5523d982fcbffe882757f37df92fb546680c3d750caabc5c9d8ac31ad0bb596e

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2024, 21:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5523d982fcbffe882757f37df92fb546680c3d750caabc5c9d8ac31ad0bb596e.exe
Size

256KB
MD5

b5f217630f9acc3bf634757413c306c8
SHA1

8b4f37c39c36249196f2909e0d06aecb91de33fb
SHA256

5523d982fcbffe882757f37df92fb546680c3d750caabc5c9d8ac31ad0bb596e
SHA512

6f8fc91a68bb67ba5fe75b0c249f6e7b8ea32c4dfe269be2ff1d4c6519f23040563f01bbc183e7592c02d72528a8d1b21d939818d5d51c3f8ad1ce0d9aaa40ea
SSDEEP

3072:IU+dvQUnxGN2q9ESTWqAhELy1MTT6e5f7N+Awrogsw+STWqAhELy1MTT6e5fAKka:IUO9H4ESTYaT15f7o+STYaT15fAK8yL

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daekdooc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	5523d982fcbffe882757f37df92fb546680c3d750caabc5c9d8ac31ad0bb596e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qcgffqei.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	5523d982fcbffe882757f37df92fb546680c3d750caabc5c9d8ac31ad0bb596e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmpcfdmg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ampkof32.exe

Executes dropped EXE 57 IoCs

pid	Process
3656	Qjoankoi.exe
2748	Qmmnjfnl.exe
4828	Qcgffqei.exe
4476	Ajanck32.exe
1080	Ampkof32.exe
808	Ajckij32.exe
1412	Aqncedbp.exe
3588	Aclpap32.exe
4572	Anadoi32.exe
2628	Agjhgngj.exe
5092	Afmhck32.exe
4788	Amgapeea.exe
4676	Aeniabfd.exe
1672	Ajkaii32.exe
2344	Aadifclh.exe
3472	Aepefb32.exe
4280	Bfabnjjp.exe
3156	Bebblb32.exe
3084	Bganhm32.exe
3676	Bmngqdpj.exe
2336	Beeoaapl.exe
3748	Bffkij32.exe
968	Bjagjhnc.exe
4936	Bmpcfdmg.exe
1572	Bmbplc32.exe
2256	Beihma32.exe
4332	Bhhdil32.exe
1904	Bfkedibe.exe
916	Belebq32.exe
2608	Chjaol32.exe
2200	Cmgjgcgo.exe
1888	Chmndlge.exe
3356	Cjkjpgfi.exe
3544	Cmiflbel.exe
1500	Ceqnmpfo.exe
3668	Cdcoim32.exe
3364	Cfbkeh32.exe
3584	Cnicfe32.exe
4468	Cagobalc.exe
1172	Cdfkolkf.exe
3144	Cfdhkhjj.exe
4248	Cmnpgb32.exe
4600	Cajlhqjp.exe
4460	Ceehho32.exe
3476	Cffdpghg.exe
728	Cnnlaehj.exe
2292	Calhnpgn.exe
2084	Ddjejl32.exe
4116	Dfiafg32.exe
4396	Dopigd32.exe
4852	Dfknkg32.exe
2272	Dmefhako.exe
2732	Dkifae32.exe
2116	Ddakjkqi.exe
1448	Daekdooc.exe
4440	Dknpmdfc.exe
1632	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bffkij32.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Dkifae32.exe
File created	C:\Windows\SysWOW64\Nnjaqjfh.dll	Bhhdil32.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Cmnpgb32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Ajckij32.exe
File opened for modification	C:\Windows\SysWOW64\Aclpap32.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Agjhgngj.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Oahicipe.dll	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Aadifclh.exe	Ajkaii32.exe
File opened for modification	C:\Windows\SysWOW64\Aadifclh.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Cdcoim32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Afmhck32.exe	Agjhgngj.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Qcgffqei.exe	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Ehmdjdgk.dll	Ajanck32.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Bebblb32.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cffdpghg.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Ajckij32.exe	Ampkof32.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Bganhm32.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bmpcfdmg.exe
File created	C:\Windows\SysWOW64\Beihma32.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Belebq32.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Chempj32.dll	5523d982fcbffe882757f37df92fb546680c3d750caabc5c9d8ac31ad0bb596e.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Cmgjgcgo.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Ceehho32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Ampkof32.exe	Ajanck32.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Eiojlkkj.dll	Aqncedbp.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Kkmjgool.dll	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dmefhako.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Jdbnaa32.dll	Qmmnjfnl.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Bmpcfdmg.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2508	1632	WerFault.exe	143

System Location Discovery: System Language Discovery 1 TTPs 58 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qcgffqei.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmpcfdmg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5523d982fcbffe882757f37df92fb546680c3d750caabc5c9d8ac31ad0bb596e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjikg32.dll"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bmpcfdmg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	5523d982fcbffe882757f37df92fb546680c3d750caabc5c9d8ac31ad0bb596e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoddikd.dll"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leqcid32.dll"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddjejl32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	5523d982fcbffe882757f37df92fb546680c3d750caabc5c9d8ac31ad0bb596e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooojbbid.dll"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpmlcim.dll"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aadifclh.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 3656	2916	5523d982fcbffe882757f37df92fb546680c3d750caabc5c9d8ac31ad0bb596e.exe	84
PID 2916 wrote to memory of 3656	2916	5523d982fcbffe882757f37df92fb546680c3d750caabc5c9d8ac31ad0bb596e.exe	84
PID 2916 wrote to memory of 3656	2916	5523d982fcbffe882757f37df92fb546680c3d750caabc5c9d8ac31ad0bb596e.exe	84
PID 3656 wrote to memory of 2748	3656	Qjoankoi.exe	85
PID 3656 wrote to memory of 2748	3656	Qjoankoi.exe	85
PID 3656 wrote to memory of 2748	3656	Qjoankoi.exe	85
PID 2748 wrote to memory of 4828	2748	Qmmnjfnl.exe	86
PID 2748 wrote to memory of 4828	2748	Qmmnjfnl.exe	86
PID 2748 wrote to memory of 4828	2748	Qmmnjfnl.exe	86
PID 4828 wrote to memory of 4476	4828	Qcgffqei.exe	87
PID 4828 wrote to memory of 4476	4828	Qcgffqei.exe	87
PID 4828 wrote to memory of 4476	4828	Qcgffqei.exe	87
PID 4476 wrote to memory of 1080	4476	Ajanck32.exe	88
PID 4476 wrote to memory of 1080	4476	Ajanck32.exe	88
PID 4476 wrote to memory of 1080	4476	Ajanck32.exe	88
PID 1080 wrote to memory of 808	1080	Ampkof32.exe	90
PID 1080 wrote to memory of 808	1080	Ampkof32.exe	90
PID 1080 wrote to memory of 808	1080	Ampkof32.exe	90
PID 808 wrote to memory of 1412	808	Ajckij32.exe	91
PID 808 wrote to memory of 1412	808	Ajckij32.exe	91
PID 808 wrote to memory of 1412	808	Ajckij32.exe	91
PID 1412 wrote to memory of 3588	1412	Aqncedbp.exe	92
PID 1412 wrote to memory of 3588	1412	Aqncedbp.exe	92
PID 1412 wrote to memory of 3588	1412	Aqncedbp.exe	92
PID 3588 wrote to memory of 4572	3588	Aclpap32.exe	93
PID 3588 wrote to memory of 4572	3588	Aclpap32.exe	93
PID 3588 wrote to memory of 4572	3588	Aclpap32.exe	93
PID 4572 wrote to memory of 2628	4572	Anadoi32.exe	95
PID 4572 wrote to memory of 2628	4572	Anadoi32.exe	95
PID 4572 wrote to memory of 2628	4572	Anadoi32.exe	95
PID 2628 wrote to memory of 5092	2628	Agjhgngj.exe	96
PID 2628 wrote to memory of 5092	2628	Agjhgngj.exe	96
PID 2628 wrote to memory of 5092	2628	Agjhgngj.exe	96
PID 5092 wrote to memory of 4788	5092	Afmhck32.exe	97
PID 5092 wrote to memory of 4788	5092	Afmhck32.exe	97
PID 5092 wrote to memory of 4788	5092	Afmhck32.exe	97
PID 4788 wrote to memory of 4676	4788	Amgapeea.exe	99
PID 4788 wrote to memory of 4676	4788	Amgapeea.exe	99
PID 4788 wrote to memory of 4676	4788	Amgapeea.exe	99
PID 4676 wrote to memory of 1672	4676	Aeniabfd.exe	100
PID 4676 wrote to memory of 1672	4676	Aeniabfd.exe	100
PID 4676 wrote to memory of 1672	4676	Aeniabfd.exe	100
PID 1672 wrote to memory of 2344	1672	Ajkaii32.exe	101
PID 1672 wrote to memory of 2344	1672	Ajkaii32.exe	101
PID 1672 wrote to memory of 2344	1672	Ajkaii32.exe	101
PID 2344 wrote to memory of 3472	2344	Aadifclh.exe	102
PID 2344 wrote to memory of 3472	2344	Aadifclh.exe	102
PID 2344 wrote to memory of 3472	2344	Aadifclh.exe	102
PID 3472 wrote to memory of 4280	3472	Aepefb32.exe	103
PID 3472 wrote to memory of 4280	3472	Aepefb32.exe	103
PID 3472 wrote to memory of 4280	3472	Aepefb32.exe	103
PID 4280 wrote to memory of 3156	4280	Bfabnjjp.exe	104
PID 4280 wrote to memory of 3156	4280	Bfabnjjp.exe	104
PID 4280 wrote to memory of 3156	4280	Bfabnjjp.exe	104
PID 3156 wrote to memory of 3084	3156	Bebblb32.exe	105
PID 3156 wrote to memory of 3084	3156	Bebblb32.exe	105
PID 3156 wrote to memory of 3084	3156	Bebblb32.exe	105
PID 3084 wrote to memory of 3676	3084	Bganhm32.exe	106
PID 3084 wrote to memory of 3676	3084	Bganhm32.exe	106
PID 3084 wrote to memory of 3676	3084	Bganhm32.exe	106
PID 3676 wrote to memory of 2336	3676	Bmngqdpj.exe	107
PID 3676 wrote to memory of 2336	3676	Bmngqdpj.exe	107
PID 3676 wrote to memory of 2336	3676	Bmngqdpj.exe	107
PID 2336 wrote to memory of 3748	2336	Beeoaapl.exe	108

C:\Users\Admin\AppData\Local\Temp\5523d982fcbffe882757f37df92fb546680c3d750caabc5c9d8ac31ad0bb596e.exe
"C:\Users\Admin\AppData\Local\Temp\5523d982fcbffe882757f37df92fb546680c3d750caabc5c9d8ac31ad0bb596e.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Windows\SysWOW64\Qjoankoi.exe
  C:\Windows\system32\Qjoankoi.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3656
- - C:\Windows\SysWOW64\Qmmnjfnl.exe
    C:\Windows\system32\Qmmnjfnl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\SysWOW64\Qcgffqei.exe
      C:\Windows\system32\Qcgffqei.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4828
    - - C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4476
      - C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:808
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3588
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5092
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3156
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3748
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1572
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4332
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1904
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:916
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2608
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2200
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3356
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3544
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3364
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1172
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3144
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4248
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4600
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4460
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3476
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:728
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2084
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4116
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2732
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2116
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1632
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1632 -s 396
        59⤵
        Program crash
        
        PID:2508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1632 -ip 1632
1⤵
PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
256KB

MD5
ff34150b1aaf9c71efbb38e6f1db3d04

SHA1
e707e5e7f336f4a98cb5c43f5dbb4429ba34266f

SHA256
c5ddbd2d0baf8402e7f616a24663bb7033469a6d6131bf2f2f335f8486aa9fa4

SHA512
a7f75bd767ae663cc8e6849d39ee4184d563cc351dfad0810d433098d213383d4a0340530b0f3a160bbf86387504f8a184138592b4d885a766ed419935891b73

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
256KB

MD5
37abf3f949d8f4005be8dd248987392f

SHA1
d01cbcb2f03952ddbaea747e4d13ee57bbff62c2

SHA256
73aba3b3843300b343b2321f6c2c4eb90a593cdb9aa57e0c782aabe86476b41d

SHA512
dfa845913630d70fd9756c45984e4181b69a35f64a37798622d6146306ba277d00876e7649c2e20c5b8190316657a42be117fa2c011bc942eb5246577af09ea6

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
256KB

MD5
e4655e8c048ce7e0e9a54100138baaf6

SHA1
52c2a3870bf024b46800c051be1c03f110060da9

SHA256
cc9711d2e044ed438710c3cf5b9b9ce32133c85a7c1207fdd5e9c73e096cb506

SHA512
0e96f263fd507e6f5b24b1d05bdd1cca4a2896955f73c293207a6a215fef2587db155c3c5a94a225274e22f68e2ebe4fa1b256698207a85d7f591201fe815701

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
256KB

MD5
c3f6dc251043991682c4b1c453865912

SHA1
0fd264fa88e25f8be43d00ce6fd36b573d8b0e9c

SHA256
f5c7de01d5e809cdd5cedbc23f774c39b3630d040fd5639501dfa1b4536d3729

SHA512
336df1ed4e873f68992d4f67f9d47061f575700118e33f975d015b16557f5c72cc53d4e9d4fa18a6ee2493cdf6de67c03e455fa57d784437ee86d3f125ef25d6

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
256KB

MD5
07ed9af280536da987fcdc0fd9b6ad23

SHA1
8afc974c3377aac2564491e3328c7e8368f81aa9

SHA256
a4cca6d47fae455b10c557bbd6bb0beb2f4bb46cc4429da428d612c737d2d866

SHA512
10c3e229ec6d05e091422fb50c77408a1a6284594dd2229b1a5bb9f0304e1d6586804bead0822f73799daffc0bb5d258ddc23dabfb4423e601a53d352e5fbd4d

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
256KB

MD5
9ce1732bfe50baed2f44ef07892c8ef0

SHA1
15251fba01ccb39351b08f1db09d1619fb13fa60

SHA256
9d6c6310e77ce396ad4e7a2b20a0a77b97c76b56d6832295390e4e4ddc0443fc

SHA512
479c44dabd62cb18edb065f8817710fce4590f3a9a4fc5efe5fd632525ef945e84ef81063f00367aa6231766812de9da842228367b06734a7b51b4429b635ffb

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
256KB

MD5
6486f81e48ca3d046a279483d23daa18

SHA1
25c89574c2ad8c7091bedee328bbec9354746403

SHA256
ee3d0abea0595b45be736e2e64fb7a31b0e93a4fe41aca8de39564f9416732a0

SHA512
66c6bcd6824c04ca38c2c4465d23679c2e55b22250da5848bd4813b325327c9ccce0c064f28963b03730e304412a675a91beb6360360afdebe0dc40d00fa7472

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
256KB

MD5
605026c02075336526352ab9968906f6

SHA1
08cfe523a06e5eef5d01e48721cde19823995393

SHA256
9afefb4a4b2ad64cd7178e5f61d8b66b5a7041733fe960622f31f2bcaa80b06d

SHA512
d0b2891cb045c88aff0e0ea97cd06e7a531f77767802f778cbba3a05b85637a986b38cf788c944111a4a3ba26a25ce83074c7d5db63efb8e8a2ba07a20042478

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
256KB

MD5
f319fc2bc53bc89ce7b99fb918054c93

SHA1
376a2303784599496d5400b0a2fbf98f6b5bd2f3

SHA256
59dd3f58216e10966ee3aba90c883b1bef7eb94ce787063a521c2dd4e3ab2d52

SHA512
613a8f170d847318e92f8d9882be33f493e8cc139f77223b73601ea6574b4cddeea86dddcbf7f01b1a690518c70a2358eb60f0c15461f53f8e3c448a0694033a

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
256KB

MD5
461d31dbe8c29401e567fb18a49146e7

SHA1
f3699dbdd85fa0accc8e8f8ab5d2460fdc060133

SHA256
26355fe5165cea545be0bcc28e4a09f0a00bbd7450271cefd4cd88d47b668e06

SHA512
efaf8a47710acdfc18dc42b919b412135b3aa2acdcac139668535390f6243c99929d41cfb0994510e09ce998bc6d11c060d92e26e33ddbb6af545b6366236615

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
256KB

MD5
aa3d73c31c9ae96164d4f0b99bc291af

SHA1
94ba7352e5ec340aa2e6906cee4177a375ba07b2

SHA256
79f0a81b170629a036c2baec36182319932b1c4bf71e05d9d739cdaf9f736005

SHA512
385d740a26c8a62deeb7c8497c98b5c74d8a756dfc31e87e00c353b0d276b52bb438e8e0b0d72117496dbb0cff4d47e7aded0aa9faa99168ec4439806911c675

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
256KB

MD5
2f750f3cfdc5faa62b23449fcca83b07

SHA1
d9dd22250458a50a1706f432ec84e2bcc8928686

SHA256
473917e6ea46c53b86a0d258877a2d76bc1c62acae8661a18a2f6d48b4735b23

SHA512
adb70d3efb58e3a91c5a0452669a8b5159f63d990c3fca0fc2329489935d20b68a154b4726c723f195cc72aa38ae3c420924336272180e689a65b3284a6b64c7

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
256KB

MD5
b94b4af12ff6a18a848f5eae694f7464

SHA1
e9ebf4e0c461d25fbae9326bb78c61ba2fae60f8

SHA256
fc64ec9052ec559a1bb4f451bde58bef2c4e076a39de45245537e3189211facd

SHA512
7837fa3bd15ab20be50d1668df016f9e7fcfa7c3d64743905cd1c53caeb553e589d62309b6dcbca27637570752e0a879a9582ef606edd7622669daf11e195c5e

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
256KB

MD5
9eac94eebd45e35efbac5a8ec8a5888c

SHA1
c6421166c9740d439e070136f0146f47ddb7a713

SHA256
cdc5d9d3abb8869aac064e3d182b7ea5217d48b4c5a9e7d99aeec70c8559e32b

SHA512
ffd9e3933c52f4492d6da68f42c01089a62874f14ca66dd7b0104b695254cb9e5325b59a793304a5d0cabfb3bd51c53e858153fa326f6267fa03c7cb3ab15b5f

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
256KB

MD5
22603b28f4e391bf7ee0c1a607af8b39

SHA1
c9f8e3c81752d5b061f5cb095c54c5751b93aaf1

SHA256
b48504822e589b0bb1f1d65cd52cb23e831159d60dd101c8a972c6a7e720940f

SHA512
12d0f3ac2a1d32a0435da936829d63f3d13d922fd5fde4edcb9bfffaaf3407eef273607220274503e5958477a6fc47feed9fcb65aceb986c2d4ecdbcc03e4554

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
256KB

MD5
2a5dc52ef9f190c63f13b0b1f541d1a1

SHA1
2107efba82e26ed8331f3097edce3aa99b1eda2a

SHA256
2a4239c53418170de7d86c15a16746bcc9e38157d964b6899e4feb0070fe244b

SHA512
42e8d6c4a2b74cd4a542ae6cc4301edd20fe491dad840bdfcd42778deeac765f22c7bcfe97bec3204a3b83f7f88d412aaa1210eba8341f6b55c255fccf6fe1fc

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
256KB

MD5
c937bb0f801245483d070669775fadc3

SHA1
f1fbfaf25535149638a81084a00fe7c4ae8e0b4f

SHA256
ec05b6c3cdcfcb64323fcc82404d7e6401809ad38a900285d4d1a217d7b1af3e

SHA512
8c331676b8a33fe20287ee24eea475d04106a4d2f551e0dc6685c89d23cbcfde3a684fd9ca54727b9d7c93902d01885e2bb1769edd0da869f5c3fd766e7b5c45

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
256KB

MD5
262695310624a608b6750e699375b2e5

SHA1
6ecfffaa43b95f0ca1b70baea9e05bf761286af9

SHA256
fddbab8f2197f27b456a21064f6492082ed4ace86e4fce87f84aa1b1946916ae

SHA512
36c1f3a2dd25d077fbe46bcbbda9a7594049a117c62561394d8aad207d585720e4b15ceced65ab78ab34aef1edc3d419796cc4a48f4de4183ec7a4ef8ca1b1d3

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
256KB

MD5
85cda4637e5bceda22185379ccc75ffd

SHA1
0e2f27ed659cc3bbbe660d0cce3774f64ee5407a

SHA256
7c95aaa54fcc12281d9e5b722a46df3359a5557d4c72c7dfd3961f2bb2689565

SHA512
f05387ac042551cd0613e1a5a3c834be624c8020e214512555f24ba8f06d09fa4c2e5d0c066dbef6f3a864e77046bf9cd12c092aee97ac0b17901e780655ab59

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
256KB

MD5
7020bf01c92f3ff51826ea2fb046eb6c

SHA1
adba4cb9057bf48bd09ff7c4ee4bfa16e21da65e

SHA256
174c59a4291e4b3f99bf3dea5cf69538f69dfb2e661ef4edcf17a450a96d3f70

SHA512
dc04d943978fc94766b0a38ad57875159cc154ba274d94c612145393cbc0b0c25d9c3b8ddc73df991253f3bcdcf2cbe6595c4b992671d4c0302e024a74fac9db

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
256KB

MD5
c8754724b1da19320fb0c14633f30a0e

SHA1
55bbfeab83beae04b90c2865eb9cc4d0880a4497

SHA256
6960720a045d992bc014a25089b74c39c64c9e68cdf30214bc9af4b29a488d91

SHA512
636006cff51fabcb965c67174a5098c893046c3ae65e76c6cb7cf6d793fcf677821daeafe917b3e7f43493f2881f4761b89d834f28b207e616c88952c4f05245

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
256KB

MD5
e199bfc0c812ca26251ea303dbe8cc49

SHA1
812c53e36db2519c46a06c22df792476898aa93f

SHA256
64a569e56775df0f661c365016e33cccbc863579fc38fce10096069286f47931

SHA512
63fcfb329394d20695004e69092f911b6b2548233e5ed4f86378f7ea334ff7ddca3eefcc99663b365757f3d0ab053176a00149eaa438b12117f82c11a49d6dce

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
256KB

MD5
d5b5ae0d29d08e15b6848ffe46a44963

SHA1
2ca2c9c8e7d6bef309ddc57f5f9495a853177443

SHA256
10b34e2dec883529a8980b5ca17de7270099f88dd91cab9e66df69d6798d5c59

SHA512
72a2ff8c23b32213b89c6dd6fecd65d0f520920c99b2da0cf5da9c78693748647d8067b23be2f45674ca5ee55189aa851d576934ed7c7db27f5a9e04ddf7b984

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
256KB

MD5
e42cfdcbefc04cd318a9a9270d4c147a

SHA1
aa80f26dab8231baded7ad4efebb4235b40ed367

SHA256
28ec5665f22ee8f361d198efdfe86eddc1801f3d83f03796c2e40ca51c5b2b93

SHA512
aeece1f8e4be4dfc1b026a44872da7fde1161d8c2e876170c1f3ec942d95ed246a92d443c9410c4572376e3d30c7af22cf9c014013c44741d9d328b0b4b1aef9

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
256KB

MD5
9eaebb63b1e2cc43125abfdd38c0ba55

SHA1
f46b9186035bc29dae20bd26bc94b2553bf5ebb7

SHA256
7d0563df9e20b62081d33b35125575bf8efc8451efef44d4465a74e9361a5af9

SHA512
725532c818a94dc6f6dd54983ee19b7d64d7eec6f32ef0f56d128efecb8b37a64549494f446d33a4515128b8991c9df9bd4f116f8272acb1088df2ef81c8b5f8

Download Submit
C:\Windows\SysWOW64\Bmpcfdmg.exe

Filesize
256KB

MD5
7e3b9411bb1a31b6a4a378d6fb75d0eb

SHA1
e03a493f7c1f931f43558fa829af92ffeb5f0893

SHA256
65bdfc46076043dd969a7c73b24082ae963f1232e850ca9edbb6cc7f34c0651b

SHA512
b11859b288f6603ea6a23df3543d0447408ed70d063ff87bbceab3282acab30f8c9914731f92a48c97fa7f631d58ac8c63bbdb27c1da378525bb98850a81df08

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
256KB

MD5
4d1e7499d42cbe83b5e22a11d8a7352d

SHA1
220cc02cdb0f26be6d77ab8fa0fee05090e6ac5c

SHA256
d00eae355106a583e59581120f49347e7211cff53b839b01c4ff2f68acb355e3

SHA512
466dd9a8fac9126f88bc739adbf3b45a68bf535cb800d7da70975731d319fd92d768644d3923f5f5f1a4c1714f8607deca3c61397f090985469f15d397dab9d2

Download Submit
C:\Windows\SysWOW64\Cfdhkhjj.exe

Filesize
256KB

MD5
777c9ab713dd67f758f3e1a29f9dacc7

SHA1
9627209b6b1c91664294684e6bbc3c00a73ca67b

SHA256
53b8f0b8300a61cde9950010f8876a66842efaa81464ec7de324e33c647812b8

SHA512
67c2a9a7804d2d39cc008efd897d3c2d8f5b66eb99485e43a7e3c5e96526d3b44f01ce4b5ba53f6e0f4eaf9992077973edc0a436d5cfc76815753c8e12dd4957

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
256KB

MD5
8f7f2ce2acc355bb92baa815715efbdf

SHA1
61b24f889289af1ce70b91fcee5563bc9fb57acf

SHA256
45900986fcc25850d00ebdd327cb4029c82964a8cdbeb7cd538fbe6299727846

SHA512
cc27beb0ec0be85f938a0a58061295e837c94816962ee9d725fb2e204336467c5ad761cb4589ad3f91fb43ad0f808634fa90a152f16e09496dedb39f4a226a95

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
256KB

MD5
af56561cfe1d0e2f18497542b4e8a4f1

SHA1
a99b98c5d450056cb52a5f51c734f7a175bafce1

SHA256
440042ba47e60bd5042600d9d0322b935c1c0491cc86ea1f5d35f1402b1017ce

SHA512
2a7485efc387a16aeb28ea7924320ae85f533e87631c3925057b4a9ad0aa39d2abcc6559e39f98518170910e111474dbc3fc84667bb1d72e9a463aec68d86528

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
256KB

MD5
b632edcf65979b5206c4731b95283dbf

SHA1
08e8d1ef49edb07078100b352aca21e66c5958a3

SHA256
a7357661669306fb4e82120098dc60880525429fb37c2fa212aae2d6a872ffbe

SHA512
0e5cf478f76ecc98d87024610f5f9def29be6e1abc01f299d768b6f2daf7f9772289e06ffba23ee5e744a8ef86fad8c550a9d120afdb0ddd3f725c2c9276543d

Download Submit
C:\Windows\SysWOW64\Dfknkg32.exe

Filesize
256KB

MD5
670e8d1c4a2f3826d83157f452bd9ce1

SHA1
7a2430b6a33f606f6f485672ae2663c62b9839f5

SHA256
041a90ee414e43f15b4969671fcf06a110a4e326ee45279e7e552245758b4e25

SHA512
765248abeb524e63bbeeecd38e2891875e5df06f8ca10602c6b70e31f08d03d7c315bc92aceeb03f1fe983b23b28c08743ac2587d9d5a02323c37939026e5ba3

Download Submit
C:\Windows\SysWOW64\Dkifae32.exe

Filesize
256KB

MD5
0a05f5271c8393149303032875cc93f3

SHA1
e687660f9f597182555d02303ff7676809c7a138

SHA256
a16ece065d2c37fd5ec07397a1be09573c8c3cfbb998964bc7207e1a2fd7dbe6

SHA512
6f8f950e92d3b6e1ca8dfeee24e3e7aafb72bd8289f7e3a4a27de2176bee84f59db8eb3f78c5afe6dd62b452374a52be31d06a5b0fc705ed0598e367d4f99e44

Download Submit
C:\Windows\SysWOW64\Qcgffqei.exe

Filesize
256KB

MD5
f9e97ef956a06d39fe2f6ed4f6d35f63

SHA1
956903ae1cc4ade4a4cb2b688345da9b31bf51f7

SHA256
e8ef7b012888e4441cac10a49945e31e607f52fe8bfb4d60173bbd98dc72217b

SHA512
1c575d904dee6f0f2c55429fe78301b772a31e52fd0cc31863bf020b97b00499a549a18ffcbf1284450a5ec2c00297d185c832af81007210faed2fc3a2681028

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
256KB

MD5
d63f032dd2d1e0d7fa96ff3c02e4c95e

SHA1
74efdc055eb108bcfca1c50133ad74d08895caf5

SHA256
32cebb317c761f1ad96a2f785cda3e70736ab6aa4c6a41d980a4f22716b977a8

SHA512
423d5714096ce4dea36159ba4e3e86ffee7e017ebec36320d0326906b9592b88e094d3b586989387591f82d3d3b3805884625f154c543122d91efec77ffd5205

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
256KB

MD5
ca06d43a8686f5e57bea8edf30c7e6b8

SHA1
a0aa353fcef0543a9b10f8f4e0ccab1f0b7c906b

SHA256
02385cf7ae5db8d77466365038d0d466a32e3098868077bf2731c6c9567bfdac

SHA512
28c799d0ccf70192ee160c91f1a33e2ee7e430614ab4825d885d7ff607acc462f4d820f6c51784a3af72231d7d17e2090800e7ba452dd826b0c348e78d7a0851

Download Submit
memory/728-371-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/728-439-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/808-48-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/808-134-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/916-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/916-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-281-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/968-196-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1080-129-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1080-41-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1172-330-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1172-398-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1412-142-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1412-57-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1448-433-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1500-300-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1572-299-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1572-213-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1672-204-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1672-117-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1888-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1888-343-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1904-315-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1904-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2084-389-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2116-426-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-336-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2200-265-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-302-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2256-222-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2272-413-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2292-378-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2336-179-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2336-264-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2344-130-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2608-257-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2608-329-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2628-86-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2732-419-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-103-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2748-17-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-73-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2916-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/2916-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3084-247-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3084-162-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3144-405-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3144-337-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3156-239-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3156-153-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3356-354-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3356-282-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3364-309-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3364-377-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3472-221-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3472-138-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3476-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3476-432-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3544-289-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3544-357-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3584-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3584-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-65-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3588-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3656-13-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3668-303-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3676-174-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3748-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3748-273-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4116-392-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4248-344-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4248-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4280-143-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4280-233-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4332-235-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4396-399-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-425-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4460-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-391-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4468-323-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-33-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4476-115-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4572-161-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4572-74-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4600-355-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4676-108-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4676-195-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4788-104-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-25-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4828-107-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4852-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4936-288-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4936-205-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-178-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/5092-90-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads