njrat | b80747f0bc219435e511b606fab7301eb9b9f0d45ae7058a61db448aafc9a0c1

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-09-2024 03:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dbe19a1130bccde071164cd19e631770N.exe
Size

337KB
MD5

dbe19a1130bccde071164cd19e631770
SHA1

d828ac5c60e5fcf4222fa6053082fe711fbfd465
SHA256

b80747f0bc219435e511b606fab7301eb9b9f0d45ae7058a61db448aafc9a0c1
SHA512

bdd8d705192c6bf0ab134cdf1358b8ee1496ca30e145acd89525b59df76a30d7fae07742c40b82f792c791836351121f5c7720d0b3a7d66319a62013f418a326
SSDEEP

3072:X2HNegccl0YgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:G4cl0Y1+fIyG5jZkCwi8r

Score

10^/10

njrat discovery persistence trojan

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 62 IoCs

pid	Process
4840	Qgcbgo32.exe
3832	Anmjcieo.exe
1084	Aqkgpedc.exe
3548	Ajckij32.exe
4856	Anogiicl.exe
672	Aqncedbp.exe
3108	Anadoi32.exe
712	Acnlgp32.exe
2540	Amgapeea.exe
4908	Acqimo32.exe
548	Afoeiklb.exe
4956	Anfmjhmd.exe
1292	Accfbokl.exe
2984	Bjmnoi32.exe
4876	Bmkjkd32.exe
4744	Bebblb32.exe
4684	Bfdodjhm.exe
4564	Bchomn32.exe
3716	Bnmcjg32.exe
1232	Beglgani.exe
4092	Bfhhoi32.exe
3976	Bmbplc32.exe
4600	Bclhhnca.exe
2644	Bjfaeh32.exe
3440	Belebq32.exe
60	Chjaol32.exe
1500	Cmgjgcgo.exe
2780	Cenahpha.exe
3484	Cdabcm32.exe
3948	Cfpnph32.exe
4828	Cjkjpgfi.exe
3216	Cmiflbel.exe
3708	Caebma32.exe
2416	Ceqnmpfo.exe
4980	Cdcoim32.exe
3452	Chokikeb.exe
2564	Cjmgfgdf.exe
3844	Cnicfe32.exe
4580	Cmlcbbcj.exe
1468	Ceckcp32.exe
5032	Cnkplejl.exe
2640	Cajlhqjp.exe
4900	Chcddk32.exe
2172	Cjbpaf32.exe
4808	Calhnpgn.exe
1588	Cegdnopg.exe
4692	Dfiafg32.exe
1484	Dopigd32.exe
1312	Danecp32.exe
3704	Ddmaok32.exe
4568	Djgjlelk.exe
452	Dmefhako.exe
3308	Delnin32.exe
1748	Ddonekbl.exe
1952	Dkifae32.exe
4480	Dodbbdbb.exe
4944	Deokon32.exe
3756	Dhmgki32.exe
4400	Daekdooc.exe
3824	Dddhpjof.exe
3476	Dgbdlf32.exe
756	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Anadoi32.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Maghgl32.dll	Anadoi32.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Acnlgp32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Ajckij32.exe	Aqkgpedc.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cnkplejl.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	dbe19a1130bccde071164cd19e631770N.exe
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	dbe19a1130bccde071164cd19e631770N.exe
File created	C:\Windows\SysWOW64\Anmjcieo.exe	Qgcbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Pkmlea32.dll	Qgcbgo32.exe
File created	C:\Windows\SysWOW64\Aqkgpedc.exe	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Aqkgpedc.exe	Anmjcieo.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Accfbokl.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Ehfnmfki.dll	Anmjcieo.exe
File created	C:\Windows\SysWOW64\Ajckij32.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Mglncdoj.dll	Amgapeea.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dkifae32.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	dbe19a1130bccde071164cd19e631770N.exe
File created	C:\Windows\SysWOW64\Anfmjhmd.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Bfhhoi32.exe	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Maickled.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Bjfaeh32.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Bfdodjhm.exe
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Cajlhqjp.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2748	756	WerFault.exe	147

System Location Discovery: System Language Discovery 1 TTPs 63 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbe19a1130bccde071164cd19e631770N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Accfbokl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maickled.dll"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	dbe19a1130bccde071164cd19e631770N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Deokon32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	dbe19a1130bccde071164cd19e631770N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laqpgflj.dll"	dbe19a1130bccde071164cd19e631770N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfhhoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Accfbokl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdheac32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnmfki.dll"	Anmjcieo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 4840	4192	dbe19a1130bccde071164cd19e631770N.exe	83
PID 4192 wrote to memory of 4840	4192	dbe19a1130bccde071164cd19e631770N.exe	83
PID 4192 wrote to memory of 4840	4192	dbe19a1130bccde071164cd19e631770N.exe	83
PID 4840 wrote to memory of 3832	4840	Qgcbgo32.exe	84
PID 4840 wrote to memory of 3832	4840	Qgcbgo32.exe	84
PID 4840 wrote to memory of 3832	4840	Qgcbgo32.exe	84
PID 3832 wrote to memory of 1084	3832	Anmjcieo.exe	85
PID 3832 wrote to memory of 1084	3832	Anmjcieo.exe	85
PID 3832 wrote to memory of 1084	3832	Anmjcieo.exe	85
PID 1084 wrote to memory of 3548	1084	Aqkgpedc.exe	86
PID 1084 wrote to memory of 3548	1084	Aqkgpedc.exe	86
PID 1084 wrote to memory of 3548	1084	Aqkgpedc.exe	86
PID 3548 wrote to memory of 4856	3548	Ajckij32.exe	87
PID 3548 wrote to memory of 4856	3548	Ajckij32.exe	87
PID 3548 wrote to memory of 4856	3548	Ajckij32.exe	87
PID 4856 wrote to memory of 672	4856	Anogiicl.exe	88
PID 4856 wrote to memory of 672	4856	Anogiicl.exe	88
PID 4856 wrote to memory of 672	4856	Anogiicl.exe	88
PID 672 wrote to memory of 3108	672	Aqncedbp.exe	90
PID 672 wrote to memory of 3108	672	Aqncedbp.exe	90
PID 672 wrote to memory of 3108	672	Aqncedbp.exe	90
PID 3108 wrote to memory of 712	3108	Anadoi32.exe	91
PID 3108 wrote to memory of 712	3108	Anadoi32.exe	91
PID 3108 wrote to memory of 712	3108	Anadoi32.exe	91
PID 712 wrote to memory of 2540	712	Acnlgp32.exe	92
PID 712 wrote to memory of 2540	712	Acnlgp32.exe	92
PID 712 wrote to memory of 2540	712	Acnlgp32.exe	92
PID 2540 wrote to memory of 4908	2540	Amgapeea.exe	94
PID 2540 wrote to memory of 4908	2540	Amgapeea.exe	94
PID 2540 wrote to memory of 4908	2540	Amgapeea.exe	94
PID 4908 wrote to memory of 548	4908	Acqimo32.exe	95
PID 4908 wrote to memory of 548	4908	Acqimo32.exe	95
PID 4908 wrote to memory of 548	4908	Acqimo32.exe	95
PID 548 wrote to memory of 4956	548	Afoeiklb.exe	96
PID 548 wrote to memory of 4956	548	Afoeiklb.exe	96
PID 548 wrote to memory of 4956	548	Afoeiklb.exe	96
PID 4956 wrote to memory of 1292	4956	Anfmjhmd.exe	97
PID 4956 wrote to memory of 1292	4956	Anfmjhmd.exe	97
PID 4956 wrote to memory of 1292	4956	Anfmjhmd.exe	97
PID 1292 wrote to memory of 2984	1292	Accfbokl.exe	99
PID 1292 wrote to memory of 2984	1292	Accfbokl.exe	99
PID 1292 wrote to memory of 2984	1292	Accfbokl.exe	99
PID 2984 wrote to memory of 4876	2984	Bjmnoi32.exe	100
PID 2984 wrote to memory of 4876	2984	Bjmnoi32.exe	100
PID 2984 wrote to memory of 4876	2984	Bjmnoi32.exe	100
PID 4876 wrote to memory of 4744	4876	Bmkjkd32.exe	101
PID 4876 wrote to memory of 4744	4876	Bmkjkd32.exe	101
PID 4876 wrote to memory of 4744	4876	Bmkjkd32.exe	101
PID 4744 wrote to memory of 4684	4744	Bebblb32.exe	102
PID 4744 wrote to memory of 4684	4744	Bebblb32.exe	102
PID 4744 wrote to memory of 4684	4744	Bebblb32.exe	102
PID 4684 wrote to memory of 4564	4684	Bfdodjhm.exe	103
PID 4684 wrote to memory of 4564	4684	Bfdodjhm.exe	103
PID 4684 wrote to memory of 4564	4684	Bfdodjhm.exe	103
PID 4564 wrote to memory of 3716	4564	Bchomn32.exe	104
PID 4564 wrote to memory of 3716	4564	Bchomn32.exe	104
PID 4564 wrote to memory of 3716	4564	Bchomn32.exe	104
PID 3716 wrote to memory of 1232	3716	Bnmcjg32.exe	105
PID 3716 wrote to memory of 1232	3716	Bnmcjg32.exe	105
PID 3716 wrote to memory of 1232	3716	Bnmcjg32.exe	105
PID 1232 wrote to memory of 4092	1232	Beglgani.exe	106
PID 1232 wrote to memory of 4092	1232	Beglgani.exe	106
PID 1232 wrote to memory of 4092	1232	Beglgani.exe	106
PID 4092 wrote to memory of 3976	4092	Bfhhoi32.exe	107

C:\Users\Admin\AppData\Local\Temp\dbe19a1130bccde071164cd19e631770N.exe
"C:\Users\Admin\AppData\Local\Temp\dbe19a1130bccde071164cd19e631770N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Windows\SysWOW64\Qgcbgo32.exe
  C:\Windows\system32\Qgcbgo32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4840
- - C:\Windows\SysWOW64\Anmjcieo.exe
    C:\Windows\system32\Anmjcieo.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3832
  - - C:\Windows\SysWOW64\Aqkgpedc.exe
      C:\Windows\system32\Aqkgpedc.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1084
    - - C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3548
      - C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:672
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3108
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:712
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4908
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4876
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3976
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4600
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2644
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3440
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:60
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2780
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3484
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3948
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4828
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2416
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4980
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3452
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2564
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3844
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1468
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5032
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2640
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4900
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4692
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1312
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3704
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4568
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:452
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3308
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3756
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3824
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:756
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 400
        64⤵
        Program crash
        
        PID:2748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 756 -ip 756
1⤵
PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Accfbokl.exe

Filesize
337KB

MD5
9005089ad5ffe26a82ea57ea855b48b6

SHA1
bb97e09398e4b7f1409ead7efc26ceab684920eb

SHA256
1e1057754e58b2d4a70c9afed1905db53399910280adf163d07a6c567b1bb51b

SHA512
faf45b0eb4dcb2428c4418ed435adc0c184a00c7a2a2aa9a7b82b419f51f08e4c6c7a7e6cda41ff9c8dc3997b13f786f682376713b58201c07de747b784ae634

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
337KB

MD5
c92ca4affc0fe414acff965f96701e2d

SHA1
a34e62b11997f671b844af789dc3a3c7fe23ddc3

SHA256
9478d0d75f7331f7bb3f8da3641151c72479e434ddb2efa6ad97268d4bfd6f5a

SHA512
866403b0f814f4b0709242bbd40d2192b6a20b46163591f5d55678990a41f4f1055a6cbf3b699803d14971c2700e8125b3671332e23c7015b2b4ffcea4d2ce3c

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
337KB

MD5
641f7b8db2a2468fd864a786de0b89c8

SHA1
c15c9a09a7d27745b7ab1103852d115f72574b6f

SHA256
527e4a6ef1b31cf4f88c61da3549d1f52e83985b1c87040ddafcb5abccecd283

SHA512
b214ee0eb51f0d9cabde7c0ce18f2ea80bf14854069da39ca0c697eb11c773b03fb0fd683ce169d6593bfae99290e37ccc484b5b58b895ac65bf18b444c2ce9e

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
337KB

MD5
f0eb688ea610033664d1a1675a7d734e

SHA1
77850dbc2683e55db866aebded3e4d272d2d694d

SHA256
352ecf2e40087355c0f9a6cba1564a74d5438578282126c9b6d61976d7e695c0

SHA512
bbc53c8d89787a4e68fcdfda3e1d496ba41d47603d45853504d41ee8472d396caac3f865b9f00ead90759a3e15e627c8a9cb89cf4b4a6575bc556f4a6ef4a259

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
337KB

MD5
dea948c200540cbf0035a8fb9c757d1e

SHA1
77554cf8f80f7902c0f88433dd41167006239f1d

SHA256
bf6866a0d57bffc761b6109fb31bb08485c73aca7c36bf20bfff6a79c3d21edd

SHA512
9d1ca505101a910bf63bfada8cffeefb8efc267694e21eef96ae059b69aa3f1ba67461439adaa46b3b5db639c1fdb7f79650dcf5905220dce3c1af4bbbb8b440

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
337KB

MD5
73d5d338e748e55e078f85805f450b75

SHA1
f44f665a6033f62457047796f74f72759f34ba55

SHA256
4f59f831c68889a1c76c083903360c7304ca583b8f24f365c6ca545a3f440951

SHA512
af2dec8be5f79a80a7da5f17e93761e25541202d802b45feaccc354f4fb3e7bd84ebf4afca65900568b57c76b0f0879429409b2f85d1d5cbffa460f1f2daf943

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
337KB

MD5
ea0b8c5ad1da246d8aa3147cdd8b2ad7

SHA1
4e29937d4d33d6f65f01fd6d005e933789439fa9

SHA256
16d345778e7b3922593958070427faed3a28a0f7d38cc7e59b2c01d32ff4978f

SHA512
6a60b09b7ecf28d9a6bcffad6117afe51c008eb23cf81f9cff656cd5eef940b3d7cbd4618bf0cce9662fadbd845beb077387258585f5b464adf77cb420c8d6ee

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
337KB

MD5
ef79b1ad936548aa0f6ab46f8e9843b6

SHA1
1583c72b6b9955694ae843594cfba75de2e91575

SHA256
ffcb2990ea9f960c565d7d0970aab4a2a6ab6189c539bad55dc80fa8fe9a88de

SHA512
2a72f28844aa9e45aa892f532c98689f5b0c93632a2cf01afc392e479f936c2478dcf5a6e5bb1838c3930b8a131dd2a25648aea168dd838b10f0d5ddc72579ee

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
337KB

MD5
6cb4e9a518d71049662f0eabb413dbd5

SHA1
83c536e3c7ab506693de41e130e96b74ce6f1a28

SHA256
aa80d84e9208caa3b5d827bdb4015ad960717e1f79af212dac87be8c58f8d321

SHA512
719e943e689e2a4e9770a05a90d0b6b3a9b93eafc398970d191c482d675f4485f2b85f00338ff8153f5b3becb9ea511364642007684f9fbb8fa83c2bdf9fb93f

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
337KB

MD5
0368579f7c340a750c1b522c4747f4c9

SHA1
58210288b4c5fe7d09f7f52678f70110a4caefb9

SHA256
e9653eb3639229b0f8df44de9effc04962d7f172689d4558f29a45641f345927

SHA512
7b8508e5ed8aa31f88bcfb57752ecf3e293aa58bb50f687fe05de1a2bdf5e174340446422eb19dfab7b417793ba12702743c595e7fc7eb3822e161d0f48e9261

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
337KB

MD5
6d0a3011575e871a90ef35ab6743176e

SHA1
71cfdb83e561d4ac88115eebdfe518d32284bf3f

SHA256
901e3ce88b472dcd59fd18397fd23a134c3b52a26b23ad9aef60823abd2c9f03

SHA512
b187e78e57c54a37c664971528b475e58b823980313f72e5a08da0a809dc57088f8884a360115a1b1bfdb7f54b977107523315ebb450e743b4eb6a6860b5f1c7

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
337KB

MD5
f748eff31e3b1da0cf659fb0068c770f

SHA1
b22f05a361e1bf283cc23c28ab6ba5e195024c15

SHA256
5dd9a8368ad00cbd4420eaa2660c4208b4fe2da1c838cba6a7aa0ce163028262

SHA512
0a85987b71a7ce34cd33db7b0447ae45d18224a774f6cc4aea2970d4372d892c7f7983fcf3d2913c9ab7bd6f727f8e52696166f5be5d343607cd50fdc31176e2

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
337KB

MD5
0cd936889ac3710e86d0698b2d7916a0

SHA1
2d3ecb838fa7a94bb73024d5522dde61b5e587b3

SHA256
ba999a78676413b996b51b7f5f2b69b18428dad5a7dbd281740665786665f9ae

SHA512
bf95a49b590b1b9625956ff757d0c36eb7440b6cd9b3e40abcf4e017604a8bc2f67dd60a60df978dedaa045ca118cd49b88b4a8e0ec10b8c28f91c2389f18b8f

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
337KB

MD5
a90dcb0ec82afef95bd1dc1e217e5f5c

SHA1
3c1e923ba931fcbf5d84cc425fb093ad7f450d62

SHA256
979859adcd26a4a15697c2c04c82a0bd5be5d8efe8778eeea374ead1e53abbec

SHA512
7bdbabb51834ecc2c363cc7256019ecbd786ed3c4f5aee7ba5a88526a52f2db3f556742fb397093994621209918c37e762dd968b48c66028a6ae42c5468c5c74

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
337KB

MD5
068cbb23d52bc2197059236d61916e18

SHA1
49695172782b10fa19f0c552615a4a1edbb3d0f8

SHA256
b8ab3e4a43636c568391581e59af40c49a2857479edc8a6f3b28a71cce21d780

SHA512
67d92c4c5b4723f967f9fae28300a85c8a30140af9f76179cc1c9913b7bbae4a1edc748a1e4556f20c395ab658134b0c12d25861d512449b569ef3d2230f8f22

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
337KB

MD5
352018dee783b95594e0a1195a4800e9

SHA1
6279a58abcd71943a8634545a5833017a3f03aff

SHA256
e7d66bf0ef80b3bd0ea0635bfa83466e3de4db0a968deed63ccaea00f7a70aa5

SHA512
40525d5ef20dbfa2bd125433dd5ecf909cf8b011915f913ef1320c164a44c3653319ebf4c9f9da428b1d98c69c5d958d61a446f58b59310860d66dd22b212dde

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
337KB

MD5
6fbe7cd75efaa4678af46857735c578d

SHA1
e599d354d590e2bffb0fa2104bf521f5cd394190

SHA256
5af5ca3a66bfddaff6e47d62e6e97cf0fb776beb30537a31dbaa973d80ff418f

SHA512
bf399aed07a60af61089544962ea6b22a5800998579523ed2bc0936a156804a6c78dc0a06822ad5dd55275d0346bfab1155bbc750506021826381d1d8bc4ccbe

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
337KB

MD5
8311e6caa4e5c97c7fed83368850fb46

SHA1
dcd6cfc591a064eb71a5280b51d9d31ab488b16d

SHA256
c60e19ea937f43268299883fe49a46d04ff27e7183fe2b90a994a1173cf35463

SHA512
ee10a76c1613527c88825b6b814da0476e73b174424cc239708d654584559f1f12ed95580b8fd88265d9d64658f4001f48bc60f0034ac77a49c224e6dd30a477

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
337KB

MD5
78692e58e72140f1d58652fc14a2233c

SHA1
9f4ad99e4478946b81cce30d591bb05466d20a8c

SHA256
9bbb89fd8105ba22b76a4793b2369c75fcf8d05b55cf7c81a8e89387f3e5069e

SHA512
2cee4641c67e53b3711ce5757743015b15ab15b5a5b330443f9b76cfe62df3e5915cea447c252bcfc8746c3f5a21cbf1893f6922bf460821c42e3f27da5185c6

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
337KB

MD5
fe1b856e2af4041066600f9e51838e92

SHA1
bdd249a4b4ef0b071f61bd61d80033d34f000aeb

SHA256
c7c8fb5d3d0d56d0e9c3be52adf8a1ed3aa5dbc05a91fadb19484bf65420a0a9

SHA512
2c67735d9bf5b5073c7d7cfdb55396ed77e70f6f7f1f0c8631a685bf966cb900628f28dc1c9ff862d675d6f5911c8879171cc80aff9894ea867b5a14e8c5d785

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
337KB

MD5
d6c5f105bb675244b28668c1fd3f9dc9

SHA1
20f676cf0980737ec8625e4c62a6eb7606ac132d

SHA256
bc48cd38630d52d1b4d23b834a974a0f95910edd74bb6bbabcdb238847b5794d

SHA512
6dd7faea877c8ef3481feaa02756bc446168bbfddf10e832d31a299aa98446be157605e342930698957ed05ee601e8689c2a880d08607c49e7d0e4ac2214343e

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
337KB

MD5
0190864d04b5816e56eac255e02e8a7c

SHA1
fa541489ce32b88807ec5fbfe20d75d1c8730f2a

SHA256
32e20a28e24681c466b39ad08e290a479e090d76c97dba268e490811d93b39e0

SHA512
daa902ddc74ff42c595f92293b1e3c450eb2f1de21e3fef40edeee2cb4413947b825a7595c988ada1a4b2d4d2f34986c51e729dbb3fd8613980996cd8c05b360

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
337KB

MD5
0c5b2a9a567d91a20bddf2af2d6a76fe

SHA1
6463e7f1f2ec4cb52b61cb6fec92c635ae1cdf64

SHA256
670ee34031268de74063150f0e9fccc0d6f377b509535ff74cbdb0bfa83a352e

SHA512
39b41b5e2195077c48fe96c08119bfca2838af7aa7d3621aebdba1b0f6544e2e6edf6c0d497ddfcfad7ee1f8bb1fc8fa0496b191b9566beb78dad78ae27a28c7

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
337KB

MD5
1ec53c9ca1cb6e9f248664fcf5385985

SHA1
596be202e2ce2bd8f8ef9d494272f5a7b9e761cb

SHA256
e47c9668e31cd921978aab67eda309097daae0dea779f6b68855416eccd806d4

SHA512
e3f9b090faa997b7d7a4b73dd057dc6786d860e55da20af0aa0a3bf99585b47f704b588d2c7ea7d402d1ab2b4bcfad7eea7145e7a928057cd3a9bb7acbc2872f

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
337KB

MD5
37fdd966a7218db50560bbfd72b185a3

SHA1
163420ab275a2a2e72705e1e30c74565f871c9de

SHA256
6821e15f53da7ed3fe081ab2c82dc9b49fa453e12f4b9db53f660cb29c26f477

SHA512
24a27932dd576bb47d4af36ef634f65307b6090ff24f11e9252bdf2dfa47e8f689448aa404ae117fd823dfad32bc465f83f513719cee6e324c1818c1fa45746c

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
337KB

MD5
983a537343aee6f64669bc127d7294f6

SHA1
2e6b5950e13317de84df89c8664c8dd1acae0e11

SHA256
b764ea29a42ee0ae5da8320caa70e67af7797ad49bc85228f3f613ae500e7b5b

SHA512
03c3c9e53829f238623dce2cb2a76eb6452b650ebae9fe2bf2f0f94ac96625277646aa1145df3db2eb35c87590f63f6b9bf8bb1f4797b9c1314469d346e977fd

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
337KB

MD5
fe4ac678e44ee0b9ac62b6c973cbaa1e

SHA1
d21b1039b3dd80e46904e0a1662b66acf22cc2f8

SHA256
1ac849ec4c26bd15945800a93f1b3f5d4ec739aa00da27e6f42b4b4b1cec6409

SHA512
25922397f263cca94b22aed0848417334f8b34ccd6058a362a2f40b7207bc0a84deb14e90ff9a5fbc42f07a79b37d3dd065e5dc1b8cd306ce8f44762db999cbf

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
337KB

MD5
9f55e15b7aed9878cd73b2f73203c8e2

SHA1
72d20ceb693aff86d756a0b0deb7235a1bb24bbc

SHA256
2f44d21edd0a39ec9b1b66c03c36210818cee6f9fa05d08563bbb80aa1620596

SHA512
5a6aba5aca0cef16b0ebc04cf460fd5528cfb4dc8f6e154fbe49b10c255cb698b6c7ea36888d444f0d8762c4e0973ce1b8a2ded8b974e36f2ea77a9915bf1677

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
337KB

MD5
8841c583ae45890e2291aded7c146295

SHA1
e626a38b4af6013ee2f78717099af386ac744321

SHA256
bfcb9129dff1abee93c190e9181d4847bf9b2522831fb5693b44a2201e3fe2d8

SHA512
c5f9965553353cfca8b51d41d1ec1403e6ec0ffb8199bf04ad9ee9f604c97ebd3f5b44542cb13200a445c4b1953c74f42ec2bf5fb14ba6ed1bbc7e537bfd7aa4

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
337KB

MD5
28f5842321da846b135bcdcd1dbfc95f

SHA1
0a2a5f363363b7a7918e3f24bcd4e3c85565550d

SHA256
c60e46ca6c51c967d850a8131d380627b9da6755a033a360f5ee83a65a3f481b

SHA512
6027af47289347292b6e530a51b2ff282c97e175be0ce7954a408afd4be3a75f69b15e85c33e44809328ec139fe27c3da0795319fa80e5ec376c003ca5607fc2

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
337KB

MD5
6b214dc4b72b0aae18dfef76bed45f96

SHA1
da4fb713af6e0a3208f07cffa6711803aa3725b0

SHA256
73dac19b8eb33d26e4d5f107b6e25c7537dd7851a1e4e2cd8c6215fe4922d7ab

SHA512
749537f2a5276e8be3c59aae8e4b2e4832657c74cf4f7c867e2ec6a6282bd2c57c27647cfda4f05e2f7c619a23499845e38bad36860161dde50fd8a420ae826d

Download Submit
C:\Windows\SysWOW64\Djgjlelk.exe

Filesize
337KB

MD5
88c6446648bfbdd6fa10ca885cc349ae

SHA1
e5a192f193580432bb1d45175a4fac6a3b526e88

SHA256
d46fab1458d2f5273cd96a5393455fa0df08b3831ae4c5ebfb9f2a7d7baf7173

SHA512
901db47b0f030007c9055f024d71c203e8c6408a1758fddfc01f4da0d62b174bf723c7e8ac5f50140b983205722c2c3c9447b9597da5165887302ab70eb0d0b3

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
337KB

MD5
666b3729c1e9aa32afde7244424909e2

SHA1
15b865001c7e0ce07afa3daa28842212a87ae72a

SHA256
d7aa5de96ccf8a27c07420c706210ddd1829178dca78971189afc6def973cf81

SHA512
08ecc87dc546f8b503cf8b22dd5ece8db1c570b0d3b880f2d4e56095bad8641b9eccfe65e0e92929b0090ef439151558786e54613d49e0230b83c21570b115cf

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
337KB

MD5
c7490334ff29355396f34025faf5a13b

SHA1
48ecaac1eb189b244a1f1371c471dfb94ca2f783

SHA256
a5b8643ce263a50a928234f4a50a264fca0074b85d5af4df36ed48edad43027d

SHA512
037f97e576dd56b201c56920898941a70b1162d8ef9a07bdcb3fb5bbc56da52294d12d8486c9d53911e16d68c7d53f99434c53c2ed5399ce0194a14db99ad04a

Download Submit
memory/60-499-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/60-209-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/452-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/452-459-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/548-88-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/672-49-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/712-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/756-439-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/756-437-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1084-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1232-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1232-511-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1292-110-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1312-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1312-359-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-305-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1468-482-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-353-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1484-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1500-216-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1500-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1588-341-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1588-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1748-455-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1952-395-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1952-453-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2172-475-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2172-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2416-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2540-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2564-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2640-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2640-317-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2644-192-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2780-230-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2984-112-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3108-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3216-261-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-383-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3308-457-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3440-501-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3440-200-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3452-285-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3476-441-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3476-431-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3484-238-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3548-32-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3704-463-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3704-365-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3708-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3716-513-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3716-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3756-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3756-447-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3824-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3824-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3832-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3844-297-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3948-493-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3948-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3976-507-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3976-176-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4092-509-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4092-168-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4192-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4192-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-445-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4400-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-451-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-401-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4568-461-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4568-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4580-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4600-505-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4600-184-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4684-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4692-469-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4692-347-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4744-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4808-335-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4808-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-254-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4840-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4856-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4876-125-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4900-477-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4900-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4908-80-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4944-449-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4944-407-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4956-96-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4980-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5032-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads