b75a1467bdc68a02375e17bd811aa846c339353f1feaad0785261008b4aaa563

Analysis

max time kernel
114s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-08-2024 17:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d595f0c242e340a614cc0c778840fd00N.exe
Size

80KB
MD5

d595f0c242e340a614cc0c778840fd00
SHA1

1166f68c4b66f54e3e79a991f4f46246281f2a82
SHA256

b75a1467bdc68a02375e17bd811aa846c339353f1feaad0785261008b4aaa563
SHA512

09676b516c16127daac938de578df7edc9ac1697dd1b614e26b28eb39cc587cf181034a43b34fba40502661df373a2c0005d4aad81934a17e9d5c9c7e09fdfd5
SSDEEP

1536:SEVjaOvUb9ff7VjRgUcoR8EXqNLuRhORQAxRJJ5R2xOSC4BG:SEVmOvsfjZRcd0XhOeqrJ5wxO344

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cibkohef.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Clpgkcdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dpjompqc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afqifo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aiabhj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cboibm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ciknefmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dedkogqm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bejobk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdgolq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabmmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmkjig32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbhbbn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmbpjfij.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cpcila32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amkabind.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afceko32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cifdjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpcila32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bbcignbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cpifeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmmgof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdjlap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cifdjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbcignbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bfabmmhe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmimdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cbhbbn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cehlcikj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdnelpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cbaehl32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciknefmk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acgfec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aidomjaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dmifkecb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dlncla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Debnjgcp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dbfoclai.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bemlhj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bpgjpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmdmpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Debnjgcp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddcogo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmkcpdao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Blknpdho.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmdmpe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beaecjab.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdgolq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cboibm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Apngjd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bmfqngcg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Blknpdho.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cbjogmlf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cbmlmmjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cbmlmmjd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfhhml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dinjjf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmifkecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dgdgijhp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Apngjd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpifeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cehlcikj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dibdeegc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dibdeegc.exe

Executes dropped EXE 64 IoCs

pid	Process
2876	Afqifo32.exe
2056	Amkabind.exe
2700	Afceko32.exe
3608	Aiabhj32.exe
2424	Acgfec32.exe
3848	Aidomjaf.exe
348	Apngjd32.exe
1332	Bejobk32.exe
4756	Bldgoeog.exe
3212	Bboplo32.exe
1180	Bemlhj32.exe
4488	Bmddihfj.exe
2908	Bpbpecen.exe
3872	Bbalaoda.exe
2208	Beoimjce.exe
4556	Bmfqngcg.exe
5024	Bliajd32.exe
720	Bpemkcck.exe
1916	Bbcignbo.exe
2880	Bfoegm32.exe
1664	Beaecjab.exe
4268	Bmimdg32.exe
1744	Blknpdho.exe
5076	Bpgjpb32.exe
3032	Bbefln32.exe
4440	Bfabmmhe.exe
2468	Bedbhi32.exe
1476	Bmkjig32.exe
4808	Cpifeb32.exe
4532	Cdebfago.exe
5040	Cbhbbn32.exe
3624	Cfcoblfb.exe
2356	Cibkohef.exe
4736	Cmmgof32.exe
3448	Clpgkcdj.exe
4708	Cdgolq32.exe
4792	Cbjogmlf.exe
4044	Cehlcikj.exe
3768	Cidgdg32.exe
2508	Clbdpc32.exe
1004	Cpnpqakp.exe
3476	Cdjlap32.exe
3248	Cbmlmmjd.exe
4284	Cfhhml32.exe
4296	Cifdjg32.exe
5136	Cmbpjfij.exe
5176	Cleqfb32.exe
5216	Cdlhgpag.exe
5248	Cboibm32.exe
5288	Cfjeckpj.exe
5328	Cemeoh32.exe
5376	Ciiaogon.exe
5416	Cmdmpe32.exe
5456	Cpcila32.exe
5496	Cdnelpod.exe
5536	Cbaehl32.exe
5568	Cepadh32.exe
5608	Ciknefmk.exe
5656	Clijablo.exe
5688	Dpefaq32.exe
5736	Ddqbbo32.exe
5772	Dfonnk32.exe
5816	Debnjgcp.exe
5856	Dinjjf32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mckfmq32.dll	Dmnpfd32.exe
File opened for modification	C:\Windows\SysWOW64\Dpjompqc.exe	Dlncla32.exe
File opened for modification	C:\Windows\SysWOW64\Dmnpfd32.exe	Dibdeegc.exe
File opened for modification	C:\Windows\SysWOW64\Cfcoblfb.exe	Cbhbbn32.exe
File opened for modification	C:\Windows\SysWOW64\Afqifo32.exe	d595f0c242e340a614cc0c778840fd00N.exe
File opened for modification	C:\Windows\SysWOW64\Afceko32.exe	Amkabind.exe
File created	C:\Windows\SysWOW64\Aahgec32.dll	Bmfqngcg.exe
File created	C:\Windows\SysWOW64\Blknpdho.exe	Bmimdg32.exe
File opened for modification	C:\Windows\SysWOW64\Acgfec32.exe	Aiabhj32.exe
File created	C:\Windows\SysWOW64\Cdlhgpag.exe	Cleqfb32.exe
File opened for modification	C:\Windows\SysWOW64\Cdlhgpag.exe	Cleqfb32.exe
File created	C:\Windows\SysWOW64\Beoimjce.exe	Bbalaoda.exe
File opened for modification	C:\Windows\SysWOW64\Bpgjpb32.exe	Blknpdho.exe
File opened for modification	C:\Windows\SysWOW64\Dbkhnk32.exe	Ddhhbngi.exe
File opened for modification	C:\Windows\SysWOW64\Bboplo32.exe	Bldgoeog.exe
File opened for modification	C:\Windows\SysWOW64\Dpefaq32.exe	Clijablo.exe
File created	C:\Windows\SysWOW64\Pdkpjeba.dll	Cmdmpe32.exe
File created	C:\Windows\SysWOW64\Cmonod32.dll	Dpllbp32.exe
File opened for modification	C:\Windows\SysWOW64\Bmimdg32.exe	Beaecjab.exe
File created	C:\Windows\SysWOW64\Neiiibnn.dll	Cmbpjfij.exe
File opened for modification	C:\Windows\SysWOW64\Cbmlmmjd.exe	Cdjlap32.exe
File created	C:\Windows\SysWOW64\Clijablo.exe	Ciknefmk.exe
File created	C:\Windows\SysWOW64\Jgfdkj32.dll	Dbfoclai.exe
File created	C:\Windows\SysWOW64\Cbhbbn32.exe	Cdebfago.exe
File opened for modification	C:\Windows\SysWOW64\Cbjogmlf.exe	Cdgolq32.exe
File opened for modification	C:\Windows\SysWOW64\Ddcogo32.exe	Dpgbgpbe.exe
File created	C:\Windows\SysWOW64\Dpjompqc.exe	Dlncla32.exe
File created	C:\Windows\SysWOW64\Bmimdg32.exe	Beaecjab.exe
File opened for modification	C:\Windows\SysWOW64\Amkabind.exe	Afqifo32.exe
File opened for modification	C:\Windows\SysWOW64\Bmfqngcg.exe	Beoimjce.exe
File opened for modification	C:\Windows\SysWOW64\Bldgoeog.exe	Bejobk32.exe
File created	C:\Windows\SysWOW64\Ppbeie32.dll	Bmddihfj.exe
File opened for modification	C:\Windows\SysWOW64\Cemeoh32.exe	Cfjeckpj.exe
File created	C:\Windows\SysWOW64\Befogbik.dll	Cbaehl32.exe
File created	C:\Windows\SysWOW64\Efiopa32.dll	Bfabmmhe.exe
File created	C:\Windows\SysWOW64\Cfhhml32.exe	Cbmlmmjd.exe
File opened for modification	C:\Windows\SysWOW64\Bbalaoda.exe	Bpbpecen.exe
File created	C:\Windows\SysWOW64\Ibnoch32.dll	Cdebfago.exe
File created	C:\Windows\SysWOW64\Fiinbn32.dll	Dlncla32.exe
File created	C:\Windows\SysWOW64\Cpifeb32.exe	Bmkjig32.exe
File created	C:\Windows\SysWOW64\Ebldoh32.dll	Dpgbgpbe.exe
File created	C:\Windows\SysWOW64\Cemeoh32.exe	Cfjeckpj.exe
File created	C:\Windows\SysWOW64\Naefjl32.dll	Ddhhbngi.exe
File created	C:\Windows\SysWOW64\Gdfmgqph.dll	Bfoegm32.exe
File created	C:\Windows\SysWOW64\Bpgnmlep.dll	Cbmlmmjd.exe
File created	C:\Windows\SysWOW64\Ddcogo32.exe	Dpgbgpbe.exe
File created	C:\Windows\SysWOW64\Cdgolq32.exe	Clpgkcdj.exe
File opened for modification	C:\Windows\SysWOW64\Ddqbbo32.exe	Dpefaq32.exe
File opened for modification	C:\Windows\SysWOW64\Bbcignbo.exe	Bpemkcck.exe
File created	C:\Windows\SysWOW64\Cmmgof32.exe	Cibkohef.exe
File created	C:\Windows\SysWOW64\Bbcignbo.exe	Bpemkcck.exe
File created	C:\Windows\SysWOW64\Fmbcdide.dll	Bmkjig32.exe
File opened for modification	C:\Windows\SysWOW64\Cbhbbn32.exe	Cdebfago.exe
File created	C:\Windows\SysWOW64\Cifdjg32.exe	Cfhhml32.exe
File opened for modification	C:\Windows\SysWOW64\Debnjgcp.exe	Dfonnk32.exe
File opened for modification	C:\Windows\SysWOW64\Apngjd32.exe	Aidomjaf.exe
File created	C:\Windows\SysWOW64\Qhfaig32.dll	Bliajd32.exe
File opened for modification	C:\Windows\SysWOW64\Cibkohef.exe	Cfcoblfb.exe
File opened for modification	C:\Windows\SysWOW64\Clijablo.exe	Ciknefmk.exe
File opened for modification	C:\Windows\SysWOW64\Bpemkcck.exe	Bliajd32.exe
File created	C:\Windows\SysWOW64\Hiagoigj.dll	Cpnpqakp.exe
File created	C:\Windows\SysWOW64\Ggiipk32.dll	Cpcila32.exe
File created	C:\Windows\SysWOW64\Nqbpidem.dll	Dmkcpdao.exe
File created	C:\Windows\SysWOW64\Fobkem32.dll	Amkabind.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5436	3948	WerFault.exe	170

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afqifo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bemlhj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blknpdho.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdgolq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmimdg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmkcpdao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdebfago.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbmlmmjd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfjeckpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aidomjaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmddihfj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbefln32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpnpqakp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbalaoda.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cibkohef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpgbgpbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabmmhe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmmgof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clpgkcdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdjlap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cboibm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cemeoh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciiaogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbfoclai.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbhbbn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfcoblfb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cifdjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cleqfb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddcogo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgdgijhp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afceko32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apngjd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdlhgpag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmdmpe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpefaq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bejobk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bboplo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Clbdpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dibdeegc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpemkcck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbaehl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciknefmk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfonnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dedkogqm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dbkhnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d595f0c242e340a614cc0c778840fd00N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bedbhi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpifeb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbjogmlf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cepadh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dinjjf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dpllbp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beaecjab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddhhbngi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acgfec32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bldgoeog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beoimjce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpgjpb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjig32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfhhml32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpcila32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdnelpod.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddqbbo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amkabind.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqbpidem.dll"	Dmkcpdao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	d595f0c242e340a614cc0c778840fd00N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfabmmhe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cmbpjfij.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cfjeckpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cemeoh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dedkogqm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdnelpod.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Amkabind.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Acgfec32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cehlcikj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oahmla32.dll"	Afqifo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmddihfj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idcdeb32.dll"	Bpbpecen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkeoha32.dll"	Blknpdho.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cidgdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Clijablo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aidomjaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bboplo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cpifeb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bliajd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cbhbbn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ddqbbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dbfoclai.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dedkogqm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldhopqko.dll"	Beoimjce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchhia32.dll"	Clpgkcdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmdmpe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiagoigj.dll"	Cpnpqakp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cboibm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkpjeba.dll"	Cmdmpe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dlncla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bpemkcck.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cboibm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dpgbgpbe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	d595f0c242e340a614cc0c778840fd00N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bboplo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bbalaoda.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agdghm32.dll"	Bbcignbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adlafb32.dll"	Ddqbbo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oihlnd32.dll"	Dmifkecb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bpbpecen.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Midbjmkg.dll"	Cfcoblfb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqbolk32.dll"	Bboplo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfcoblfb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdlhgpag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioeiam32.dll"	Dpjompqc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Beaecjab.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmmgof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cidgdg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebldoh32.dll"	Dpgbgpbe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bldgoeog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmhpkebp.dll"	Bldgoeog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bldgoeog.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjdmlonn.dll"	Cehlcikj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfhhml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dlncla32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpaohckm.dll"	Dpefaq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddqbbo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	d595f0c242e340a614cc0c778840fd00N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bpgjpb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cdebfago.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eldafjjc.dll"	Cmmgof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cbmlmmjd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2876	2368	d595f0c242e340a614cc0c778840fd00N.exe	91
PID 2368 wrote to memory of 2876	2368	d595f0c242e340a614cc0c778840fd00N.exe	91
PID 2368 wrote to memory of 2876	2368	d595f0c242e340a614cc0c778840fd00N.exe	91
PID 2876 wrote to memory of 2056	2876	Afqifo32.exe	92
PID 2876 wrote to memory of 2056	2876	Afqifo32.exe	92
PID 2876 wrote to memory of 2056	2876	Afqifo32.exe	92
PID 2056 wrote to memory of 2700	2056	Amkabind.exe	93
PID 2056 wrote to memory of 2700	2056	Amkabind.exe	93
PID 2056 wrote to memory of 2700	2056	Amkabind.exe	93
PID 2700 wrote to memory of 3608	2700	Afceko32.exe	94
PID 2700 wrote to memory of 3608	2700	Afceko32.exe	94
PID 2700 wrote to memory of 3608	2700	Afceko32.exe	94
PID 3608 wrote to memory of 2424	3608	Aiabhj32.exe	95
PID 3608 wrote to memory of 2424	3608	Aiabhj32.exe	95
PID 3608 wrote to memory of 2424	3608	Aiabhj32.exe	95
PID 2424 wrote to memory of 3848	2424	Acgfec32.exe	96
PID 2424 wrote to memory of 3848	2424	Acgfec32.exe	96
PID 2424 wrote to memory of 3848	2424	Acgfec32.exe	96
PID 3848 wrote to memory of 348	3848	Aidomjaf.exe	97
PID 3848 wrote to memory of 348	3848	Aidomjaf.exe	97
PID 3848 wrote to memory of 348	3848	Aidomjaf.exe	97
PID 348 wrote to memory of 1332	348	Apngjd32.exe	98
PID 348 wrote to memory of 1332	348	Apngjd32.exe	98
PID 348 wrote to memory of 1332	348	Apngjd32.exe	98
PID 1332 wrote to memory of 4756	1332	Bejobk32.exe	99
PID 1332 wrote to memory of 4756	1332	Bejobk32.exe	99
PID 1332 wrote to memory of 4756	1332	Bejobk32.exe	99
PID 4756 wrote to memory of 3212	4756	Bldgoeog.exe	100
PID 4756 wrote to memory of 3212	4756	Bldgoeog.exe	100
PID 4756 wrote to memory of 3212	4756	Bldgoeog.exe	100
PID 3212 wrote to memory of 1180	3212	Bboplo32.exe	101
PID 3212 wrote to memory of 1180	3212	Bboplo32.exe	101
PID 3212 wrote to memory of 1180	3212	Bboplo32.exe	101
PID 1180 wrote to memory of 4488	1180	Bemlhj32.exe	102
PID 1180 wrote to memory of 4488	1180	Bemlhj32.exe	102
PID 1180 wrote to memory of 4488	1180	Bemlhj32.exe	102
PID 4488 wrote to memory of 2908	4488	Bmddihfj.exe	103
PID 4488 wrote to memory of 2908	4488	Bmddihfj.exe	103
PID 4488 wrote to memory of 2908	4488	Bmddihfj.exe	103
PID 2908 wrote to memory of 3872	2908	Bpbpecen.exe	104
PID 2908 wrote to memory of 3872	2908	Bpbpecen.exe	104
PID 2908 wrote to memory of 3872	2908	Bpbpecen.exe	104
PID 3872 wrote to memory of 2208	3872	Bbalaoda.exe	106
PID 3872 wrote to memory of 2208	3872	Bbalaoda.exe	106
PID 3872 wrote to memory of 2208	3872	Bbalaoda.exe	106
PID 2208 wrote to memory of 4556	2208	Beoimjce.exe	107
PID 2208 wrote to memory of 4556	2208	Beoimjce.exe	107
PID 2208 wrote to memory of 4556	2208	Beoimjce.exe	107
PID 4556 wrote to memory of 5024	4556	Bmfqngcg.exe	108
PID 4556 wrote to memory of 5024	4556	Bmfqngcg.exe	108
PID 4556 wrote to memory of 5024	4556	Bmfqngcg.exe	108
PID 5024 wrote to memory of 720	5024	Bliajd32.exe	109
PID 5024 wrote to memory of 720	5024	Bliajd32.exe	109
PID 5024 wrote to memory of 720	5024	Bliajd32.exe	109
PID 720 wrote to memory of 1916	720	Bpemkcck.exe	110
PID 720 wrote to memory of 1916	720	Bpemkcck.exe	110
PID 720 wrote to memory of 1916	720	Bpemkcck.exe	110
PID 1916 wrote to memory of 2880	1916	Bbcignbo.exe	111
PID 1916 wrote to memory of 2880	1916	Bbcignbo.exe	111
PID 1916 wrote to memory of 2880	1916	Bbcignbo.exe	111
PID 2880 wrote to memory of 1664	2880	Bfoegm32.exe	112
PID 2880 wrote to memory of 1664	2880	Bfoegm32.exe	112
PID 2880 wrote to memory of 1664	2880	Bfoegm32.exe	112
PID 1664 wrote to memory of 4268	1664	Beaecjab.exe	113

C:\Users\Admin\AppData\Local\Temp\d595f0c242e340a614cc0c778840fd00N.exe
"C:\Users\Admin\AppData\Local\Temp\d595f0c242e340a614cc0c778840fd00N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\SysWOW64\Afqifo32.exe
  C:\Windows\system32\Afqifo32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\SysWOW64\Amkabind.exe
    C:\Windows\system32\Amkabind.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2056
  - - C:\Windows\SysWOW64\Afceko32.exe
      C:\Windows\system32\Afceko32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Windows\SysWOW64\Aiabhj32.exe
        
        C:\Windows\system32\Aiabhj32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3608
      - C:\Windows\SysWOW64\Acgfec32.exe
        
        C:\Windows\system32\Acgfec32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\SysWOW64\Aidomjaf.exe
        
        C:\Windows\system32\Aidomjaf.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3848
        
        C:\Windows\SysWOW64\Apngjd32.exe
        
        C:\Windows\system32\Apngjd32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:348
        
        C:\Windows\SysWOW64\Bejobk32.exe
        
        C:\Windows\system32\Bejobk32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\SysWOW64\Bldgoeog.exe
        
        C:\Windows\system32\Bldgoeog.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\SysWOW64\Bboplo32.exe
        
        C:\Windows\system32\Bboplo32.exe
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\SysWOW64\Bemlhj32.exe
        
        C:\Windows\system32\Bemlhj32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\SysWOW64\Bmddihfj.exe
        
        C:\Windows\system32\Bmddihfj.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\SysWOW64\Bpbpecen.exe
        
        C:\Windows\system32\Bpbpecen.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\SysWOW64\Bbalaoda.exe
        
        C:\Windows\system32\Bbalaoda.exe
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3872
        
        C:\Windows\SysWOW64\Beoimjce.exe
        
        C:\Windows\system32\Beoimjce.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\SysWOW64\Bmfqngcg.exe
        
        C:\Windows\system32\Bmfqngcg.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4556
        
        C:\Windows\SysWOW64\Bliajd32.exe
        
        C:\Windows\system32\Bliajd32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Bpemkcck.exe
        
        C:\Windows\system32\Bpemkcck.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:720
        
        C:\Windows\SysWOW64\Bbcignbo.exe
        
        C:\Windows\system32\Bbcignbo.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1916
        
        C:\Windows\SysWOW64\Bfoegm32.exe
        
        C:\Windows\system32\Bfoegm32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\Beaecjab.exe
        
        C:\Windows\system32\Beaecjab.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\SysWOW64\Bmimdg32.exe
        
        C:\Windows\system32\Bmimdg32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4268
        
        C:\Windows\SysWOW64\Blknpdho.exe
        
        C:\Windows\system32\Blknpdho.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\Bpgjpb32.exe
        
        C:\Windows\system32\Bpgjpb32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Bbefln32.exe
        
        C:\Windows\system32\Bbefln32.exe
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3032
        
        C:\Windows\SysWOW64\Bfabmmhe.exe
        
        C:\Windows\system32\Bfabmmhe.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\Bedbhi32.exe
        
        C:\Windows\system32\Bedbhi32.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        C:\Windows\SysWOW64\Bmkjig32.exe
        
        C:\Windows\system32\Bmkjig32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1476
        
        C:\Windows\SysWOW64\Cpifeb32.exe
        
        C:\Windows\system32\Cpifeb32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Cdebfago.exe
        
        C:\Windows\system32\Cdebfago.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4532
        
        C:\Windows\SysWOW64\Cbhbbn32.exe
        
        C:\Windows\system32\Cbhbbn32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\Cfcoblfb.exe
        
        C:\Windows\system32\Cfcoblfb.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3624
        
        C:\Windows\SysWOW64\Cibkohef.exe
        
        C:\Windows\system32\Cibkohef.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\Cmmgof32.exe
        
        C:\Windows\system32\Cmmgof32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Clpgkcdj.exe
        
        C:\Windows\system32\Clpgkcdj.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3448
        
        C:\Windows\SysWOW64\Cdgolq32.exe
        
        C:\Windows\system32\Cdgolq32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4708
        
        C:\Windows\SysWOW64\Cbjogmlf.exe
        
        C:\Windows\system32\Cbjogmlf.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4792
        
        C:\Windows\SysWOW64\Cehlcikj.exe
        
        C:\Windows\system32\Cehlcikj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4044
        
        C:\Windows\SysWOW64\Cidgdg32.exe
        
        C:\Windows\system32\Cidgdg32.exe
        40⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3768
        
        C:\Windows\SysWOW64\Clbdpc32.exe
        
        C:\Windows\system32\Clbdpc32.exe
        41⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2508
        
        C:\Windows\SysWOW64\Cpnpqakp.exe
        
        C:\Windows\system32\Cpnpqakp.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1004
        
        C:\Windows\SysWOW64\Cdjlap32.exe
        
        C:\Windows\system32\Cdjlap32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3476
        
        C:\Windows\SysWOW64\Cbmlmmjd.exe
        
        C:\Windows\system32\Cbmlmmjd.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3248
        
        C:\Windows\SysWOW64\Cfhhml32.exe
        
        C:\Windows\system32\Cfhhml32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\Cifdjg32.exe
        
        C:\Windows\system32\Cifdjg32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4296
        
        C:\Windows\SysWOW64\Cmbpjfij.exe
        
        C:\Windows\system32\Cmbpjfij.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Cleqfb32.exe
        
        C:\Windows\system32\Cleqfb32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5176
        
        C:\Windows\SysWOW64\Cdlhgpag.exe
        
        C:\Windows\system32\Cdlhgpag.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5216
        
        C:\Windows\SysWOW64\Cboibm32.exe
        
        C:\Windows\system32\Cboibm32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Cfjeckpj.exe
        
        C:\Windows\system32\Cfjeckpj.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5288
        
        C:\Windows\SysWOW64\Cemeoh32.exe
        
        C:\Windows\system32\Cemeoh32.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Ciiaogon.exe
        
        C:\Windows\system32\Ciiaogon.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5376
        
        C:\Windows\SysWOW64\Cmdmpe32.exe
        
        C:\Windows\system32\Cmdmpe32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5416
        
        C:\Windows\SysWOW64\Cpcila32.exe
        
        C:\Windows\system32\Cpcila32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5456
        
        C:\Windows\SysWOW64\Cdnelpod.exe
        
        C:\Windows\system32\Cdnelpod.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5496
        
        C:\Windows\SysWOW64\Cbaehl32.exe
        
        C:\Windows\system32\Cbaehl32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5536
        
        C:\Windows\SysWOW64\Cepadh32.exe
        
        C:\Windows\system32\Cepadh32.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5568
        
        C:\Windows\SysWOW64\Ciknefmk.exe
        
        C:\Windows\system32\Ciknefmk.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5608
        
        C:\Windows\SysWOW64\Clijablo.exe
        
        C:\Windows\system32\Clijablo.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:5656
        
        C:\Windows\SysWOW64\Dpefaq32.exe
        
        C:\Windows\system32\Dpefaq32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5688
        
        C:\Windows\SysWOW64\Ddqbbo32.exe
        
        C:\Windows\system32\Ddqbbo32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5736
        
        C:\Windows\SysWOW64\Dfonnk32.exe
        
        C:\Windows\system32\Dfonnk32.exe
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5772
        
        C:\Windows\SysWOW64\Debnjgcp.exe
        
        C:\Windows\system32\Debnjgcp.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:5816
        
        C:\Windows\SysWOW64\Dinjjf32.exe
        
        C:\Windows\system32\Dinjjf32.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5856
        
        C:\Windows\SysWOW64\Dmifkecb.exe
        
        C:\Windows\system32\Dmifkecb.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:5896
        
        C:\Windows\SysWOW64\Dpgbgpbe.exe
        
        C:\Windows\system32\Dpgbgpbe.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5936
        
        C:\Windows\SysWOW64\Ddcogo32.exe
        
        C:\Windows\system32\Ddcogo32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5968
        
        C:\Windows\SysWOW64\Dbfoclai.exe
        
        C:\Windows\system32\Dbfoclai.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6016
        
        C:\Windows\SysWOW64\Dedkogqm.exe
        
        C:\Windows\system32\Dedkogqm.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6052
        
        C:\Windows\SysWOW64\Dmkcpdao.exe
        
        C:\Windows\system32\Dmkcpdao.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:6096
        
        C:\Windows\SysWOW64\Dlncla32.exe
        
        C:\Windows\system32\Dlncla32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:6136
        
        C:\Windows\SysWOW64\Dpjompqc.exe
        
        C:\Windows\system32\Dpjompqc.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:788
        
        C:\Windows\SysWOW64\Dbhlikpf.exe
        
        C:\Windows\system32\Dbhlikpf.exe
        74⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\Dgdgijhp.exe
        
        C:\Windows\system32\Dgdgijhp.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:3668
        
        C:\Windows\SysWOW64\Dibdeegc.exe
        
        C:\Windows\system32\Dibdeegc.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3904
        
        C:\Windows\SysWOW64\Dmnpfd32.exe
        
        C:\Windows\system32\Dmnpfd32.exe
        77⤵
        Drops file in System32 directory
        
        PID:4032
        
        C:\Windows\SysWOW64\Dpllbp32.exe
        
        C:\Windows\system32\Dpllbp32.exe
        78⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Windows\SysWOW64\Ddhhbngi.exe
        
        C:\Windows\system32\Ddhhbngi.exe
        79⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3204
        
        C:\Windows\SysWOW64\Dbkhnk32.exe
        
        C:\Windows\system32\Dbkhnk32.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:3948
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 412
        81⤵
        Program crash
        
        PID:5436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3948 -ip 3948
1⤵
PID:5284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4188,i,8293235976513689021,7261015831736501466,262144 --variations-seed-version --mojo-platform-channel-handle=4112 /prefetch:8
1⤵
PID:5764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acgfec32.exe

Filesize
80KB

MD5
1c475920faaa3d9f41dc4a29fee49a23

SHA1
541d314ad4622008599fa965abffe4a5859a7101

SHA256
015e45bca4ed21b430fcd54169bc267362bb1b3490b35998fb047a815836201c

SHA512
21167c017c73bef564a01fac4bf2dad7c4c96b2e1929f9ee55710bfaac1f59dfb81240244c163f71dc1a16ade7c58f403e8413b173a49ac387b1defbd9c7c75b

Download Submit
C:\Windows\SysWOW64\Afceko32.exe

Filesize
80KB

MD5
56ec06ca3186942dfc37cd9da66b630d

SHA1
c754e5505d7c642cdc63685cb7286d145eeb3c57

SHA256
643d46773a1dba3733d38883247af80bcfcb17065071175f515abb292434e904

SHA512
eccfb30c54cd703c7ae10de820b3e3a5552e27912144c97e052c46923626d89aba6b4b11e4ad798791a58a6c5e11b2499422d10d294de55c5806ba4bd11e6bbf

Download Submit
C:\Windows\SysWOW64\Afqifo32.exe

Filesize
80KB

MD5
160f30e7e7872eab53b46a9ef6529b25

SHA1
27ccbc5980a7751b8708da8e4602ad5cf9e56115

SHA256
9a3eeb029e09adcf853be1e9f6aa8d39570d0c2ddb2ec15585fb620651190644

SHA512
6c06e275d257f5a2c26464a6e6cae76e90fca589c899c6fb4e3189c20450d45c4e58e08fe1a3710ca603fa95d4bb2ec5b1c6d41809f5a3992e68dce95b4d37c0

Download Submit
C:\Windows\SysWOW64\Aiabhj32.exe

Filesize
80KB

MD5
047d6a72d3f5fbb731bfccfd243e12ae

SHA1
d2f4bfa0dde388efddf5c6a4c42c469b734b0c0c

SHA256
66e20424c6aa7df1d1724e7bf2d63f4392d0ce9f26e2b4965fae327c52d63814

SHA512
7ebf6665f4fc2ab3b77ae6c7e4c7d432418438acee261b81b90936ff537fc00d22b56ee556b0598926a85fa8e7a4f4dedf21fd31ef09007d0e10278d13780849

Download Submit
C:\Windows\SysWOW64\Aidomjaf.exe

Filesize
80KB

MD5
1a1d95da39ac4d6e6df23d9fc90ccaf0

SHA1
4bd99a2574e4270e4877937740d9ad7bc3e1e4a2

SHA256
d8cd3e2704ff3dfe304ecf5fb897943a625ce6be7be1c1a8657764dc7a24031d

SHA512
a9917086d2fe89ac342751ecbb74db0ef92a9be18ee6a267f95f9d539d090e311f1ad828e6730b6a4d79f6758ef1d6b98885c7870867e578f626717d957f37e7

Download Submit
C:\Windows\SysWOW64\Amkabind.exe

Filesize
80KB

MD5
e15cb030739846ac5d02e3e2e895eab3

SHA1
df301146dba86957b21fd8cd43b6d21ef579886d

SHA256
2aac6ee7ba6ff20d24f5e9126534f02ad59bb880db81ca9a563f7ac4d11f8305

SHA512
f7d062d9fdefb9343c02937fab2303b4001fe92c2a524e40c4445af3dd5c582ccb34db37d7954e20879f478cb2e18466d4be80c4a7679cdbadc7bea5bbf3217a

Download Submit
C:\Windows\SysWOW64\Apngjd32.exe

Filesize
80KB

MD5
fa8ce54299eb0e4c0274f472b3c22b48

SHA1
1d8dada3aca0759337fea5672e22989356b8d04d

SHA256
5987882bb9d73d44e4b9b719d21a878c887de5850258d60ae419f26d497b3df0

SHA512
6a5953e05f56d63abd6ce14ffd8727f8d94aefeccf7d2346b2aa46f9961d0b91d7ab4c50b1e8ad4e21a2701fdf5868f4b19b96eaf70373a6698df7cfef6bf26d

Download Submit
C:\Windows\SysWOW64\Bbalaoda.exe

Filesize
80KB

MD5
a2d9c7a1c02aa46bb659e5cfca700478

SHA1
59d060af535ef8a5b5f58144ed7b5317fedc3c47

SHA256
b80719380e002748735b16d995f8a61732dd4ecc1ff3b3e8104e7e4d647fe03a

SHA512
1726c474e5df820d816e33bff12edbedb2d301c5bc58a5e1f78a5b217827bf7d16e9e2f534597282d64ee55a6512acb4f702b0c241ff6055a3375bbed33d8d0f

Download Submit
C:\Windows\SysWOW64\Bbcignbo.exe

Filesize
80KB

MD5
fda1ac694b8f74ff187610bfaa1fce3c

SHA1
671a18a9971ee719a107ae13e0c37204b5dca80a

SHA256
d9070bddab03ddb175eb235ea71fe89a7a5a4a7ae48699bdf0d47b94b358d5bb

SHA512
bde9845ded40d503fdf4aca68d7abd09236ef95f3db3dab4c7f2ac12a571296215d579dd9bc871bc7c23065bdc15b8f5ae8c6617069aa0db80bf019392e56714

Download Submit
C:\Windows\SysWOW64\Bbefln32.exe

Filesize
80KB

MD5
6fef38abed0d61a93646203a04c42d52

SHA1
ad31d029b6f743cc7320e7e14a112a5b41ea5f37

SHA256
007033fe0317215c30c0654d48a2739629aa863b8066460e376f6f9fb98b75c5

SHA512
1d41937dd52751c68d2fc80cca00cfcb3f7a97f330ab7398de2c71117fb3283fba0d9ec829d502b5a9fa95d15dc23bc8a9f7efd638f06f931b33b43e0d9189e6

Download Submit
C:\Windows\SysWOW64\Bboplo32.exe

Filesize
80KB

MD5
aa55502cc2131eaa255b1d4f89fd9b69

SHA1
79ecb97c8bdae81af4b6d69fb1862811b2b75df0

SHA256
748b54fb6834f120bd1941b2675aec2ee10c359645025d55cd2ad2877251b1d0

SHA512
9ccfdad49cd25a5cd2181c2795bbf0d454da5f5378d0f78f5ba6de2590b55aecb2dd00625089e9051721b094ae45d112734d9407cd0eea0c43591467530b466e

Download Submit
C:\Windows\SysWOW64\Beaecjab.exe

Filesize
80KB

MD5
f309e0a4e556f3c34dc3c361a59d35d4

SHA1
a23d645b8c3a758eec8048a1fb2701809cbcd210

SHA256
a80d1eeaad4bf25b671af9d676f89e52b537edea3f866a58b8947831c16e3012

SHA512
a06eef00651ea375f944b7d4828c02591acb9f708aaf93d4d064c1664fb688aae5bf8fd9ab3ec5653d59a1189fcfa9b7d4b9c305a88526ef2af951035e6da7d5

Download Submit
C:\Windows\SysWOW64\Bedbhi32.exe

Filesize
80KB

MD5
d89a989ee1be2a1856b01b79c9a6ef1f

SHA1
98b8bf0fc40e654f3de96774dc4b259174caf5c9

SHA256
2ce9dfb598b60a6d073bf2d5f60a611d42ecf6623e3e84f8fc86f710a04e9786

SHA512
f7660ef90df8bd1c4c934c8f24cbd5d3fe6bf06af0b5396f928836a2f9ba4981db001207c1fe5aa0e1dff8c99f321eef3cd04536981678befae3020989dcdca4

Download Submit
C:\Windows\SysWOW64\Bejobk32.exe

Filesize
80KB

MD5
1507eba814bfb7688a0b4b409ede70ee

SHA1
cd27fcd8b2d4571e0362e7f6e0c8e643ddfb0d7e

SHA256
c803fafcb5679b6e8d7744e9a48fc47a09c43f1be5752d396d09f459e4212e00

SHA512
285b595329191709223bfbbeb854131654ae16007e6cedacfa8afca866ce3d3f15e12b809d66da7ee24ac4587e6ab2ff0d0c2e1ad42d412b05f25e3594d108e5

Download Submit
C:\Windows\SysWOW64\Bemlhj32.exe

Filesize
80KB

MD5
0cea49e3818832de4b511352dda1d633

SHA1
73ed9db2ec8fa70e46a7bf3c2dd3d9267ae1fa5f

SHA256
04437ffc6f630156778f6b9718793b3e21b42f901ea622c324ed8120fc0ec7aa

SHA512
ed98a1c480ef0d3eaa56c9ba2218981aa8479d784e27741f871179ac24894e35447eec6da33472d6a9fa5ea2167edf11bfa04061aa68d8a5c56c5dced99507dd

Download Submit
C:\Windows\SysWOW64\Beoimjce.exe

Filesize
80KB

MD5
1da6f8c6bedfe89eeabe4dfc27e42abf

SHA1
4faad87055074715d3e43b9e65774f418d57552b

SHA256
a1c3bfc885572499da25cf22fbdd22e3c437e0c2269c4c3d19b600987b099e83

SHA512
6196382b6531326c49e62f0a36d2d36bf92fd6c57c975d7b4901a913921a09b44b4ab83945128fcea6f97aa1a8f66b1b27fdf33ae16889c93fc433a99a58b8d1

Download Submit
C:\Windows\SysWOW64\Bfabmmhe.exe

Filesize
80KB

MD5
91061272bca6a3f84aaebc7be89a3b71

SHA1
9508f1b600ac20cb5dbbfe6c4718adbd36224d70

SHA256
180507f306aed9fa483967615b9be6fa0acdf1ce98579a1e038d008238329965

SHA512
a6232df341fcca67635adf978f86a1adda733631465a815a2e5e3284e39577c09ecc403519bdb6000f0d43787b78293eae3d0e0e76845eedef4cb74c0082cce6

Download Submit
C:\Windows\SysWOW64\Bfoegm32.exe

Filesize
80KB

MD5
82f252d9f87c325efac7f7cda6c9f5e4

SHA1
c1d4def2e52f3166acb6693f53854353c98f699c

SHA256
961a48311296004bf5d36d7a9d5a5b9f42226e7acfb2f8a2c39a61b9ed0d8a56

SHA512
6706a115b551ac1d9480186471ff27651b083285a5909eee347b3f296c7ee4cb07d2d33bc27da62639b76fe315ec2fba34b29527a74f1f0c9a575978c63cc71f

Download Submit
C:\Windows\SysWOW64\Bldgoeog.exe

Filesize
80KB

MD5
3d7cab8eaf8f1fa25a066627ec28ba3b

SHA1
f66c694f379c0c75687bdaba77b16d06d8c259a2

SHA256
d036e13a911378387500d3589e0c321179caa983245bc7494642c9f130ea35e5

SHA512
f1acc96dd3dea8bccb330d011aab89a0556d9c6e43604380e9f25c8f8cfc2ad69efe8a6aec9d0024fbf8a6cd6924f1f99ee73c4d2b4b1edc25e0765fe88b37ae

Download Submit
C:\Windows\SysWOW64\Bliajd32.exe

Filesize
80KB

MD5
7f7a8567f37ad5ba30d86725dc027d26

SHA1
43a4b42c9383c52c0b079ab4bb3ed235c2633527

SHA256
2fc5b54d57593ec19f6998e9386cba32eb93479bd44b3287fda237fa1c814123

SHA512
380c273b264bb67f9764f7129d2e47132b2e1741f1cc6ed3a0b42a4138a0c4d1ae1645135b406135cd13ddaa2eb2697443d4672825b673438d8fe74cd9d21421

Download Submit
C:\Windows\SysWOW64\Blknpdho.exe

Filesize
80KB

MD5
4072e7d6b9d920c30959ba76fd736b80

SHA1
915b79cec46e751813e9630a982cf9f92183958f

SHA256
e3dd18a479dbd46bb81e5d5c298dc154f4faf67e9dd4e9057f73dd224ac3a520

SHA512
5a053918411e5102cab3347e14a6154052455e4ce1d6b6cffe82c751c190dda156553bc2266cb4f74a03668662f9648a55b4c8abdd2d7f9c0c96bcfb14fb8829

Download Submit
C:\Windows\SysWOW64\Bmddihfj.exe

Filesize
80KB

MD5
fe0d7444492b6309e2d4c4df6d00563c

SHA1
88179b2e63dd497a9c2176acf261f05948dbda52

SHA256
2673153dbe1d26c40cbced8ae8b79697c0d5b5435bad57124c50ed162961497e

SHA512
b327c2e50b86d18ddcf29ed57350746c096428093f5e3f6ed85c14f18cf83e554b5f50df04ba96e324aed5a08a07a5c13696e8730a96a57b644128fc9ebf994d

Download Submit
C:\Windows\SysWOW64\Bmfqngcg.exe

Filesize
80KB

MD5
201d2bd182f21bc04553642d90064c75

SHA1
0d2c8dcf2523a5b7d3e410ac14a2ac8300835d28

SHA256
0270e1c1fcd41eb40a62e4583176fd81a6867209f8f2ae5d3ecf241c2f95f20e

SHA512
831fd257b903114be7e450b93e1bfa2a1b1d6c7b3e7311b56caec2b9372a08f13d89b3b8d0a0c201faa90d52da6ccab97b9c139ba1bc5f96f70fe7b4c7c856f1

Download Submit
C:\Windows\SysWOW64\Bmimdg32.exe

Filesize
80KB

MD5
4cef13a3e23e158785b3c44dce2a7060

SHA1
b59291ccdef57ba01af70d7eb1dc2bbb9b788e41

SHA256
7d2f90adad4cf5f3a2c9fd66b62b537d07a79e3eda791eb564157cb3f7a2c4e8

SHA512
92b88a93d7ecbbefb7c8a1716f9496bf22a512e6af66d57257455e6b0cf43c69354bec1c7371edef8acf4bcbdb96f133dec3fa6015e3449d12eec92aa7f66586

Download Submit
C:\Windows\SysWOW64\Bmkjig32.exe

Filesize
80KB

MD5
0f8c40a0df1a64430a4e4938691d9a3d

SHA1
41c296a24fc361de8e1fd9b5ae3fe347bdee0fea

SHA256
30278b6d8cf1b14b39a5f731a4c7a6775309cd082fd0190840127abc659b8cea

SHA512
2445b5d22b1e5ac96d5e77502e345037d15d0a0ed490075f42240dcd19636f6a4abc13d95fc6bc8ac8fe2aa5588c860255a6d7b960c64d60465b0c9f431cc14e

Download Submit
C:\Windows\SysWOW64\Bpbpecen.exe

Filesize
80KB

MD5
820b9c1fae273bb04ecf9105f6f6601c

SHA1
a83c6d9c6ec92c7209bc2b6340e88a712d5d56af

SHA256
ab724886f7c197186eba9646fb694f170de4a23a6353e2ddb35b5c20ac7e690d

SHA512
41225506a12d63b6e6f8e4fcd2b595517c6f637be59c42536d8c2544d06b6f0b69e43f402cb59e9e834112d0a275c4c50a879ecc3e2a2a4a910d984cc6c142df

Download Submit
C:\Windows\SysWOW64\Bpemkcck.exe

Filesize
80KB

MD5
9cd0748acfac850927b47a1159a66ee2

SHA1
db0a188288471031fd7f766501dac7eda7c71ca8

SHA256
68a18bd49142d58cc22790862f20601eab741311306c434033e5e28d284ef284

SHA512
6c60139c69bb7c1d05d82ce4c238db8c5f4fb62646ed603e6a997ab12a9649dba50777cca3ac65c0820a1b205e12d4a69811946fb7d477fa190f333af8948260

Download Submit
C:\Windows\SysWOW64\Bpgjpb32.exe

Filesize
80KB

MD5
709806c68908544b8a89570a9a73ddce

SHA1
293591fe9ba2f7a429d1debe71291307869da00e

SHA256
d220acfa096c645da9b7f5d26445de2b81d60823c70fd5b79617b74460bf7c9b

SHA512
1c17a34bba6cddf9442346e5dd72ca5c07d4346c4b6bf8d85c8321e1fb9bf535a57fd685168181a5710df2e65c79ca74bb6637765119ed972ee8d4bec9d867b7

Download Submit
C:\Windows\SysWOW64\Cbhbbn32.exe

Filesize
80KB

MD5
75aa6246c297643bc1ed48f1da6f753d

SHA1
9de8f1d8f169973e6677e4ca1b762a48a69d5174

SHA256
8e46e2a0d9c0f6db171b21f82a955df3f0fe4052addf95e595dbabd86ce7a589

SHA512
d33bf9deb529a5309c2e0a1cb7dd3d20e31aa2d3a1a9310b44ec63a84535d13e9c08650993d407d473c903c76c739788ce5ce53ad9716bcf9d0341a8e8859117

Download Submit
C:\Windows\SysWOW64\Cdebfago.exe

Filesize
80KB

MD5
3a751d39a5e929ef50674f69f598e4ed

SHA1
772db71280f74afaba701527cc288df003939f9e

SHA256
aca1c55aff131e7b3a26eefd0f9cc677bc61053817625b9c4c7ab765e395336d

SHA512
296a8b81e3db2380223b5b592405fa6923c9c41a5893efe799f65bcbf48165827c64ebeded1a41ed1d07004de9ce7aed81a7014d2c6243d6fdcca9dd9f475472

Download Submit
C:\Windows\SysWOW64\Cfcoblfb.exe

Filesize
80KB

MD5
908ecdc35a50c174dd45e1d96ba0de07

SHA1
0abb023171ae2fc7a1178b77f7dd9b508878403e

SHA256
f022d4e8009f4ab1a76c3ba63119025b40a4b1067698bf1e8d55391e0aed4a72

SHA512
8e84589423539ac3c8e3b0fbb460c31c62f9d763ab136b32a1a04422cacf1bb1adf9cae90cd58ab134d699ac867c41b2ebff1ab1467819d5a41cdfde63ef3768

Download Submit
C:\Windows\SysWOW64\Cpifeb32.exe

Filesize
80KB

MD5
8e394ee191067a89d60495ec483bc7bd

SHA1
b6eb88af0071e12f7e69788e8ad9b98947e973ab

SHA256
8b9739a887f13edc9e054c3cf861dcc2af7a37253689d602b012e36ec4078814

SHA512
43933aff92823ecaf2200eecbdb2e37b9ce635a31c5590688bbc9ea413bed42b66b18a0d0de9e726349905b5049b44fb51353c984654bdb97c6033fcedb97e64

Download Submit
C:\Windows\SysWOW64\Obkcmi32.dll

Filesize
7KB

MD5
1391213573847f62c767a3392e771d17

SHA1
7ff00d32f06e25f776eabf33f66da2ee06bac62f

SHA256
7772231beadee760afccd7db9127cb857096ed6b27102a6b74e019c415848c00

SHA512
9ed9ea92ea5841b7e4a4eb1a2d3d0917948bdf196280cead8c099ac40b3d258947d6c6ff1dc5b83182643c716549f86748ae896338fba859e7db93fbfb60f5b0

Download Submit
memory/348-155-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/348-55-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/720-156-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/788-512-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1004-326-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1180-103-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1332-164-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1332-63-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1476-240-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1664-183-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1744-200-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1916-165-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1988-542-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2056-15-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2056-106-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2208-129-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2356-278-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2368-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2368-79-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2424-137-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2424-39-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2468-232-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2508-320-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2700-119-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2700-23-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2876-92-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2876-8-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2880-174-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2908-191-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2908-105-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3032-216-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3204-548-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3212-182-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3212-80-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3248-338-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3448-290-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3476-332-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3608-31-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3608-128-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3624-272-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3668-524-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3768-314-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3848-146-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3848-47-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3872-120-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3904-530-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3948-550-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4032-536-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4044-308-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4268-192-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4284-344-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4296-350-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4440-224-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4488-109-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4532-256-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4556-138-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4608-518-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4708-296-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4736-284-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4756-71-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4756-173-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4792-302-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/4808-248-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5024-147-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5040-264-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5076-208-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5136-356-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5176-362-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5216-368-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5248-374-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5288-380-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5328-386-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5376-392-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5416-398-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5456-404-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5496-410-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5536-416-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5568-422-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5608-428-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5656-434-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5688-440-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5736-446-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5772-452-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5816-458-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5856-464-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5896-470-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5936-476-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/5968-482-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/6016-488-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/6052-494-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/6096-500-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/6136-506-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads