8d1f3cb69d8ace69bf4f6353614ff07b28635b96b601eea6797893a983b4d68c

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-08-2024 00:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d1f3cb69d8ace69bf4f6353614ff07b28635b96b601eea6797893a983b4d68c.exe
Size

93KB
MD5

599f2e748d122f4edd0131603aef0143
SHA1

6618cd01c93868054ef2cd292db1f3957ba92b05
SHA256

8d1f3cb69d8ace69bf4f6353614ff07b28635b96b601eea6797893a983b4d68c
SHA512

64d4e2232404ce8774991e9a273efea38b607c4d208e2d358de622efb164531ea0a69848f4ce76781fb630702ab7a2b5201803bdf8395f0ac77b63c3245bdac4
SSDEEP

1536:uj/3YqWwRuiVKVYd4nVFSGy0cQ0z6uGPjGZPsRQ+RkRLJzeLD9N0iQGRNQR8RyVd:2JWmZVKSd4VmwuSFe+SJdEN0s4WE+3K

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	8d1f3cb69d8ace69bf4f6353614ff07b28635b96b601eea6797893a983b4d68c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	8d1f3cb69d8ace69bf4f6353614ff07b28635b96b601eea6797893a983b4d68c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Balpgb32.exe

Executes dropped EXE 60 IoCs

pid	Process
3240	Qddfkd32.exe
216	Qgcbgo32.exe
3216	Ajanck32.exe
3364	Aqkgpedc.exe
1684	Acjclpcf.exe
2036	Afhohlbj.exe
1936	Ambgef32.exe
3132	Aeiofcji.exe
224	Aclpap32.exe
1280	Afjlnk32.exe
412	Aqppkd32.exe
2408	Agjhgngj.exe
984	Amgapeea.exe
3900	Aeniabfd.exe
3940	Afoeiklb.exe
4788	Anfmjhmd.exe
1604	Aadifclh.exe
116	Agoabn32.exe
3088	Bfabnjjp.exe
400	Bcebhoii.exe
4172	Bjokdipf.exe
3544	Bmngqdpj.exe
4748	Bgcknmop.exe
4676	Bnmcjg32.exe
1308	Balpgb32.exe
2188	Bgehcmmm.exe
3892	Bnpppgdj.exe
4524	Bclhhnca.exe
2508	Bhhdil32.exe
3016	Bfkedibe.exe
4316	Bnbmefbg.exe
3668	Belebq32.exe
4764	Cfmajipb.exe
5108	Cndikf32.exe
324	Cmgjgcgo.exe
512	Cdabcm32.exe
2540	Cfpnph32.exe
3052	Cjkjpgfi.exe
4924	Caebma32.exe
1408	Chokikeb.exe
1404	Cjmgfgdf.exe
2192	Cnicfe32.exe
1244	Cagobalc.exe
1172	Cfdhkhjj.exe
3484	Cnkplejl.exe
3192	Cajlhqjp.exe
3916	Cjbpaf32.exe
2764	Cegdnopg.exe
3032	Dmcibama.exe
540	Dejacond.exe
3972	Djgjlelk.exe
2648	Dmefhako.exe
1988	Dkifae32.exe
1984	Dmgbnq32.exe
4104	Ddakjkqi.exe
2208	Dkkcge32.exe
1508	Daekdooc.exe
1512	Dddhpjof.exe
1832	Dgbdlf32.exe
4604	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ooojbbid.dll	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Cjmgfgdf.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cagobalc.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Afhohlbj.exe	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Jlklhm32.dll	Afjlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Agjhgngj.exe	Aqppkd32.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Hjfhhm32.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Ibaabn32.dll	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Bjokdipf.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Aadifclh.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cmgjgcgo.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Qeobam32.dll	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Balpgb32.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Balpgb32.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Aqkgpedc.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dejacond.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Ddakjkqi.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dmefhako.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3800	4604	WerFault.exe	145

System Location Discovery: System Language Discovery 1 TTPs 61 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d1f3cb69d8ace69bf4f6353614ff07b28635b96b601eea6797893a983b4d68c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	8d1f3cb69d8ace69bf4f6353614ff07b28635b96b601eea6797893a983b4d68c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibaabn32.dll"	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qgcbgo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmmmebhb.dll"	Aclpap32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}	8d1f3cb69d8ace69bf4f6353614ff07b28635b96b601eea6797893a983b4d68c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aqkgpedc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 3240	2752	8d1f3cb69d8ace69bf4f6353614ff07b28635b96b601eea6797893a983b4d68c.exe	83
PID 2752 wrote to memory of 3240	2752	8d1f3cb69d8ace69bf4f6353614ff07b28635b96b601eea6797893a983b4d68c.exe	83
PID 2752 wrote to memory of 3240	2752	8d1f3cb69d8ace69bf4f6353614ff07b28635b96b601eea6797893a983b4d68c.exe	83
PID 3240 wrote to memory of 216	3240	Qddfkd32.exe	84
PID 3240 wrote to memory of 216	3240	Qddfkd32.exe	84
PID 3240 wrote to memory of 216	3240	Qddfkd32.exe	84
PID 216 wrote to memory of 3216	216	Qgcbgo32.exe	86
PID 216 wrote to memory of 3216	216	Qgcbgo32.exe	86
PID 216 wrote to memory of 3216	216	Qgcbgo32.exe	86
PID 3216 wrote to memory of 3364	3216	Ajanck32.exe	87
PID 3216 wrote to memory of 3364	3216	Ajanck32.exe	87
PID 3216 wrote to memory of 3364	3216	Ajanck32.exe	87
PID 3364 wrote to memory of 1684	3364	Aqkgpedc.exe	88
PID 3364 wrote to memory of 1684	3364	Aqkgpedc.exe	88
PID 3364 wrote to memory of 1684	3364	Aqkgpedc.exe	88
PID 1684 wrote to memory of 2036	1684	Acjclpcf.exe	89
PID 1684 wrote to memory of 2036	1684	Acjclpcf.exe	89
PID 1684 wrote to memory of 2036	1684	Acjclpcf.exe	89
PID 2036 wrote to memory of 1936	2036	Afhohlbj.exe	90
PID 2036 wrote to memory of 1936	2036	Afhohlbj.exe	90
PID 2036 wrote to memory of 1936	2036	Afhohlbj.exe	90
PID 1936 wrote to memory of 3132	1936	Ambgef32.exe	92
PID 1936 wrote to memory of 3132	1936	Ambgef32.exe	92
PID 1936 wrote to memory of 3132	1936	Ambgef32.exe	92
PID 3132 wrote to memory of 224	3132	Aeiofcji.exe	93
PID 3132 wrote to memory of 224	3132	Aeiofcji.exe	93
PID 3132 wrote to memory of 224	3132	Aeiofcji.exe	93
PID 224 wrote to memory of 1280	224	Aclpap32.exe	94
PID 224 wrote to memory of 1280	224	Aclpap32.exe	94
PID 224 wrote to memory of 1280	224	Aclpap32.exe	94
PID 1280 wrote to memory of 412	1280	Afjlnk32.exe	95
PID 1280 wrote to memory of 412	1280	Afjlnk32.exe	95
PID 1280 wrote to memory of 412	1280	Afjlnk32.exe	95
PID 412 wrote to memory of 2408	412	Aqppkd32.exe	96
PID 412 wrote to memory of 2408	412	Aqppkd32.exe	96
PID 412 wrote to memory of 2408	412	Aqppkd32.exe	96
PID 2408 wrote to memory of 984	2408	Agjhgngj.exe	97
PID 2408 wrote to memory of 984	2408	Agjhgngj.exe	97
PID 2408 wrote to memory of 984	2408	Agjhgngj.exe	97
PID 984 wrote to memory of 3900	984	Amgapeea.exe	99
PID 984 wrote to memory of 3900	984	Amgapeea.exe	99
PID 984 wrote to memory of 3900	984	Amgapeea.exe	99
PID 3900 wrote to memory of 3940	3900	Aeniabfd.exe	100
PID 3900 wrote to memory of 3940	3900	Aeniabfd.exe	100
PID 3900 wrote to memory of 3940	3900	Aeniabfd.exe	100
PID 3940 wrote to memory of 4788	3940	Afoeiklb.exe	101
PID 3940 wrote to memory of 4788	3940	Afoeiklb.exe	101
PID 3940 wrote to memory of 4788	3940	Afoeiklb.exe	101
PID 4788 wrote to memory of 1604	4788	Anfmjhmd.exe	102
PID 4788 wrote to memory of 1604	4788	Anfmjhmd.exe	102
PID 4788 wrote to memory of 1604	4788	Anfmjhmd.exe	102
PID 1604 wrote to memory of 116	1604	Aadifclh.exe	103
PID 1604 wrote to memory of 116	1604	Aadifclh.exe	103
PID 1604 wrote to memory of 116	1604	Aadifclh.exe	103
PID 116 wrote to memory of 3088	116	Agoabn32.exe	104
PID 116 wrote to memory of 3088	116	Agoabn32.exe	104
PID 116 wrote to memory of 3088	116	Agoabn32.exe	104
PID 3088 wrote to memory of 400	3088	Bfabnjjp.exe	105
PID 3088 wrote to memory of 400	3088	Bfabnjjp.exe	105
PID 3088 wrote to memory of 400	3088	Bfabnjjp.exe	105
PID 400 wrote to memory of 4172	400	Bcebhoii.exe	106
PID 400 wrote to memory of 4172	400	Bcebhoii.exe	106
PID 400 wrote to memory of 4172	400	Bcebhoii.exe	106
PID 4172 wrote to memory of 3544	4172	Bjokdipf.exe	107

C:\Users\Admin\AppData\Local\Temp\8d1f3cb69d8ace69bf4f6353614ff07b28635b96b601eea6797893a983b4d68c.exe
"C:\Users\Admin\AppData\Local\Temp\8d1f3cb69d8ace69bf4f6353614ff07b28635b96b601eea6797893a983b4d68c.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Windows\SysWOW64\Qddfkd32.exe
  C:\Windows\system32\Qddfkd32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3240
- - C:\Windows\SysWOW64\Qgcbgo32.exe
    C:\Windows\system32\Qgcbgo32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:216
  - - C:\Windows\SysWOW64\Ajanck32.exe
      C:\Windows\system32\Ajanck32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3216
    - - C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3364
      - C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3132
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:412
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:984
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3940
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:400
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        23⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3544
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4676
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1308
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2188
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3892
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4524
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2508
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4764
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:324
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:512
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4924
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1408
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1404
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1244
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1172
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3484
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3192
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3916
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2648
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4104
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1512
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1832
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4604
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 408
        62⤵
        Program crash
        
        PID:3800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4604 -ip 4604
1⤵
PID:3656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
93KB

MD5
d44849ff6dbc9bbbec5b46ced3903639

SHA1
3ca6573feec712f20cce11566a0bf45c1ca741d8

SHA256
6a84070a75d277ae0321be553191844cac4cd4ae3dcb3a560faeb3c4188c5998

SHA512
771a28dc87dee1405bfad28c84275dd72d8adf01b9ee0f300040433247ef2ffa7f57a352802b70e688de7c966214cee843d1c68179dd66f668e967ce4a98888f

Download Submit
C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
93KB

MD5
2b85b534d60a323d863921d87e200b1b

SHA1
1dc5009dcd914f96bd21438f1ac3027adff38a56

SHA256
2d628812514e1af639fcc091f5d613502e357ea47cd33de7d73bf4959b77dc89

SHA512
f84352ca06bcf4ab033440603928a5b1fc2382d396790754d149dcf8136ae836908b6ca47196f73d9ebaced754db4159a34011a37d953671ce753211ae44260d

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
93KB

MD5
0e124b92e56e95d5187234d66af3472f

SHA1
8dea31149b410fcf17f24d5d9256b546138aa0e6

SHA256
552e91a0175397975b712a98f375fecd443a98f9098eb61cbe0e73be21708483

SHA512
ed1c054d57e31aee1bdc2cee57b888be4a8a199e77679477fb03babd174b7be5f52a597c546c0f1780446da086ec21cbc58bb956591b9c5d709fb8f607fbd8a0

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
93KB

MD5
a116856b0e51f20110e8dd24e44884d7

SHA1
43ddc33a78ee51448af66c2be3a4c8137c94d2a1

SHA256
8fac2c155589321bfb9fbe99dc3f7d91ec6102c2b62e1455115b85eaa3eac8e0

SHA512
f287aa94d672c944437d080416fc1b4378433137104522b47093aaf2b6c478d59b016b268102266da026a17d51d44e87d19a0495ed66e606ad6a1fe330c3873b

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
93KB

MD5
36c4cb74a0558f8b420e59f6e2505ea5

SHA1
37d98ecc61fbcafd377e2f2cc7f56557172871f6

SHA256
a29fb379e6a364f401399fa0db6261be3b74e60c3525bba3ff4d92c7f5eb6f2a

SHA512
f86f38df378797da296388a815fc23f1edbcd7e53afa3567235eb7450d935efa84cf977f266e4f086e4afd7ca9c978eae54acb2a133e1b86f03a92d1d88a0f56

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
93KB

MD5
f3b5fb2ab2e9228778ef77669a54901a

SHA1
f3d93a5bb98b37bc1eecff7e6175d0c4d611dcf6

SHA256
9356ad095bb53df2e9cec62da93be91f54674c07ff2472cfda251523bd1491ce

SHA512
902f01c9014809c8bc88437000c76a66539c994f742bcc2450ebf91fcaf9f4d04dd4c8da703116869ebaa668eca24e22355a26d61f149d1a4c7a20a635585a84

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
93KB

MD5
178a6735bb5fae4fb9d6875a7304cdaa

SHA1
4c5eec24bfd10251d2d53edb893c3571551f3e86

SHA256
6694fdebe13e07702c498035fa4d2272458194faef5eb54c5451dfcf87e5bb1d

SHA512
a471f789af63efda08e5bd404b516ba6b6a949ddc1091bbcf0ffbf0897be7c404d4abad4ac1f0528a8984ac062e1a4cc4023d8df77be80e4be26989dfb501a78

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
93KB

MD5
6c917d417c031e82d7e8ea4829cee4b1

SHA1
99216f3a2977f1bb854f6406264b48d8a9fbe520

SHA256
ac8a7e67cccec66d8f45226cba0f2da85b769ed756a4ae37625b0c623a1e14eb

SHA512
f45cc91d97c8d045ed61a0b28a4a0306b82974a54b0afb0771fe58c1f42c5f47ea532b184dcdf1b1da771a7c358037ca1fed130e82e65b22d3d589ac01644267

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
93KB

MD5
01e0b6059bd087ba5ba8802b3fec64f6

SHA1
4f61ed39c753286a05d0515edfb692610347920b

SHA256
7850c5dabe999a9d60029a4b29b9cc6ce521239eed5b9e907306b6cebc465c81

SHA512
bbaa48a871b288ea54bcccc438e431c02335553833e86b59a0ae4a754bb5962829520c4e1ed670b53bf3b7b60b2992d561ad1ad5c8e9eb57066ec16362de2302

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
93KB

MD5
6f0cfd075ca67b9e3aa12c32db034889

SHA1
b99c53f28a485dc01aa64ab10fa7a7c654e6b6df

SHA256
2d3bebcc1d84282b1498b69edb6c04cad1febdfda8b138c96950224ab2910a66

SHA512
91650997ec0b66b9f953f6e2581d951cff91a6366d1c8b69dd102e24137f648ebc856459f590e97099ee4c2cc8ea1d0b998634210b18ed07c4cb8dee1c026541

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
93KB

MD5
7a89d6f2e632701b28e0be6d55f6ce86

SHA1
d63f4115c3c511af0b3651f19b3ccb337cf0c0a6

SHA256
865c49c3c3bdc2642a2e02efcce5a76909fbae838d4b7541aaa03da457028103

SHA512
bb52bf1c144bfa71f4a45c85c2a94c78a05def711dd6c50a9fb23937e52686b2c9249e0e8cf025d2e114009f7eb3e9651e4a5e179d6bb7bb1b48f2d230c09b8a

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
93KB

MD5
d3f71598c9b76f90c4ba85a50f4180c5

SHA1
36b82b2c8b2eac33c15e81487a0d480a66e43cf5

SHA256
003498a6e391f160f494ea4df4a7e1ebc1f7a87e59666957542be30d2f94af73

SHA512
2ccebf78b0659a7770cde8093e1292ff019e6432db25c5eed636a53f5812226b6af5000bca481d67936e094a1e8e3cce24f713d255668931154f6a52b86e215a

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
93KB

MD5
7013d1acd84ae255fff746292bd6f915

SHA1
76409d1be0d8c38074c91a6a9e468123da8fc576

SHA256
8c2e277ea6127ac80b010ab8c8716d818d7e4d29915944df0c4465cb209ba8aa

SHA512
ff3bee337710173a4b6af5a5dfd5bd83dc01c3f2396f337755fd030222cef664fb604b56e8277baa22e2b78a110462fb54cbcac7f02c238a3d7a8d5e2d3bc0e9

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
93KB

MD5
87ace2afe571922f4182a6e94ead765d

SHA1
9c97fa9918375e1163195c793d179261991ae615

SHA256
14eaaefc4cd5d6433e36bfb0f43e5b948300236b8f78dc8e97c2c859a9b68402

SHA512
a27b58aa1954658d2489257a57be7efb9b34a42f673afddd4692da1b58208219a74d9e9d71d6c7b24db10d11380e13112f0e48655b1c9f88e5e8e4d0eef905cd

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
93KB

MD5
f55ce070cd2923820babe7ebd2e8cc6e

SHA1
b00228138cd4825e22901df750c7422633f2dac1

SHA256
773473e680d2f60f8c44913abe4f4a1b45305f4348d65a07c90dcef905875e04

SHA512
a0358d04696b4fd8174a749f878065a87ba28d8c3b2d99aba43a162dd0bddb4aaea6835c5c0ea1d5157eaa67caa9a255326a1f9436a1a15d004cbb9543098d63

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
93KB

MD5
4002e425c1a7db336b47f67c2cb46531

SHA1
b85ba2b3999678410313c3af289099748f5f119a

SHA256
a1928ac25084fa774b0427f16225f90b442713ac697d30fda5d2e0fbc3521d18

SHA512
328948c0bcf6d07a5276b66c590cee3f615804877ff75303e74b232f7154b360afa05e0c98ff1324a4b1e47697c4bb5aa8373a12652f1bede72ef3864d9b17c7

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
93KB

MD5
12427c5f730ca8b52db51e217186413b

SHA1
50fe9975a680652d4a8f23bfc491a2f6c3526639

SHA256
b49612ccf37389d9d8b6299c9119d2783e6463985b2ddd1aca5aaf5a8107a3ba

SHA512
133198a92c362b04dc1421624bc88ac3eb880b764b0a53caa32ca12528d20a5ca8af22a82c35c152ccc78a98a68516b9742eb3faeb3aa5ceec6478e163bfeb6a

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
93KB

MD5
d4f605ad6f2e5269baae4d800261e219

SHA1
fff7216b7f00d609376c561b3113da1692255791

SHA256
aa7b26447d2e00ecf9e5b013313b4dc6e60624feeb65310cf011579baf6cb4eb

SHA512
a4328767b2580a3ddc438a9e788f425cf0196339110e03ebddbdce042fdef8629399e88e76a00d835f76cacb15ab4ac817d133c14a13aad2faa16c3464b82278

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
93KB

MD5
daccf4e4a913278715675e7b84a10155

SHA1
79378d56bd2d444b42bae5cdab183f1f94c33a89

SHA256
4c32c4b2ffe8b9d6207fc57ddd87c3c81f0f79cf63abdef77e07ed27c33de543

SHA512
e2adffc8114bfe1c5b527ba9ccdecf1ffa130820ab8e1a5d51d457aa2a3e9b2f895796f87f4d4db33593e3bc64da519ba78b34fd9427aacc1e8a1a4ec4f9f4a0

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
93KB

MD5
7d95e04d042a9d5b5ccada08fc7aa53f

SHA1
24494f6147d728e7d2bc11f4876b4be6121f830d

SHA256
28545af75bda082edd5b75064009e250b697ddf26c49fe6e7b87c7103d760da7

SHA512
9bf5e2206a5c9b6a1386a213e80e54b30ac3b80de3b6dfd6e8dd4fc1fdaa363a87fe1ae9a5503b0307b735a2fa4c73d4728778f0f08852e0adc85c7e72aae039

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
93KB

MD5
906f5159f58a631932026799cdac4a78

SHA1
badf838165e5cabb37a0acba8d90617312f6194b

SHA256
ab2926ea8d07119a585aa0b55455741492ecc59a11c1d2b252685b7349e0fb67

SHA512
474465ad9246e81286814c1185ec0e0a1370973f759334cd700a6c663fafe9ce12c40aecb0fd46880e7c5bb3089cd630db2cb6e290d5c5f72805841c52324df1

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
93KB

MD5
fd8cf550598b9837ff0f6ea87929345e

SHA1
c7404c9466f5165c2dae16b54f0948602016f779

SHA256
eda5f5a2ee5f5ada2e4fd90ea39103dcdfcff5ea237e9dfb657ce404fa100d49

SHA512
9a4f44b4e80c04ada71b4e6b650b8c9489bd48a7a4a12aaa6fb4a65b08cb303ebe9faf753e9367dd3b45e8fe56f4985d9d4589a109a42037ee241bd632a85e58

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
93KB

MD5
00b6146127499a9215b3a8c277860576

SHA1
3dddc47a5200a887927cf3a4f82a50709b6bc875

SHA256
174a297a950118b67c8ae33e60e60047b04544bda95e6c5a3ede4f439c3025b1

SHA512
b7ecdb099525c291e48fda98b7d2aa4a540a1368d84372d45cec76fa71d1c3efe8bb1a1457cb834d3c47ff1da46a1966a0b23dfbee6ac579aca8bceb9efa3ef4

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
93KB

MD5
15c417296fe137659196a2cae663fc29

SHA1
5c05abfd34939bd8172052ae01060b0f131fd3d5

SHA256
734b9ef9d8296e05713cf8c4919247467a1b9bebcf798af83bd35c5b0835569d

SHA512
1f1ed355912a3f96f4357727d68b0fdeee494841d01a2eb5134e5155ab6b5c0fcb0e1ac3d907df7841e1cced7c7e192bb98e7c82b6fcde357a309c9f24a1b6e5

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
93KB

MD5
6fd9ccf929d4cc045536d260bc760992

SHA1
c4ef2c1aa0b2d0dc17fc0419546533494a68eb5f

SHA256
7d652351afb35e64d49dd1425fd2036b57d8869eaca6fd5cf8853461506ab5c8

SHA512
f258d033d42830eea572b76a5f3091acad5d36f1c2b91a1bee564ee1821dfc1e9ab8a0915330e9d83982b464ca22f3b1649b286a2f485758d7d0f2e794bce2ba

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
93KB

MD5
f5f1b52a9ca99e448b40914c526fa99f

SHA1
ec938b0e6f484575001a2d2a52539e3414c28dc3

SHA256
0dc76e4341d647830b3cc6fe2f32716e2913abea5b4af25c2f5e218a365aec14

SHA512
0b67763c12dd1c8205419c4188e663454b9b94dfd3783f3673187d9d7bf2940861f62fab4792be00cfda1ae72d5d0d053c687a39cf50c40c8fde77f00530abaa

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
93KB

MD5
9b816c412426e1867120a9d2a6283c76

SHA1
2cec39fc60d8e7d87d8d5b1207068b6eae7110ad

SHA256
ac2d33dbf79803888e97a701215c24f34427763a83321e7734c6d240b387ddc3

SHA512
f0d9a3ab7fa121a19670c7c47a4ee8ae92dd823c32723038ff0908226dcf0bbd96c73e20b7556385d439eb1410d05ac9ef1548077410638e7c5beefd33df9d58

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
93KB

MD5
7e67cedd9139932b0868d935fd122efa

SHA1
e4c49a4a83e6329e95195da3bcb2aa233fc2c5a2

SHA256
047dedf8d671fddb6901553bf17bc9a4c136c11e201b1d5eb8b676ce583276ad

SHA512
fc426e427633c510adc5b06055bdb72474160299578886ed4163d0c9363567660d4eb824519681ca01a7fc136d869603526b254d047022948851179fd481ccc7

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
93KB

MD5
a2713091511b2c2c1ca8f4010435b0cd

SHA1
ad52a4f5de5e24eca20a50ab0411a5fcd644407e

SHA256
a251dc8f696911e1c48e2ec2afbade6e8680fcc4c61ac4ae368ecd14b9108324

SHA512
ac3d5f31a0090b240454ab81a45543554302044f3bdeb9f68d7069ac05dfa9e8fa9e40e75a125b97e2413a45d76e79a584f1475abba93d69ccbc4ec13d96ef36

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
93KB

MD5
f9c1c0ba0330126d45ebdbd765bcb3cb

SHA1
c1d195e9f411ec1944c90c0f495d67fefbd4cc57

SHA256
98a3fde743a5bcf53fe0a8aa1e5e3ded649a49b6cc0e6a640f9723e7da1d1666

SHA512
f294bd426f549154f335bce0a61ed42aa9fccb0056a1aaddc27e8ce46adcfcb595c7f72b7e6d9f6b86f06a0a753c355643358b7b1336874ba251dd6e3f609c14

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
93KB

MD5
298437734d83986b44a89bc2f247416d

SHA1
c44044eb12ed86417c0e61e9d96ba16380fa8a42

SHA256
f4bc4c7db52f371b8b6f6cd4bca73cb0bcc83518f71b50ae88f2f0b0e8b9eeb5

SHA512
35d67e259f082d6bd7ceb32c84e8b3f5e90463c1b3847b3ffb4b87ea02a2ba3c2f6dd9438c9b9a92ad9414d28267fe110c5b18e065a6e31caf59bf403196b08b

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
93KB

MD5
d23d81ac5aa43db201e92a7799a1ef62

SHA1
7cea1b41027b3ac51c2f37343c5d1b40da645998

SHA256
d4bca21e441558297ddfb16ca98ecb357b0027cfe7dbd09a98997b1c876326b2

SHA512
18b89c90402f995ffbfa830f5d5ab1ac2d5cd38bb8effd299436f7361fbda3860c4464727ab0ddfeb7abbb4d0451239ff758b638193f638cfb689f09b41257cf

Download Submit
C:\Windows\SysWOW64\Cjmgfgdf.exe

Filesize
93KB

MD5
a50a7d2bc5c046adeb2185e594d44e97

SHA1
cd0a4a8a3dfaf5e79ea63cf335fd04c81268966b

SHA256
5d0398ba40dc7641e399bb56e0c1cb4f368ca64638e924d88d4ff7d9e83fae4a

SHA512
b8a814b49ffd8cc993d5c9ce00d61890bb45a489ae565341d66e07e5333e4e8f95c7d33a9c6519fc504abfcb4b5bc41e3a4765afb220bdd9fb6fb617e1b1019f

Download Submit
C:\Windows\SysWOW64\Daekdooc.exe

Filesize
93KB

MD5
10d37c6bccb82b4953cb708bf347260d

SHA1
ebe8f9d0544ba8bbeabb84b9f5bb1d34fc73d820

SHA256
5a20233a1940b9ca79df5edd734bb5ea48e123cc8e3c211e75507359aec6cb13

SHA512
fe1aa1c00d028d59418396e0fee9db665f094612e843a6e625f87aa3e013746edac3439a38d662f4f05584a31a89b08c12b1c86619776a4250104c4c3c0b446a

Download Submit
C:\Windows\SysWOW64\Dejacond.exe

Filesize
93KB

MD5
753593efdf0e12b743abe1b54db070a4

SHA1
29eb910e20d330251ee1d9f98f6e6c9d5353ddf1

SHA256
06c3d03f2b6073b3ff2f66d7cdac78c778eb623cdce26b5ea151d1db6ddf4703

SHA512
46300c66280352d23b5f770a8334649ea35ccbd21247886f0ca1857b6253e9f207d2d060abb1ce31859c81adc55d794bda6939ba56c0bac92e29256754d1137e

Download Submit
C:\Windows\SysWOW64\Dmefhako.exe

Filesize
93KB

MD5
1507fc613ccf1f203c67cc4b687a6055

SHA1
68907b2a7c056581ba6ce27cbd0c2a32d7f7e9ad

SHA256
e8c995627af62da34b92b811ec8a5172769ec9f253ad5cd4b463de71fc8949d3

SHA512
c6a541b36dca1b919627285d90789045042488c20c0b9ac39d132be97cd2db53e288d03890220617ae778e8f8f70a1722f6e5e3834fab5d8864d0035759449a2

Download Submit
C:\Windows\SysWOW64\Hmcjlfqa.dll

Filesize
7KB

MD5
82b19e0ff6b25bce3e8f56cdc6279f1a

SHA1
a53e4530e42630c6e956254861179d1d0cff0647

SHA256
2476e3bc0254c7604b34a6ca8a2bf7c82c72845137b46649fee3e5ddee9e9de0

SHA512
1d46e2a5cf451d545f85a67ab78e1c546240d6a232bf861bdb1c5876e265a742550b3c4998751168778e9fd52582dcc748f8014e4eded1267ec98823c58c3766

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
93KB

MD5
e86b8642e2eb5cbc92d50f68d1a75a2f

SHA1
c8d7946efbea12dda03da94d2bfee73262fa917c

SHA256
ebba26cf6c3be080c48d872c6161f2151dc31087395aafb3c421e3ab40e4d191

SHA512
7e428b005eda611654eb25b23bbf43d6cf29774bd0938e423c6c44344f51be4186626ea70c7c996affe25cfd8707ebbe57e6a63615b5bc4cf6823aa4ea77151a

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
93KB

MD5
7756c5f987a95acae471c5614f79ef9b

SHA1
5515202a6a0d943efa35ab5b9a0e84ae2aedbf2a

SHA256
c996aca6774dbaf4a8c6f46429c1ab1b1436b55bab7023fb48a78d69aebd127a

SHA512
2dceec75176e306aaf68fadf719e52c4914b36d7a3341264cc5d016996ee15380cafc0feba28f3e7cee2801674c87b57840d2b2e534103d8a8b7a489a77dec53

Download Submit
memory/116-156-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/216-20-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/224-159-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/224-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/324-301-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/400-257-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/400-169-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/412-177-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/412-88-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/512-368-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/512-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/540-395-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/984-106-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/984-195-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1172-356-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1172-422-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1244-415-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1244-350-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1280-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1280-80-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1308-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1308-214-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1404-336-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1404-401-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1408-330-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1408-394-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1508-444-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1604-146-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1604-231-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1684-40-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1684-123-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1936-55-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1936-145-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1984-423-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1988-416-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2036-48-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2036-132-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2188-303-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2188-223-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2192-343-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2192-408-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2208-437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2408-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2408-186-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2508-254-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2540-316-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2648-409-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2752-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2752-79-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2764-381-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3016-262-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3032-388-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3052-322-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3088-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3088-252-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3132-63-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3132-154-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3192-436-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3192-369-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3216-23-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3216-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3240-12-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3364-113-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3364-32-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3484-429-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3484-362-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3544-187-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3544-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3668-342-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3668-276-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3892-314-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3892-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3900-204-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3900-114-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3916-375-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3916-443-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3940-124-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3940-213-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3972-402-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4104-434-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4172-270-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4172-178-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4316-271-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4524-321-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4524-240-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4676-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4676-209-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4748-282-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4748-196-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4764-283-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4764-349-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4788-133-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4788-222-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4924-387-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4924-324-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5108-294-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads