440774d97e8543685a2b5bf95178da9737279aabeb7070dc532a7cc8e855db649fd2c3833cbc75e92a996fefd72f9856a27893bb5e4b62b47e2f1caa938cb4d8

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
56KB

MD5
2703569dc2778ad2185ed034c7c94633

SHA1
a693cd1f14173373882dbd0e396744c5c1224e56

SHA256
7047fba5b63d5fcdb31856ff8ca95289cadd78c520b37008c4ea5dafd31a0bc2

SHA512
a84d535175824367d052bc064e5efbc4769962c8ab7a5bd0f89d254b42b12fc20e1906cf4222a78201160db64b72cef904c344342ce2f9f80ec63fb3c0870d63

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
56KB

MD5
ec4acaf96d5f86bd086cc4aa177e7aee

SHA1
9bc23bd3c9c76799e07d4d7210fa46af075a0432

SHA256
77e82ccb1dc1906ca154a8bbbf74511ea46ddfe6cc1865720afbe88a5c11ce2b

SHA512
a4d67dd737b9e2efaa10cbf32fd73dd8b0fcc34443b9d5f664ceb4475e76b58e283a6668bd260fb520d429bdb9405ed721157a5e03a7c1cc1cdb90b793d3bc2d

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
56KB

MD5
69157b0ed6fc94b9b207e726ff7c40bf

SHA1
43a5c6b85c855cb19ddcf8ce430f910656b87362

SHA256
b1946a7443def7dd8af3df85d33c99c79187108baa3ae9bffbf9cfba25564554

SHA512
c1435e301d4ef334b0b26571bda4c4d9890c2d77f137070a505e8cf004e37db6e335417e635091f3e0404e1fdba49a5b84556a5cc5353668e82c489bf8d16861

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
56KB

MD5
709313094f219433b8125afc37ed273a

SHA1
d49745e230f61f93e026326601a09c33387c3443

SHA256
ca822ae1415e54d67ed2d87b2f0fa4a4962a51a5b55225a7c32436d6680477a7

SHA512
d44771518ee5f03603e7f109eb9ff65d7d1f696a706919e6ad5247aa39643b2ba209266346f542ce09aab7b52f549b5799790d24264eaea632d33662372bbc05

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
56KB

MD5
dc6bc96fb24d14f43e6363c7b11fc057

SHA1
07c288cef1262c4fa252e24020f12c9e56f1f4c4

SHA256
025590d660d88a358687637dbf54baaaa7e0d3d1c26efd000670556c5a937a21

SHA512
2cf0127c061c73e5354d5df855c0b02dfb4af34a9e5598dfcba6b593d04d2883772f4922fc0fb9be8a09a003294f01bf8141627cd102babf78bcdbdb2b93b6aa

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
56KB

MD5
ec96f8e880c5f9027bc2074da645a18d

SHA1
980a44023b55eafafd823e458c6106a57990afb5

SHA256
d45eba6cba48816e80efa2addb4e11da6c89106f1043e2e5ea538885b9b2ead3

SHA512
bb11c29d6258642ea2738ae6c67eb7eab34cfcb9a4cc2fac5bc3db46990ab45496ee524a4a726464b8df68d8455f1d8f8e4f1eb706de4c15f84d30b0d740d752

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
56KB

MD5
8eedca505db92b8191597611a5adea3e

SHA1
c91a9a14960cf9c855440c7f54999330ef88599d

SHA256
7a6d14726e3fc64444da00d75a7316f99adc8ca86be7c72cf258635df735a5ed

SHA512
13b57abd40880d9b221f8897578c52c738af00b1a5d11ca84b97d51e9fe31805cea0a1815c306ae84060f68db11c925d22dc483595f6c1a538113e6981736d02

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
56KB

MD5
6f350b7a6ee230e2f4a0683eb80680d7

SHA1
e157d742f068774ec5b93b4c476ad2bb913c1423

SHA256
29210bfac7ecdc11867688fea13e14101cc087aec26b3a72b3ae29472a14d91a

SHA512
61a4752a214e564698e5ae6465547825e02aa001eaecdf6ce40eeae351b1dabc41b806cd4512ff75458e361855736cc17a7cc153e4d8ed4ca5bb55ea4d9c385e

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
56KB

MD5
4d7e7c5187a7ae8f56d692e4db6bffed

SHA1
7d335fe62511afc52c2f7985e5755c6c7abf8df5

SHA256
2be60e040a1e4e867c0ba7c991a1d103a1f496a3c74a7b033e1fc48a011f7a5b

SHA512
07793c3b3ebcc5abe2f7823b436400d85b6d8025c5e349109a3119e09ceca09fcf954787ba4357dae20e3168dcda44b72f7fd0a9b0bb1f264c057288c9f7a59f

Download Submit
C:\Windows\SysWOW64\Cmnpgb32.exe

Filesize
56KB

MD5
4d7869ac6da3842e2ecef730076e62e0

SHA1
22a00f9c2132bd5d9998ba052e3e04d7e0f4e790

SHA256
58697ae2e30626b20d86e0e284791acb46470bc37924c85c588824c975092973

SHA512
024375a877bf11e53fccb2bb1fd0852077ae3667588b4fb7e0add26b54c369ff86a3666c12d8a0e8d08d158c2b8483e9ef9a84bd42d1bd75454e1d6f90bd81f1

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
56KB

MD5
f2051bd84bec0feed945e0632ee5f1e6

SHA1
01d7a42bc708e80391a61a8112d1f3e797d9e4fa

SHA256
f128bc02dbd75b82c8bce1601a9f8b495e68ca2cd505ebafd445d3abc231c2eb

SHA512
b1d297f2b4fb4d1055ede92753c3fae4864949e29afa431c5cf52173b8fcfd8b916e85e3351b77ee5774b051ad182e3268e3c8ae39fbfa58b9076ea28c60a1a1

Download Submit
C:\Windows\SysWOW64\Dkkcge32.exe

Filesize
56KB

MD5
4b1aa17dd63d63289636fc77d195892b

SHA1
650b0f25007f182eed127b44723fd04309a75442

SHA256
5e315abff8ccf1cd8451f723d7af349d5e187841a1ff9595bf893d002ce443e2

SHA512
6e3b5498f4bfd8de61687b7b29ff3e4ec4d599a5f1c4cc32b33684a6696465f13dc8dc47c6ed529ae543281c259b13344a454c4f0162b2baf6f80b98eba9f18f

Download Submit
C:\Windows\SysWOW64\Doilmc32.exe

Filesize
56KB

MD5
777608c41f142bd3ee96f3c179629734

SHA1
8069406c7968ea6f07792af213c411921c52bd06

SHA256
98582ff45831b2d1866d5539b67f4b28ae61abf7c16296d466583f1bc1a82237

SHA512
8a144d2352810bdbed001174b91b0c7a4674bcc69edc699e722c770481cc080152d91e2d65a6a07c0378d6607562a9403e3317c380ab9d1a8a39617f34c16a77

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
56KB

MD5
af76bb970b6d344a812b0b5ba44a2232

SHA1
5a9cfdae08ec3e212816bcecad56652c68d17674

SHA256
6d5479111bfb143dd78fe2545cfff0ae79bb93df3a46e1118681fbeffa000896

SHA512
c9c2833f8b364057d38b1a76debb0faa85a8545276d7dbaff447b17b54e9fda38f4e9f307970e6936d8513fdce0d031b6a2b6cbccdf0668d927a51dd66c1cd32

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
56KB

MD5
08a25848271e97a249ed30154ad88bbf

SHA1
2dbedc2477f94fbddb6e66ad12c76ee5f469cba6

SHA256
47b33e4b9f95fb26e3fd43d3fb489e97e1643ee3b64e603c6ddda17dbc179b10

SHA512
203ef3d729467313f33cb8e31cf77f28d11a7ebef226f440552482653700d4fe274eb3c8de85d51d8f0195a848643dc4d5b5017ae316469c937f59fa4e3d2667

Download Submit
C:\Windows\SysWOW64\Qgqeappe.exe

Filesize
56KB

MD5
f03ba88a0dca13db6636c3014b32882f

SHA1
1cfa3e7696ca36273410d0a455e902d598ce78d3

SHA256
7220a3b56190ecdd9c53bf9c719fb90c50ac2ecb48c64b065d9808fa0f18564d

SHA512
0d83f4d512a4a7e9f09f59b14f5c4b9f2683b0345cbdd359e681b4c1fee346fdecc2f413626c553b370df49f56349613f36b9cbf7a1e595df58cb15d886ce0dd

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
56KB

MD5
fc5504a212a42834244650f3e54f3f6e

SHA1
bf1e850dfa37396b5d15e7ea39b68432f54309f6

SHA256
1b44c30e47c57ec584718b1165eae4f193711b4e5af961dcbec646139afdac6f

SHA512
08c0678716874d83faf5ca50460c5c4abedb0bb8e37746bdca4716b575427477f0a08c5a8c94ebe0f635decdce82aa09c2560090bd138a71efca501739c50bcf

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
56KB

MD5
24ab27aa1594ac7f3ffe8ed46d23790d

SHA1
45a5a675c39ab4109e12b02bf99fd18a3c72f457

SHA256
2f9c8129b15e32e16e26c1fb29124a63fdae04b79235fdd515fe94a396cbcaef

SHA512
90c8e11843e9d059f9297c3266765af0bb0a1890b2d3e8fe122b4d79c5055446f201870cb2f7a2dd92b145c3f30958ace4990c57984afb0ee164795f18064b7e

Download Submit
memory/440-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/440-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/452-125-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/452-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/972-270-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/972-333-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1048-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1048-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1232-294-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1232-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1300-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1300-434-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1560-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1560-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1636-291-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1684-407-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1760-126-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1760-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1948-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2176-230-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2244-13-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2332-238-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2332-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2424-116-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2424-210-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2484-313-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2484-242-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2652-180-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2652-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2672-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2672-142-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2836-212-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2848-169-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2848-82-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3088-386-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3112-257-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3180-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3180-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3192-414-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3208-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3208-399-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3380-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3408-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3408-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3480-89-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3480-178-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3504-106-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3504-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3516-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3696-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3696-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3708-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3708-392-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3876-197-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3876-290-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3916-196-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3916-107-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3932-115-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3932-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3992-326-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3992-261-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4068-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4068-133-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4092-421-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4212-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4212-187-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4228-307-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4228-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4232-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4240-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4240-420-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4308-283-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4356-282-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4356-188-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4496-435-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4592-372-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4600-428-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4680-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4680-385-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4732-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4740-134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4740-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4788-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4788-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-170-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4844-260-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4856-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4856-378-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4956-427-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4956-359-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5048-379-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5096-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5096-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5096-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/5100-295-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5100-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads