cdc8ee21d93ae0fe76d2c612f5454f481da05d8c156f22f57399d243bd441cbc

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-09-2024 02:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ff9c487e5fe35eeda761b644bdea5f0N.exe
Size

79KB
MD5

3ff9c487e5fe35eeda761b644bdea5f0
SHA1

c7417a858d0a33e6291d758b17142ffb8a4f7124
SHA256

cdc8ee21d93ae0fe76d2c612f5454f481da05d8c156f22f57399d243bd441cbc
SHA512

77a58ecb7a775ae223ff4174f02e67e9c3de93fd7f82d9c05141a1f05af4d96813aa83995e725b2a370175813c55c5a6867705f44c8a26f8fd86b640b3fec913
SSDEEP

1536:lOObDEDa7DlJzQ6iUEAiFkSIgiItKq9v6Ds:lPvh7DDzQ6iUEAixtBtKq9vn

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqkgpedc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chagok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe

Executes dropped EXE 63 IoCs

pid	Process
3012	Qddfkd32.exe
3436	Qffbbldm.exe
3216	Aqkgpedc.exe
4800	Acjclpcf.exe
2524	Afhohlbj.exe
3048	Aqncedbp.exe
628	Afjlnk32.exe
1724	Anadoi32.exe
3152	Aqppkd32.exe
4092	Agjhgngj.exe
468	Ajhddjfn.exe
1656	Amgapeea.exe
4104	Acqimo32.exe
3944	Anfmjhmd.exe
4196	Aepefb32.exe
4152	Bfabnjjp.exe
1532	Bmkjkd32.exe
4752	Bebblb32.exe
3204	Bjokdipf.exe
3168	Beeoaapl.exe
2268	Bffkij32.exe
3504	Bnmcjg32.exe
4576	Beglgani.exe
4296	Bgehcmmm.exe
4604	Bnpppgdj.exe
1076	Banllbdn.exe
3732	Bnbmefbg.exe
3948	Belebq32.exe
1708	Chjaol32.exe
3032	Cndikf32.exe
3848	Cmgjgcgo.exe
540	Cdabcm32.exe
640	Cjkjpgfi.exe
2956	Caebma32.exe
5012	Ceqnmpfo.exe
1940	Cdcoim32.exe
4220	Chokikeb.exe
2132	Cfbkeh32.exe
2028	Cnicfe32.exe
5048	Ceckcp32.exe
5112	Chagok32.exe
1648	Cfdhkhjj.exe
548	Cmnpgb32.exe
3560	Ceehho32.exe
116	Chcddk32.exe
4480	Cjbpaf32.exe
1108	Cmqmma32.exe
2040	Cegdnopg.exe
5064	Dfiafg32.exe
4676	Dopigd32.exe
892	Dmcibama.exe
4496	Ddmaok32.exe
4612	Dfknkg32.exe
4112	Delnin32.exe
3224	Dfnjafap.exe
1824	Dodbbdbb.exe
1060	Daconoae.exe
4440	Dfpgffpm.exe
4848	Dogogcpo.exe
4608	Daekdooc.exe
1808	Dddhpjof.exe
4908	Dgbdlf32.exe
1924	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Bmkjkd32.exe	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Chokikeb.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Qddfkd32.exe	3ff9c487e5fe35eeda761b644bdea5f0N.exe
File created	C:\Windows\SysWOW64\Ehfnmfki.dll	Qffbbldm.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qddfkd32.exe
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Afjlnk32.exe	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Ceehho32.exe
File created	C:\Windows\SysWOW64\Hjfgfh32.dll	3ff9c487e5fe35eeda761b644bdea5f0N.exe
File created	C:\Windows\SysWOW64\Aqncedbp.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Aepefb32.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Kmdjdl32.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Acjclpcf.exe	Aqkgpedc.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Chagok32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Daconoae.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bebblb32.exe
File created	C:\Windows\SysWOW64\Bfabnjjp.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Bffkij32.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Afjlnk32.exe	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Bfabnjjp.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Dmcibama.exe
File created	C:\Windows\SysWOW64\Afhohlbj.exe	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Dgbdlf32.exe	Dddhpjof.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
840	1924	WerFault.exe	149

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3ff9c487e5fe35eeda761b644bdea5f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqkgpedc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qddfkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amgapeea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogflbdn.dll"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfghpl32.dll"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmoom32.dll"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkejdahi.dll"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhicommo.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	3ff9c487e5fe35eeda761b644bdea5f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqkgpedc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Afjlnk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifnachf.dll"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfgfh32.dll"	3ff9c487e5fe35eeda761b644bdea5f0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggmg32.dll"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cndikf32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4360 wrote to memory of 3012	4360	3ff9c487e5fe35eeda761b644bdea5f0N.exe	83
PID 4360 wrote to memory of 3012	4360	3ff9c487e5fe35eeda761b644bdea5f0N.exe	83
PID 4360 wrote to memory of 3012	4360	3ff9c487e5fe35eeda761b644bdea5f0N.exe	83
PID 3012 wrote to memory of 3436	3012	Qddfkd32.exe	84
PID 3012 wrote to memory of 3436	3012	Qddfkd32.exe	84
PID 3012 wrote to memory of 3436	3012	Qddfkd32.exe	84
PID 3436 wrote to memory of 3216	3436	Qffbbldm.exe	85
PID 3436 wrote to memory of 3216	3436	Qffbbldm.exe	85
PID 3436 wrote to memory of 3216	3436	Qffbbldm.exe	85
PID 3216 wrote to memory of 4800	3216	Aqkgpedc.exe	86
PID 3216 wrote to memory of 4800	3216	Aqkgpedc.exe	86
PID 3216 wrote to memory of 4800	3216	Aqkgpedc.exe	86
PID 4800 wrote to memory of 2524	4800	Acjclpcf.exe	87
PID 4800 wrote to memory of 2524	4800	Acjclpcf.exe	87
PID 4800 wrote to memory of 2524	4800	Acjclpcf.exe	87
PID 2524 wrote to memory of 3048	2524	Afhohlbj.exe	88
PID 2524 wrote to memory of 3048	2524	Afhohlbj.exe	88
PID 2524 wrote to memory of 3048	2524	Afhohlbj.exe	88
PID 3048 wrote to memory of 628	3048	Aqncedbp.exe	89
PID 3048 wrote to memory of 628	3048	Aqncedbp.exe	89
PID 3048 wrote to memory of 628	3048	Aqncedbp.exe	89
PID 628 wrote to memory of 1724	628	Afjlnk32.exe	90
PID 628 wrote to memory of 1724	628	Afjlnk32.exe	90
PID 628 wrote to memory of 1724	628	Afjlnk32.exe	90
PID 1724 wrote to memory of 3152	1724	Anadoi32.exe	92
PID 1724 wrote to memory of 3152	1724	Anadoi32.exe	92
PID 1724 wrote to memory of 3152	1724	Anadoi32.exe	92
PID 3152 wrote to memory of 4092	3152	Aqppkd32.exe	93
PID 3152 wrote to memory of 4092	3152	Aqppkd32.exe	93
PID 3152 wrote to memory of 4092	3152	Aqppkd32.exe	93
PID 4092 wrote to memory of 468	4092	Agjhgngj.exe	94
PID 4092 wrote to memory of 468	4092	Agjhgngj.exe	94
PID 4092 wrote to memory of 468	4092	Agjhgngj.exe	94
PID 468 wrote to memory of 1656	468	Ajhddjfn.exe	95
PID 468 wrote to memory of 1656	468	Ajhddjfn.exe	95
PID 468 wrote to memory of 1656	468	Ajhddjfn.exe	95
PID 1656 wrote to memory of 4104	1656	Amgapeea.exe	96
PID 1656 wrote to memory of 4104	1656	Amgapeea.exe	96
PID 1656 wrote to memory of 4104	1656	Amgapeea.exe	96
PID 4104 wrote to memory of 3944	4104	Acqimo32.exe	97
PID 4104 wrote to memory of 3944	4104	Acqimo32.exe	97
PID 4104 wrote to memory of 3944	4104	Acqimo32.exe	97
PID 3944 wrote to memory of 4196	3944	Anfmjhmd.exe	99
PID 3944 wrote to memory of 4196	3944	Anfmjhmd.exe	99
PID 3944 wrote to memory of 4196	3944	Anfmjhmd.exe	99
PID 4196 wrote to memory of 4152	4196	Aepefb32.exe	100
PID 4196 wrote to memory of 4152	4196	Aepefb32.exe	100
PID 4196 wrote to memory of 4152	4196	Aepefb32.exe	100
PID 4152 wrote to memory of 1532	4152	Bfabnjjp.exe	101
PID 4152 wrote to memory of 1532	4152	Bfabnjjp.exe	101
PID 4152 wrote to memory of 1532	4152	Bfabnjjp.exe	101
PID 1532 wrote to memory of 4752	1532	Bmkjkd32.exe	102
PID 1532 wrote to memory of 4752	1532	Bmkjkd32.exe	102
PID 1532 wrote to memory of 4752	1532	Bmkjkd32.exe	102
PID 4752 wrote to memory of 3204	4752	Bebblb32.exe	103
PID 4752 wrote to memory of 3204	4752	Bebblb32.exe	103
PID 4752 wrote to memory of 3204	4752	Bebblb32.exe	103
PID 3204 wrote to memory of 3168	3204	Bjokdipf.exe	105
PID 3204 wrote to memory of 3168	3204	Bjokdipf.exe	105
PID 3204 wrote to memory of 3168	3204	Bjokdipf.exe	105
PID 3168 wrote to memory of 2268	3168	Beeoaapl.exe	106
PID 3168 wrote to memory of 2268	3168	Beeoaapl.exe	106
PID 3168 wrote to memory of 2268	3168	Beeoaapl.exe	106
PID 2268 wrote to memory of 3504	2268	Bffkij32.exe	107

C:\Users\Admin\AppData\Local\Temp\3ff9c487e5fe35eeda761b644bdea5f0N.exe
"C:\Users\Admin\AppData\Local\Temp\3ff9c487e5fe35eeda761b644bdea5f0N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4360
- C:\Windows\SysWOW64\Qddfkd32.exe
  C:\Windows\system32\Qddfkd32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Windows\SysWOW64\Qffbbldm.exe
    C:\Windows\system32\Qffbbldm.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3436
  - - C:\Windows\SysWOW64\Aqkgpedc.exe
      C:\Windows\system32\Aqkgpedc.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3216
    - - C:\Windows\SysWOW64\Acjclpcf.exe
        
        C:\Windows\system32\Acjclpcf.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4800
      - C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3152
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3944
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4152
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3204
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3504
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4576
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        25⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4296
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3732
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3948
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1708
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3848
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:640
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2956
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2132
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2028
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3560
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4676
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:892
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4112
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3224
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1824
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4848
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4608
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4908
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 212
        66⤵
        Program crash
        
        PID:840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1924 -ip 1924
1⤵
PID:3136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
79KB

MD5
fab19ab932c499037efa229fe04a3243

SHA1
12e323b3174276dc361655b43a53834772d76c5a

SHA256
c93a82f4fa5bd58d2b36151e962b6dae4b95817dcd10fcbdb4b8a0b4a00d95cf

SHA512
c58a75fe8bb6a340cea2494baf80d786be30b9f4ec57768ede1e1219a3a7cc11faf9ae1e87e7726a17b532dd2c2dba17082a94e27cfe0b1870cd6b8dbdb7cb02

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
79KB

MD5
9da9403d3b599d8a8e168c472725d602

SHA1
51c01246ea9b73a73a305a39ee9336233303a11a

SHA256
f4d6ed0117157334c30508bfed7395923ba3574ae41bb3fca508e3a54ff45abd

SHA512
143fff60063335696d5561b19f226dd38c5fb6a6ba55ed87e59bd4392cfde076f8e03ffd3f680322eb3e42006e635957e4ab37105f6638dc183b656f9168bd73

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
79KB

MD5
51ecfd4d535d3e6b585465b1127089ef

SHA1
0f6b1118d3c875eeabcb0faa6d11f8fcf1126220

SHA256
4c2d332d31997409958b515e77346e2c5ecf8480243137ccf59ff5c83c7c15a3

SHA512
b533aa017b8c2c724d498c79ba698ee24b34f6415ef20549a3d32185ea70ead90606de54680890f1061d44993471b6799e74d58533a727e711fe68177da5b88f

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
79KB

MD5
4f5b71d6e88c76b983bb02538c7938a5

SHA1
df70b7da857600474a8d0a7a65242196de2e63fe

SHA256
3a01ba825b75bc612001d9595a896dd61fc11898a0e078aba8648b2f630413ff

SHA512
7e4c99855f1aaf9eb68415abb924d7c68d58ed7a33ba92db912f85301616cf47f1ccf6bc94650cf8446475e10b22a5970a36d8a4c6b807b70aef2e27e32f1f2d

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
79KB

MD5
4b4e2ef77fca23b8c27fa32f8b7fd030

SHA1
bf206d889c3710ecd965244cb24991935e0fb8d0

SHA256
194da70d7e5c485cc063e995076c7693d38c5de649977e6fcd60a2280087befb

SHA512
797e270f52128e6d4e7190bdac98d5e6d7bf8bdd1fb9f1ec093717d550bc1f7db5a48c2a6be1569b85cd61b133ff908547982e3deb1441ba4fbefec978870d55

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
79KB

MD5
1d185a82a4e37f4308143d594cdf6034

SHA1
d862e3c87b75104a93b3380d6f1244685f67282a

SHA256
4d6765ac477444e41d6797bc5a8ecbe15d3a04f11b8531627a3db41e476cb902

SHA512
4bf7023d5be02e73f872965bad405f8e02f43f52cb999dcf9715dade2f0e650c38171d6a54e8a869cdac5e560d19066713bdfc9f25b8519f97e8e579120be2f5

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
79KB

MD5
5ed21d847a60717c6e2d37112ac5c719

SHA1
18a9240692bea3507f36ee08b781232ea082d128

SHA256
be9cd4b9e326b27db64c5615188fe80fd35ffd079916ff40a0eab110f60e45f2

SHA512
40c7ecb738f6ff1e02f42c0184fe8373d43bf6b64017bcc9c1e2ec59426d4a3ea8b656734a69dec0209aaa6a6a2868d8b45c2313f90d43948b672c3a4637d216

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
79KB

MD5
3aa80acdbc874593f0954940ff8d6cb6

SHA1
2a6c7081d7ea14cd77b89e4a2c984be0a28a9301

SHA256
8186f1a833bc21880eed26f6c5f860a8b283a14249a72eae8d4d9cbdf7136ae7

SHA512
2f3101b0dc72d402416d74288d97c69cec2be31f991ff87fc7b9309ce0fe0ccfb846beb7ffa9e628b6315018b6742e67b61f3883327869268fd0acb4db2e3c3e

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
79KB

MD5
25186a6525c05105d096f432ccce7967

SHA1
b2ac3ca3977630112d93a978e3108ee9ea2af74e

SHA256
f6701d14f1e5ecbfce117ae8570f65a2d192e2cd93939727dee55628f784c0b9

SHA512
66a0126970da33953cd75a8733a318d919e1e97980365146b4138d5ecb18b7f4b5706e630667508ca5cec4fda596b79bb570882fdca295e0493bbe1ed8d7d346

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
79KB

MD5
815a5e823e94b1a0d0d14eac2575fc58

SHA1
5dd7b2a8dc13029d9a978f2e29e744af2bf6c422

SHA256
f08eaa65a66f06d3c4d84065c5530d3584d81548f85f5444661cc15d3fd18d5b

SHA512
8f8b589d3008a7530178e6ef305abef0470f9dcfb406790214a1d3a55f228970d228601a6361168e6c508335958af1968c451b5d7543711ae92846b1a4002be2

Download Submit
C:\Windows\SysWOW64\Aqkgpedc.exe

Filesize
79KB

MD5
f5e1c63809eaa8d4cefa7e8748d92de0

SHA1
bd20e6899cf1429ed6bdb65e546a96434f31f8dd

SHA256
c58fc82bc027e401d42929104175c2c0f62b39155d59b46413655e822cd59c53

SHA512
ca3335311a6ede4d4fe3c6287b97b01bd1cf403bf7b420dc9dc5f1e8a78b8f950274bb90a4fd74bd1bba0d093a4dd93aec8f2d05d20f9aea94724504546d2354

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
79KB

MD5
b673cebb530bb8dc7a9b27479c93af3f

SHA1
c167976a1434235ce4b3bf12b9c57171b16418e5

SHA256
673ec41f5a889adb87d690db31eec07efe02611312caa46ea14784540c8e11dc

SHA512
bdc61278ba4d2de207f7143799e940f93c3887ce8f09b84bdf003ef4c46d2c374a5a1776ac59605955f6b8811f02f24bcea5bf7c09f2177258d293f62e0d96d8

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
79KB

MD5
bbd93118784bbed44590d4aeab787f2f

SHA1
73c0daa2a86a445c48b10780becc46645bbbd2a4

SHA256
470d76c3c492440521b755e37ea3f771a3446264972bf0ca746a868d9e70692a

SHA512
f05475ba7b0a46ab737dce86eb884d25e0369ecc5d5cb0150e4ea04aa0b7524eca5193d16dd6abcb5e458cc370206acefc8e2a33b93fd652ba3ff392d629aaec

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
79KB

MD5
c60076497991e950d75c64c37333acd3

SHA1
0a9eda5cdf50388b59a1856e57401fd8240883db

SHA256
07cd63847d172439b8e85a2b804c611c3dfcc67a6f578a68f0a87edb24be6d8c

SHA512
c0daea79bfb2f007bee73f3f0b23d4de7e4b0c6045efe821c7eebf579a1e4f69050f3cd76491905818b0ce05fb5ddc9ae111e71517502449bd78ca1ff88ab0fb

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
79KB

MD5
db2efa86b1db8d6c2739a3d5a5a8c82d

SHA1
aba724b8b05a4929de6178140ad03d8093d7eaf3

SHA256
0e525ed98b2362598d7facfa834cb29fbdb992db444191a8cbdb63b8f94c51fc

SHA512
28078b19180cda927f94d1e611ceeda048b60485b8f85aeabe67d320b692ba83fe7adf260ccf1e2d16f097f6584cbf4e18c5b6c26faf59b4898805a39bd3c904

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
79KB

MD5
8f5d8bfe9ce4056c09a1537b93cef772

SHA1
6484a52a455c3a24a1d76046974fd316439957d2

SHA256
bffc1d0bbd3be1c52fb2dc984e55761d248968244429a56f1c4765afae948a37

SHA512
d104a550bc630c952739a83b923aa18d9d815b8b653bf6d6c8cbc1c471aff3bea5f857ca129885d4ca83b0a83f4b477a1028a770f124bdb3f486f7f1e3d8fbf8

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
79KB

MD5
86d1551af15c3cab91f2fe37e7f9d412

SHA1
82576a5af059fbd01e5f6a0d4689ad971441e0bf

SHA256
007f3edeaeb9efc686a45f5c219a2a167e991713f2fb1935a98db3ee22016fb4

SHA512
fb304be2f447eda1b9d17fa5bee990f8ab25f55bbb8a076c3495d15b8a2451112db6476825dbf98423f72c3470f63f67e19178019fe523a4cddf9d520cb1004a

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
79KB

MD5
a5b0395e1edbe6784041e89ea905b0a4

SHA1
2fc582f87109159af17a712b5c5d926ddcdd7054

SHA256
6ce5c1f8b84ce44202a7634ecc38483cd74c22c277558cee22b8bebfae838063

SHA512
04237ae1481aa955e96dc3073eb6b3738972d153c41d3179d3e0c7add14b9c760cab36648bfcec6f5c3dc016fad5b126730f3de0df14eab74e63024de9f18ce7

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
79KB

MD5
28853e618ab5b6b5fd3c9bab7c7283ab

SHA1
81f1c4eba81f4d9ac8b383d736440bd721be87e4

SHA256
d23cddb8f74936084586acca788fe8d2a4f52728e4cc8c6c7c54afbd87c9035b

SHA512
8e7ee8b721bbc83ab50b178ea473991c18f43df78efd10ff45f9b73ff62dbd752037236054b81a9dab4b7499791bbdc23bc99abb2f35142c880f8121788aeecb

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
79KB

MD5
292dcda4be2d8c665338ca8b68e5d3b7

SHA1
7178acd8ca48968a4e755a5a451ed922f1d58542

SHA256
639eadbe261931ef841c1ebe812c3666493afb745fd0801cfd45ec801d509ec7

SHA512
f9cda0616c9560e2d7cfa6d25da4406cae6fce9b4726f4e931a3ae3a896032897b38a28e6d6c9e5d598e5a2d8137be57fb951101dc86392ff2a1f13c3ff28641

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
79KB

MD5
b8062a81fd7aab2c2b5197540eba1f42

SHA1
80cd25d11fc9bd7e66777f684af4d9a8179835bd

SHA256
fe66a2250a51b273f900de78efc53361151f24f37a9399cf48bea2e8b6534ac7

SHA512
f9617a8fc749e8007b17daf35d70a6ae43c37a83e1db0c3ab22f1ae67656813003de103d1467762faded2cdac7844616a355a58d332b043e833fdcf1fdbf2f51

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
79KB

MD5
dd3f0ddfbae541c6ce8af38a23bd3115

SHA1
f3ccd7ff8b07803be1629c8211ce7941bddd1b75

SHA256
9449c0d0ed0c14ed38952299ed2ef0a23f42decd960e9634d58db956276a6b7b

SHA512
d01fa46ed54db9539254db0535aa9816f139c1fe293d9429a552c977292fabcb796fc55c028d465e0b44778083e5e612e8a22d0ac53c9dd764ff7b38ed53ab69

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
79KB

MD5
f4c2a75a1dda6e70ec09967a59a4775c

SHA1
82547333f1889865f49492b460105bac08e95962

SHA256
77989b07f49013ea2059f2494be26abe8a35252dea12421ff14aa5e10abc1679

SHA512
6a94aa9a3697da0b39cda1d5817af8d55af74da08a5bc3f25e721c4acfc43a2619eba9a649bc37d11fd53318c42511c3b8777cda98d5fcaf82e8ede201b6098a

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
79KB

MD5
e292aba80ebbc8ccc2ce9473a4204597

SHA1
e025385561780cf17396498fe4a003153702be86

SHA256
fabd84a4f568398a82170592af20b6145d03156819cf494da75f2e35e7adec1d

SHA512
d67440f4e4d89035b8094762bf1935b148759cd06148ce96025699c8be40728e00ce10f1a149476073e0afe8c9bcac379a461893cb455e36697b391244dd88bb

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
79KB

MD5
8c013b5f4fa371b92ed3997b9ffc11c9

SHA1
08dc9152f8f341e78d3a26b5ce6027fa15b5201e

SHA256
50d34e64851101ea9a121c48baae42882411d59e6f959221cf2e2b8db77b88a3

SHA512
ef10abded8b33e00c49226af5c5b830503d8030f10b28dacb574d0bc6f93305184ef8abe0070465010565f2d8a5df7fd16204bde1980ff8a9e748253d10c9372

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
79KB

MD5
342e17ff38b25a72dc210107a98c3b0a

SHA1
117f2fa3155951107f5a47d77ebc932c498d1ee2

SHA256
bea628e45298284d57ba84f59430b4c87223332e494809f79bdfcad01ecf32c2

SHA512
a37430db097ca6e9502c33b8b5510ac5e7296ad80b3155ff6fd942bb7f35fde71d47b51bd78ac65352e6d7570425e163bb3bc685eea44b9c648bff6ddc86f975

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
79KB

MD5
701d857c0dae2994752ebbbcd550263a

SHA1
fbfb79bf29d1a6a687847480493a5ed8561e4f0a

SHA256
9cdbf8ef2d667dc4199428d277d1d4a1751fa8e980e6ad14a9cc0d7aa0821fdd

SHA512
0b4609d97ad60e751c05c9068febedabbfdf04eb9ff898677d0179b3cdf9cf5413c4fd64cd4432ae2986f7863047f836b31210454b256c1978491ccc0925d73d

Download Submit
C:\Windows\SysWOW64\Chcddk32.exe

Filesize
79KB

MD5
802a1772660a13b0b52fc9d7dc76e7e9

SHA1
5fe1e1d3ae95efb519e5d8d90af4008924d83d97

SHA256
06f3c144891ec8f6c33d5838c27604989a0ab3fe942e124a7efefccdb51e4339

SHA512
f271c9f6d0f106593aacb87448aa6b40c2b5d10605f65631a696a8d1831cbaf8fc92d6a6afaf2a6224a58c6c1de15cdd8ef00d42a81fbe336c549dad2664ba89

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
79KB

MD5
4522a7f06ad058efe9a7c4d305577292

SHA1
c0db52f01f7225132760272a6163cc7dc866db58

SHA256
c3102f564a2ce3f8dccd9b26468bdec86a5fda517b714a711c225e49a0e06bda

SHA512
be9dc1c02dd6c6ecb64f7e9a4f7de72f973ca89c323f44935a52b9566dca85535511d65d897ce39e19251653a314a82202ca363f91f5f210082bb30ec45c8dc6

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
79KB

MD5
644649e1d98195e936c9064daacf0be7

SHA1
54dccb8377527c0a5ef43f2d49d046306695562f

SHA256
0f47c5053f542e336e6d7f6c54f903714c766027fa765a4014bc02ec228ec5eb

SHA512
cd904ef1b6b5645dfbda44d0847a15c68f46ab5783583a6013d00b5bb9d2e9c4303c0ea45cdf2eca6ba309f87f3b795a520574aebe93ee88a6c64d3376618137

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
79KB

MD5
332b15899e29ce40e6008a43f2399afb

SHA1
c26fddee1b8632f2bcc40cead5400e342cc79da8

SHA256
b2bd2861514c21975947223866ef6d30221e408e21a74c6b7db28cadc2476eac

SHA512
cfa46a7b58b5178791aa33f361712abc62c6498607cf803ab623dd6e474bcf5d7a8d3a5c9256885083a15b4cc491ba2718faa3289b8b031934a102518814a0b6

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
79KB

MD5
3e3b10897939679b9c80366b9a4c6e61

SHA1
564288ad207a0a3ae8045ca4c75f2ea4b4d76be8

SHA256
23ab9b01681a247e0d5bace5e79205f73f605b4b7ff23fd08dc66754dd6c60bd

SHA512
b3680dd68f2f907598546713cca0f6333c60227407144b525c009c3765f20ef979bc0b843d98e4064e07cacf23be02766f9f41725309e07112ee3741d01e42bd

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
79KB

MD5
ca309965006d26224c5d3e4175fd56d3

SHA1
57b762cc809fe27798165ef4bc28c71ae828f528

SHA256
d0935015304d26e407ee3cb7ea58aadfb000a631123937794a32fb162d97f0e1

SHA512
b9249d8cc7e2cad69aae29e4d3f9dfdded8ba064f8a756427fda325a5b72fb02379550058d816530dc51b334364a974644898067f76e9e5a1393a89d7ee951cb

Download Submit
C:\Windows\SysWOW64\Qddfkd32.exe

Filesize
79KB

MD5
09655bb4173ddd398d579ac2c811a9a1

SHA1
594cb282dff74e71b9d4aec3dbc18bc495b4b928

SHA256
85384d27ace3783d0214f8d424b9ca60e14a18e92d75fc949c3401bdd9316547

SHA512
60f681c014fd4a16801c51a5f834d8711ca01fcf12d9ab0a17f4be83b5218f6b3e259f5eac944e1e2880e4df4691317224cc18d44184e0480febae25bf135073

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
79KB

MD5
78359fbc4e0d0edfbde1280dd5885acd

SHA1
23e8491f9967f869fc9e18904cf83e73204b7e46

SHA256
9eaebf5b1e4b62b0be7ffab19bc5019365c50620b70b4dcb67006a8efcb435bd

SHA512
779a7c4191d3d385803f998fbef066f4890c690c75ce7d63be3f91682e7e6864d2f0d9c1f9dbc8b329552535643cddabb37af13438d253597196b320c6ae77b2

Download Submit
memory/116-464-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/116-335-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/468-89-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/540-256-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/548-466-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/548-323-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/628-56-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/640-263-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/892-371-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/892-458-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1060-451-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1060-408-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1076-209-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1108-347-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1108-462-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1532-136-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1648-467-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1648-317-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1656-96-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1708-232-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1724-65-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1808-447-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1808-432-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1824-402-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1824-452-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1924-445-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1924-444-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1940-473-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1940-281-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2028-299-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2028-470-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2040-353-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2040-461-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2056-455-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2056-384-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2132-471-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2132-293-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2268-168-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2524-41-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2956-269-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3012-9-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3032-245-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3048-49-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3152-72-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3168-160-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3204-152-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3216-24-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3224-453-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3224-396-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3436-16-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3504-176-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3560-465-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3560-329-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3732-217-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3848-253-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3944-112-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3948-229-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4092-85-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4104-104-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4112-390-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4112-454-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4152-128-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4196-120-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4220-287-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4220-472-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4296-196-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4360-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4360-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/4440-450-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4440-414-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4480-341-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4480-463-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4496-457-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4496-377-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4576-184-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4604-201-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4608-448-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4608-426-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4612-383-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4612-456-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4676-365-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4676-459-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4752-144-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4800-33-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4848-449-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4848-420-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4908-446-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4908-438-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5012-275-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5012-474-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5048-469-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5048-305-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5064-460-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5064-359-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5112-468-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/5112-311-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads