b10dc274b3311d1ba74e012d8018568c8812284014ba927b2f19f9561e712a61

Analysis

max time kernel
103s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 00:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7755fbf3c19721a6fcda2bbbca642020N.exe
Size

64KB
MD5

7755fbf3c19721a6fcda2bbbca642020
SHA1

c7b8d7b39b237566651b008399cf77d3f5859ad2
SHA256

b10dc274b3311d1ba74e012d8018568c8812284014ba927b2f19f9561e712a61
SHA512

53edb37fd04e07a5dac75cfa16e0f65f4230af63145369fdc982b86d1e88ad619dba91e5668259e18685939f7c26f4de5f388f26886ebf40929d1d47456d4c0a
SSDEEP

1536:gUcJalQBSV1wXX6Tm1Uu8xK+N5SDfWqdMj:g/QQQV1QK6ZZ+XSTWq8

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qddfkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pjmehkqk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pcbmka32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjmehkqk.exe

Executes dropped EXE 64 IoCs

pid	Process
4756	Pcbmka32.exe
4164	Pjmehkqk.exe
1164	Qnhahj32.exe
4064	Qmkadgpo.exe
2904	Qceiaa32.exe
2868	Qfcfml32.exe
2892	Qmmnjfnl.exe
5072	Qddfkd32.exe
1504	Qffbbldm.exe
404	Anmjcieo.exe
1632	Aqkgpedc.exe
5024	Acjclpcf.exe
3568	Afhohlbj.exe
3788	Aqncedbp.exe
4456	Aclpap32.exe
464	Ajfhnjhq.exe
2144	Aqppkd32.exe
3620	Agjhgngj.exe
3460	Andqdh32.exe
2400	Aeniabfd.exe
2192	Acqimo32.exe
1192	Anfmjhmd.exe
4744	Accfbokl.exe
2944	Agoabn32.exe
4348	Bjmnoi32.exe
4548	Bagflcje.exe
3084	Bjokdipf.exe
2836	Bchomn32.exe
4172	Bffkij32.exe
860	Bnmcjg32.exe
4884	Bcjlcn32.exe
1748	Bjddphlq.exe
4752	Banllbdn.exe
4584	Bclhhnca.exe
1348	Bjfaeh32.exe
3344	Bapiabak.exe
3040	Bcoenmao.exe
2888	Cfmajipb.exe
1692	Cndikf32.exe
2368	Cenahpha.exe
4376	Cfpnph32.exe
3604	Cnffqf32.exe
4324	Cmiflbel.exe
3856	Cdcoim32.exe
2196	Cfbkeh32.exe
4080	Cnicfe32.exe
4760	Cmlcbbcj.exe
3112	Chagok32.exe
4084	Cnkplejl.exe
4000	Ceehho32.exe
1572	Chcddk32.exe
3968	Cjbpaf32.exe
1144	Cmqmma32.exe
2824	Calhnpgn.exe
4136	Cegdnopg.exe
4364	Dfiafg32.exe
1456	Djdmffnn.exe
4008	Dmcibama.exe
2120	Dejacond.exe
4088	Ddmaok32.exe
4748	Dobfld32.exe
748	Daqbip32.exe
4568	Ddonekbl.exe
3600	Dfnjafap.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mjpabk32.dll	Qnhahj32.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Jekpanpa.dll	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Hpnkaj32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Pcbmka32.exe	7755fbf3c19721a6fcda2bbbca642020N.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Gokgpogl.dll	Qceiaa32.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Bagflcje.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Lipdae32.dll	7755fbf3c19721a6fcda2bbbca642020N.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Aclpap32.exe
File opened for modification	C:\Windows\SysWOW64\Accfbokl.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Banllbdn.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Pcbmka32.exe	7755fbf3c19721a6fcda2bbbca642020N.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Pjmehkqk.exe	Pcbmka32.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Hjlena32.dll	Andqdh32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cnkplejl.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Qffbbldm.exe	Qddfkd32.exe
File opened for modification	C:\Windows\SysWOW64\Acjclpcf.exe	Aqkgpedc.exe
File opened for modification	C:\Windows\SysWOW64\Andqdh32.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Bjddphlq.exe	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Qnhahj32.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Qlgene32.dll	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Qnhahj32.exe	Pjmehkqk.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	Anfmjhmd.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cjbpaf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5160	3380	WerFault.exe	162

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbmka32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjmehkqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7755fbf3c19721a6fcda2bbbca642020N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfcfml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djnkap32.dll"	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Bchomn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnkaj32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daqbip32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lipdae32.dll"	7755fbf3c19721a6fcda2bbbca642020N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdipdgch.dll"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	7755fbf3c19721a6fcda2bbbca642020N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfgfh32.dll"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcjlfqa.dll"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkobg32.dll"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlklhm32.dll"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghekjiam.dll"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qddfkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Accfbokl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3804 wrote to memory of 4756	3804	7755fbf3c19721a6fcda2bbbca642020N.exe	84
PID 3804 wrote to memory of 4756	3804	7755fbf3c19721a6fcda2bbbca642020N.exe	84
PID 3804 wrote to memory of 4756	3804	7755fbf3c19721a6fcda2bbbca642020N.exe	84
PID 4756 wrote to memory of 4164	4756	Pcbmka32.exe	85
PID 4756 wrote to memory of 4164	4756	Pcbmka32.exe	85
PID 4756 wrote to memory of 4164	4756	Pcbmka32.exe	85
PID 4164 wrote to memory of 1164	4164	Pjmehkqk.exe	86
PID 4164 wrote to memory of 1164	4164	Pjmehkqk.exe	86
PID 4164 wrote to memory of 1164	4164	Pjmehkqk.exe	86
PID 1164 wrote to memory of 4064	1164	Qnhahj32.exe	87
PID 1164 wrote to memory of 4064	1164	Qnhahj32.exe	87
PID 1164 wrote to memory of 4064	1164	Qnhahj32.exe	87
PID 4064 wrote to memory of 2904	4064	Qmkadgpo.exe	88
PID 4064 wrote to memory of 2904	4064	Qmkadgpo.exe	88
PID 4064 wrote to memory of 2904	4064	Qmkadgpo.exe	88
PID 2904 wrote to memory of 2868	2904	Qceiaa32.exe	89
PID 2904 wrote to memory of 2868	2904	Qceiaa32.exe	89
PID 2904 wrote to memory of 2868	2904	Qceiaa32.exe	89
PID 2868 wrote to memory of 2892	2868	Qfcfml32.exe	90
PID 2868 wrote to memory of 2892	2868	Qfcfml32.exe	90
PID 2868 wrote to memory of 2892	2868	Qfcfml32.exe	90
PID 2892 wrote to memory of 5072	2892	Qmmnjfnl.exe	91
PID 2892 wrote to memory of 5072	2892	Qmmnjfnl.exe	91
PID 2892 wrote to memory of 5072	2892	Qmmnjfnl.exe	91
PID 5072 wrote to memory of 1504	5072	Qddfkd32.exe	92
PID 5072 wrote to memory of 1504	5072	Qddfkd32.exe	92
PID 5072 wrote to memory of 1504	5072	Qddfkd32.exe	92
PID 1504 wrote to memory of 404	1504	Qffbbldm.exe	93
PID 1504 wrote to memory of 404	1504	Qffbbldm.exe	93
PID 1504 wrote to memory of 404	1504	Qffbbldm.exe	93
PID 404 wrote to memory of 1632	404	Anmjcieo.exe	94
PID 404 wrote to memory of 1632	404	Anmjcieo.exe	94
PID 404 wrote to memory of 1632	404	Anmjcieo.exe	94
PID 1632 wrote to memory of 5024	1632	Aqkgpedc.exe	95
PID 1632 wrote to memory of 5024	1632	Aqkgpedc.exe	95
PID 1632 wrote to memory of 5024	1632	Aqkgpedc.exe	95
PID 5024 wrote to memory of 3568	5024	Acjclpcf.exe	96
PID 5024 wrote to memory of 3568	5024	Acjclpcf.exe	96
PID 5024 wrote to memory of 3568	5024	Acjclpcf.exe	96
PID 3568 wrote to memory of 3788	3568	Afhohlbj.exe	98
PID 3568 wrote to memory of 3788	3568	Afhohlbj.exe	98
PID 3568 wrote to memory of 3788	3568	Afhohlbj.exe	98
PID 3788 wrote to memory of 4456	3788	Aqncedbp.exe	99
PID 3788 wrote to memory of 4456	3788	Aqncedbp.exe	99
PID 3788 wrote to memory of 4456	3788	Aqncedbp.exe	99
PID 4456 wrote to memory of 464	4456	Aclpap32.exe	101
PID 4456 wrote to memory of 464	4456	Aclpap32.exe	101
PID 4456 wrote to memory of 464	4456	Aclpap32.exe	101
PID 464 wrote to memory of 2144	464	Ajfhnjhq.exe	102
PID 464 wrote to memory of 2144	464	Ajfhnjhq.exe	102
PID 464 wrote to memory of 2144	464	Ajfhnjhq.exe	102
PID 2144 wrote to memory of 3620	2144	Aqppkd32.exe	103
PID 2144 wrote to memory of 3620	2144	Aqppkd32.exe	103
PID 2144 wrote to memory of 3620	2144	Aqppkd32.exe	103
PID 3620 wrote to memory of 3460	3620	Agjhgngj.exe	105
PID 3620 wrote to memory of 3460	3620	Agjhgngj.exe	105
PID 3620 wrote to memory of 3460	3620	Agjhgngj.exe	105
PID 3460 wrote to memory of 2400	3460	Andqdh32.exe	106
PID 3460 wrote to memory of 2400	3460	Andqdh32.exe	106
PID 3460 wrote to memory of 2400	3460	Andqdh32.exe	106
PID 2400 wrote to memory of 2192	2400	Aeniabfd.exe	107
PID 2400 wrote to memory of 2192	2400	Aeniabfd.exe	107
PID 2400 wrote to memory of 2192	2400	Aeniabfd.exe	107
PID 2192 wrote to memory of 1192	2192	Acqimo32.exe	108

C:\Users\Admin\AppData\Local\Temp\7755fbf3c19721a6fcda2bbbca642020N.exe
"C:\Users\Admin\AppData\Local\Temp\7755fbf3c19721a6fcda2bbbca642020N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3804
- C:\Windows\SysWOW64\Pcbmka32.exe
  C:\Windows\system32\Pcbmka32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4756
- - C:\Windows\SysWOW64\Pjmehkqk.exe
    C:\Windows\system32\Pjmehkqk.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4164
  - - C:\Windows\SysWOW64\Qnhahj32.exe
      C:\Windows\system32\Qnhahj32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1164
    - - C:\Windows\SysWOW64\Qmkadgpo.exe
        
        C:\Windows\system32\Qmkadgpo.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4064
      - C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2904
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\SysWOW64\Qmmnjfnl.exe
        
        C:\Windows\system32\Qmmnjfnl.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\SysWOW64\Qddfkd32.exe
        
        C:\Windows\system32\Qddfkd32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Qffbbldm.exe
        
        C:\Windows\system32\Qffbbldm.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\Anmjcieo.exe
        
        C:\Windows\system32\Anmjcieo.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\SysWOW64\Aqkgpedc.exe
        
        C:\Windows\system32\Aqkgpedc.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3568
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:464
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3620
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4744
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4548
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3084
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4172
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4752
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3344
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2888
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2368
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:3604
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4324
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3856
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4080
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4760
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3112
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4084
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4000
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1572
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1144
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        55⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4136
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1456
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2120
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        62⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4568
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        65⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:916
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:3420
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        69⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3988
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:3380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3380 -s 396
        76⤵
        Program crash
        
        PID:5160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3380 -ip 3380
1⤵
PID:5136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
64KB

MD5
54a7a100b64fb5dfb7ef74715ed21c8f

SHA1
5febf7ad30fe9a9a8e17bc0e78a450cb1936cc28

SHA256
953d9a7ea4277f61a6c9f98bbc306cfab87a882bc085b455e49626a38808fbdb

SHA512
41606475312e0409c8e720106342856241f06793f6733acee6d84dc5193e8fd693a6463baf99ba168badade0c9d282fa5659128b00f9fa4d67881912171a5ba0

Download Submit
C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
64KB

MD5
026a43550cbdb66393403a5ee3623070

SHA1
eb4f24923b36d638452937adc9cffa0c7c407b09

SHA256
1791c1a404ff731ed42bfe76c06e659b4f8a5f9f8ba7a7dedb76471dad5d338d

SHA512
429ebb26570ec102af48e22e9650c546c43ba7df8c5fff55da371417331faf70883ea00bd24d10b8728fd53e62e2876d73cab62fa09753d32cbfd4f4075b0cb1

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
64KB

MD5
e6d58b892b0fe7349beedcd871970ce0

SHA1
369e66b8611502a46a5578fb914335bc5dbcf040

SHA256
e8d62a1c4a92ee4897f2bf3d414ae90de9c6c7d084d0e722c699b449750a0eec

SHA512
6d5254d3a18727a289c2f054a3cc3e5816e0ac83313dc5f28689318731ba115e11865352c0fafb8c98e2615ef2703b83dd33b9842cd5f21cc2b26a40f3a46e77

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
64KB

MD5
14f3b9d44df24557823e9458a7f4f268

SHA1
92a8b2c9a6fdd5a7f225d9e10ab5c052d2d5ff93

SHA256
e6a5ee4f14a4744d5cf3ecf59cf37ff7448d1c13c3285c0af2ec7c237a4bf964

SHA512
25aa2f8fcffd8a2a851c1c0fdc3b9486c444429275090bb8d1d837ee419ca086d9bc689f8b7c6e86276069117ad4729497d9635063db8d549f54c9fd1c137d26

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
64KB

MD5
feafd86b2503809c0b1b08326d2c3c26

SHA1
815369f66b4f7b3d432039337785ed238d361195

SHA256
e565e4c9bade924e82ecd65b366823b3c75cc2d93411ea0d0b85f01e03cdd790

SHA512
0a677367149f4ce1ab542ca823bc4da450458996a95aeac3e5aaf2d257938ab510af212a6b88593e6bbb1db444e9bc8a5f4e084a4774e19590e8f8d23a9464f8

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
64KB

MD5
8158710a2bb6fd19187fc3d3fb3424c1

SHA1
56a0a80059cebfe9c8efc9b86dba8e62f0a5e3aa

SHA256
6bcfd31ac981a2a26538d929918202b59efd98dd9f9b2a068c791d5a00342d1c

SHA512
e9f8c24dcd865106f5703513131b8b0426a705565b622cbf1779ed8851fe817a49d3281c377c5281c5eaa0757f133eef149f1eac6e36013e4ab9411728478d13

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
64KB

MD5
c10f4483d6155adb3de5ba3a68bf84f3

SHA1
4c5d7b79ff422f2ff0e2da440bebdf9d1f07d936

SHA256
41cba5abd04a5c4540f22614137174ad45a6e9ff5e7b7e63ab07ce0008288934

SHA512
29a233c0c70f092f5e150a93c1401a9c98ecc42736772f94e2246d67039a28051213ec23484e9100ff103a838ea9014e0b5a05a7d2929f948ce72074ac69ae17

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
64KB

MD5
3b6433b742220206f443b4b83ca51ddb

SHA1
c6adc243fb54d77684c259b84e960c1cec665ad9

SHA256
96df529fecc7a8bf838d56ecb412a34bd79359e0f4861c0233320742e5bf9ff9

SHA512
edd219638eaaf6c1c1054508bbfdc1dc7a06684a9680548ffeb73d40962dcba0297f6e0a9eb92f8086d012ec7acc449f9e5d4f4335ffa8190a6e470d01b2bea1

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
64KB

MD5
78deab84557e92ff213f416655172fd3

SHA1
096d19ea5a75ac342fbd7489a314fd9738e8768c

SHA256
8f7478df5734c84297570e803d41d1e59ecf53a96c0372ebcd7d153003168116

SHA512
8b43091bb994af8315fe66507d1bae005d15c4b3c639a604a132018093b14cbba6790585277ae0feae746fa78aaed1f96f09a1498fae10515e5a5327c51415ab

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
64KB

MD5
d7b216a7b414a35cb4755e36031d4801

SHA1
956a531b79eb95ab79fa5c5c9478fc491dc3807a

SHA256
1e80588915f9b68d240a75efbe773a20280873450f984a02efae7ce30929f56d

SHA512
eea3d14a586226819b6a854355361bf9ac0240877e95810d637041f2f22201d09bf012e99fa7522a7d830f4280abeb09ab95f933b22d90078f702c63ae7b3896

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
64KB

MD5
178d63dbdf7c68b0eb602598afcbc671

SHA1
784766f289335c4773a2f84d58b6901bde5d48a8

SHA256
bb8545b26220e44b96774c7d803b0be1a1dfbaa60ed8490e5636391ec63d8a3b

SHA512
21d0c425cb97947721549b651b148e9b3d0dcad8893ad939aed229f1ad3e748f725c9c7334960c954da74cbad0d39f858ad095e79191403f1b185dd637a594ab

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
64KB

MD5
27aacd5c034490da146e8bd34d0c74b7

SHA1
c0d354716f710272a1942e9c9139eeed4edc3c9d

SHA256
be61c7ebb5d2eefb62c142d74f4c9957ffd133caabba37a7454b6c18f4e1e82c

SHA512
0723131887656d2dd396066e0cd658337b1254ad8338b4ba18a9d2c29d7415e7f662dd292f1abea91772cfcb3bf57883e2f7a103828861e92a79f346a5bd758f

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
64KB

MD5
c4d70b4ea7b9f53a4b3b36235ab6b473

SHA1
73c9dbc774027c0dead8b273b78bf50549a55b23

SHA256
0cd06f7f12efdd608a18843e998fdb9dc0d09f4660ff65b550ccf8b471b48702

SHA512
bee66538b76ee5d0ff13263a472a150389de8364fa4adfeea32a13395422eb016689c7ce2585ce45c55c550ee4df596c51903d8fb55c959bedab63e735cf2b16

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
64KB

MD5
be80eb818b7d78fe4ed6c085bdd3da20

SHA1
ea7dfa8b139c7915fe0037063c80c96a4b78b10c

SHA256
a3395270f7517b9287ccac634bc80012c8bb1aab5dbc9f2532a90c23d8c5cc8d

SHA512
66316233d01f24898f47eab8341bf735eb2ee53c0155c1c925be8f39c0b4f3017ae3ab3f78c7d2dad0a6c8633608db2d0f90caf174a9ae5320e9568729fce969

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
64KB

MD5
292eb37745da70bbc15e3831d9191804

SHA1
0e5da69cfec86801a3235ed128d74d877b1d8264

SHA256
df5fccdd3d6fb6e1cba15fa07e1e6414c9b7d3150a249b2aa387fd2c174d2db0

SHA512
c5de5dae54f0318c9bb9d888359ad03adc44ad8e3abf5a59957d7e975385f4f6d640e6bfddb718cd22a1bdc47a08c40b30cbeaffa6ac7eac33c6cd1d4282d76e

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
64KB

MD5
e5e15db6d1672582f4c7061d08168c89

SHA1
cab264fc085e3cc054ac6b5e0dae52c9351bfe76

SHA256
fb6b1edfd863999f466650d7a2cd064a13ce6e751ac4fb00cfb33cb8a605c2d7

SHA512
7693c131df430a18c2cc999c5c7cd6ea53adbb64b71c5604f4e038ae546e755b20861aeccd31c7a32301950999fe8592cf6b3260bd97ccc765e5ceee57056a0a

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
64KB

MD5
d540929dd7aa49f72fb6a41d687a758d

SHA1
667ee3d61f31642af24181b79702942baf378b3a

SHA256
1bf67321d8308d6d75024f849ee2510e1317b7880948ff64d281e96800902db9

SHA512
8a9e270fe49d4e8dc2049faa820ac0e4379567ac93188a9a090bbbd36e4c176a2d11c7f7230e52f0f473efa90a69ea7dfb1d4d0a891f32c504134b87986001cf

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
64KB

MD5
1715517c250dc4e8d4b974ee937a8850

SHA1
abbe40ccd9b1732549930637e079a8156e2c3851

SHA256
be47af7423562ab29aca6821beaf945fbe5299e6c34edcd4e5a21f6abc81ba2b

SHA512
a04424ac23158f99f304c55a42b4b8a943ab0c0b609bac49a2428b73ad0aa0c5bfa9289652b2c8ca3211a98b49bfb1dad334a26458fc1f316338cd41c14d4299

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
64KB

MD5
9185df713dc8b109e3ca1dfdef25f8bc

SHA1
74c9a5cd41bdd55df5f869dfb9793487a10ee065

SHA256
4eb74e2ddbf57112a6c20735bfd749d8816f5d9e5c5260e932e4d48505596152

SHA512
ef2bcc5364e64007b918e367657c94f30d9ca3fa257fa90b2aed212adcbd743c850c76bb7160d65e95c38b45b47fed0e568145b80ed3a46564d8c2b9d88e0310

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
64KB

MD5
ca9edd547536de4d2670c89aeac745cb

SHA1
d332fb051297bb4adebfe4d4687e6df276283d3e

SHA256
c3c1f3f90182382d8a8a3c56880903a5cc7326d94f0c7386106c742bfaee522d

SHA512
d31c97067da7d488e81b3d1f6d2389bc1f3a4da1a467fe6fbecec68aa2fb2cd7104dbfc1d061f904bfe0c1a9140978df00c0dfbddda3025fbc69d789759d8206

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
64KB

MD5
a1f68e77f3e1169354dd1e7e54cecb32

SHA1
2cf44b87d1fba8dfb80b5e7adcb25e8a6b6af1dc

SHA256
170108e86f2d70c3d63edf4715605f9d807eb00ccaeebe8178b4f2874b0b0aef

SHA512
f8eda34fad4314eb4cbb9ed438cc3a4b241f00b60f040f46de626b1e260d45fde530911198a84074078b9ffbca3c951def8299a2ff7469bc6c8b0d2ed5d5cbb8

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
64KB

MD5
17ca26a34437ad234bde7a33e19d2bd5

SHA1
f2fac760dadd84e01b1720304bf4eb40c990575d

SHA256
4c4185c0f541f15c2b26701a6f1239492be1345d3e5734f5526075c7eedc90a5

SHA512
4a62cdcb1d9ff56909422aa8a95b98ef602c74f66d26cc889f032eaeb292f47a83d902664eedf15c5ba8c7f2cf868cc74eb7565cf38acdfbc0157f3953fcd041

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
64KB

MD5
4e4590f9a3b225fbd4824b87f2899630

SHA1
cfd4fbb2d9c335f9763d319449ff854ccc88e70a

SHA256
448a4ac9183e5e80aa2869a8321550a18fb0e4716e762036eb033d8dce36c028

SHA512
30b01339982309a8a4342e52e6158d5107a6cc77018c1689ee7a3cd9aa5ee74a2f5c74e6baf6803ed33919528ef51897f88155fc4ea578c6e1763211131bc2b2

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
64KB

MD5
d166b242c709b2348451a514f739636f

SHA1
7e895b37a8ba7a89b5d924241da50458086a2e79

SHA256
9a8151cd7fba05e680eb32e34479df76a07b2a3e997020c3f2ff4dc671757b4c

SHA512
774bdf4285856ac65c4f54a27b2c457cec4a06d83c93860fe3d44ffb573040ed713b97b0c8900b2996c8fd94d1d31803de44cc12b535c2ca0c5530fe59d3ef80

Download Submit
C:\Windows\SysWOW64\Pcbmka32.exe

Filesize
64KB

MD5
979da86cddb1d89dbaa7ebf3837ebb9e

SHA1
21ccf4b0370cff2417ae6aec2e02b69ef3b622f2

SHA256
a1a6fd730cfedc39ac6a9afb8c5a6c08bcd0d263bb0be6c0e392a97de56b11c2

SHA512
126f1d0f22d54d296d126848493af1ceb266a9dccff1d47a555bf76f0f540241243022d46ac9f36f3e72a3185025f493be63da34869efcc2282c13ff365af870

Download Submit
C:\Windows\SysWOW64\Pjmehkqk.exe

Filesize
64KB

MD5
09765e09b2bb14a22ff6fc4938464c68

SHA1
dffa29ace7c5b51969343fa16ed811f0e235534f

SHA256
f871c6595c90aafd4502baed523e3f280b82d9ba33d42c56d30c1ad25341f2c9

SHA512
1011c1aa2470dda1075ebc3cfe73f6f37bbc46c63ac27ef30cd8f7fbbbe6925e8afd2184328bdca8e54553bf2ec0ae666022f0c1803a1a2c0cd8d14b49400960

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
64KB

MD5
8c9b2a19e9cfb3fd16127cfc2bb606ca

SHA1
80b4a538978c4330dcc5dbc5d2ae66e7ccb51d8d

SHA256
d31167404748ebea525d78282a4a6f979a8398cdaf1eea3f2adb5efa319d052c

SHA512
d06c7f3d2ee99210a6140843af9d3f585c1d6d805c5df86818e62122f1f76c87be097200a8d209aca6bdd4422af010c00ae1c7a3d5e3a70ff2cec0d90a3bba90

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
64KB

MD5
9d3e6d84e8d5d44771546346d6918bce

SHA1
bc0566edb0a01ee3e8a13a319ca703ebc45713ab

SHA256
9689acb2e2228e4eb16a14542e397e59b230e4c412f61249eb202f3c20036a5f

SHA512
1e0ea150b61005e6993602d92cd511b017e64b73b3136e85c2133cb08ac73be4b9578ff7ae48998cd337f12d0fdb78ae42c83de24b5b82ecbb96317cfe3c721c

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
64KB

MD5
83c02c32f10f9c2e3723c614d5b8a776

SHA1
1de1cc6b8483140b9b0057156bc5f7d5e0ec7c0c

SHA256
36ee570b89fb5e89e93e69888bdda1f4222399f535106b79d3bf1795a8064535

SHA512
e835d66d70d6d1e9a557caf6c6b32b3475a090dbd4fb6d866ab6719d803dadcef55a46eaec1e41c8da08ddf7400dab0ccba9926c9134fc26a0a39ed209b8436b

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
64KB

MD5
9ac5cc0baefc7cbd7fc0082f0226cc5a

SHA1
f3294650afcc16b200fa07754a04fac739a7d2c4

SHA256
c27f22f021afbbe25a7814b59258655839dcbffe7d127dc773c59b81efc5f88d

SHA512
77149b1ea542a60bf5e34841f22be03d62158f183479cac6ecb19dd691da99829181bb26ccf61f9e96c7c81a21228b82d28eb0ad6fdb07e0a6fb57a9a178b154

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
64KB

MD5
339ab0d57e495260ca5d8d8737ca00aa

SHA1
fee2e8074a68669a947555ab814d6edac74ebcc2

SHA256
f3dc65af70afa3392053dde387df23c70ae0ca74d8f63de5008ff42b81d8a351

SHA512
9a1e159698fc3600b18de8dcc84fdc43874b2bdfb1b840347f92a884d50ea50bf81c90dda7bea37760091fb31c5f3b2550e9ec3d62be00b08ae89123210096f1

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
64KB

MD5
59f6d70487bffb60da83e82f3ccff469

SHA1
79c2206f883a81561bd5f4748f80504cb6ddafb6

SHA256
9ecfc15a3382f71d3fc32ddc7dbff32c165c542ec0f21425f94093eed4a2a556

SHA512
06bee41a5b579a0f8e3b013c310bdebab64860deb559596c703306417ee76f3aa76df928aded8e788d33cb8cdbe013f78102305abafa4a6e5e2d2b468a7f0ee1

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
64KB

MD5
66a6c89e2c964cff301197ec27895674

SHA1
e55c1ac01dbe08971a3e6148241e869b6b793f4a

SHA256
6559a07c459d1077a5e1893ae3f80f16af72ef6baf70c90d5fd67ccf24001078

SHA512
95856911d778b83aa3899010b96999552ebb826b9e4e712f82e773c47e161ad19e66c0383a6b9ac6b80c96a2c80160af4ab783437cd5b0a6ecc0f478be3c306c

Download Submit
memory/404-170-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/404-81-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/464-225-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/464-135-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/860-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/860-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1164-107-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1164-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1192-189-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1192-279-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1348-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1348-301-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1504-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1504-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1572-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1632-179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1632-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1692-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1692-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-349-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2144-145-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2144-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2192-180-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2192-269-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2196-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2368-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2400-260-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2400-171-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2836-321-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2836-243-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2868-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2868-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2888-391-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2888-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2892-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2904-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-208-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2944-293-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3040-384-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3040-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3084-234-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3084-314-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3112-392-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3344-308-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3344-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3460-252-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3460-163-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3568-197-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3568-109-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3604-350-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3604-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3620-242-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3620-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3788-207-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3788-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3804-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3804-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3804-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/3856-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4000-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-116-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4064-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4080-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4084-399-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4164-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4164-98-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4172-253-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4172-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4324-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4348-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4348-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4376-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4376-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4456-126-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4456-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-307-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4548-226-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4584-363-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4584-294-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-198-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-287-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4752-356-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4756-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4756-89-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4760-385-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-342-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4884-270-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5024-99-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5024-188-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5072-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5072-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads