41ddd44c05643f6546966abeb1ab259d2336daedd558d5a58dfc36afb85273a4

Analysis

max time kernel
107s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 15:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b8dafdad9cd1dfcf398262fa37ac5e90N.exe
Size

93KB
MD5

b8dafdad9cd1dfcf398262fa37ac5e90
SHA1

54a250f14aa4a2d09df454ca1c16167692e43c45
SHA256

41ddd44c05643f6546966abeb1ab259d2336daedd558d5a58dfc36afb85273a4
SHA512

505cfeb9e4547f0e6e549f1c486a6f2cd10485e28702d30e833dadd5e1509633bf55579c82329204caa7784469da5db03cb86145a8567b41722623908027279e
SSDEEP

1536:5759UfOibAHw1ODagK0bhxrjYeKpWSUGVnbcRaQz/asbKLwcTaijiwg58:RojbAOOD7VKwSU4nbcRnD/2LwcHY58

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	b8dafdad9cd1dfcf398262fa37ac5e90N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeiofcji.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ceehho32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agoabn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceehho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe

Executes dropped EXE 61 IoCs

pid	Process
2332	Acjclpcf.exe
3560	Afhohlbj.exe
3152	Anogiicl.exe
784	Aeiofcji.exe
2560	Afjlnk32.exe
3500	Amddjegd.exe
2872	Acnlgp32.exe
4576	Ajhddjfn.exe
2708	Amgapeea.exe
4564	Aeniabfd.exe
1092	Aglemn32.exe
1056	Anfmjhmd.exe
2364	Aminee32.exe
3796	Agoabn32.exe
4248	Bjmnoi32.exe
4688	Bebblb32.exe
2388	Bfdodjhm.exe
3832	Baicac32.exe
1704	Bffkij32.exe
4080	Bnmcjg32.exe
3420	Bcjlcn32.exe
3872	Bjddphlq.exe
4168	Bmbplc32.exe
5044	Bclhhnca.exe
5092	Bfkedibe.exe
1064	Bapiabak.exe
4436	Bcoenmao.exe
4448	Cjinkg32.exe
4308	Cmgjgcgo.exe
4616	Cenahpha.exe
1376	Cfpnph32.exe
4948	Cjkjpgfi.exe
728	Caebma32.exe
1552	Ceqnmpfo.exe
752	Cfbkeh32.exe
4472	Cmlcbbcj.exe
1960	Cagobalc.exe
1596	Cdfkolkf.exe
3124	Cfdhkhjj.exe
2352	Cmnpgb32.exe
644	Ceehho32.exe
2144	Chcddk32.exe
2540	Cjbpaf32.exe
1436	Cmqmma32.exe
4816	Ddjejl32.exe
4132	Dfiafg32.exe
3428	Dopigd32.exe
1724	Dejacond.exe
2088	Dhhnpjmh.exe
3776	Djgjlelk.exe
2152	Dmefhako.exe
4588	Delnin32.exe
2108	Dhkjej32.exe
1472	Dfnjafap.exe
3812	Dmgbnq32.exe
2220	Deokon32.exe
1788	Dhmgki32.exe
1124	Dkkcge32.exe
4988	Dmjocp32.exe
2932	Dddhpjof.exe
4544	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Maghgl32.dll	Amddjegd.exe
File created	C:\Windows\SysWOW64\Ljbncc32.dll	Aglemn32.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Caebma32.exe
File created	C:\Windows\SysWOW64\Ceehho32.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Kboeke32.dll	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Amddjegd.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Olfdahne.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Ihidnp32.dll	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Amddjegd.exe	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Bnmcjg32.exe
File opened for modification	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Jmmmebhb.dll	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Aeniabfd.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Dqfhilhd.dll	Aminee32.exe
File created	C:\Windows\SysWOW64\Fpnnia32.dll	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Chcddk32.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Chcddk32.exe	Ceehho32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Hjlena32.dll	Amgapeea.exe
File created	C:\Windows\SysWOW64\Glbandkm.dll	Bebblb32.exe
File opened for modification	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cjbpaf32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Aglemn32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bcjlcn32.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Hcjccj32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Hmcjlfqa.dll	b8dafdad9cd1dfcf398262fa37ac5e90N.exe
File created	C:\Windows\SysWOW64\Mbpfgbfp.dll	Afjlnk32.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Acnlgp32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1068	4544	WerFault.exe	147

System Location Discovery: System Language Discovery 1 TTPs 62 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8dafdad9cd1dfcf398262fa37ac5e90N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceehho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Caebma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jekpanpa.dll"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Afjlnk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmjgool.dll"	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	b8dafdad9cd1dfcf398262fa37ac5e90N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Deokon32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdlbjng.dll"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2332	2160	b8dafdad9cd1dfcf398262fa37ac5e90N.exe	84
PID 2160 wrote to memory of 2332	2160	b8dafdad9cd1dfcf398262fa37ac5e90N.exe	84
PID 2160 wrote to memory of 2332	2160	b8dafdad9cd1dfcf398262fa37ac5e90N.exe	84
PID 2332 wrote to memory of 3560	2332	Acjclpcf.exe	85
PID 2332 wrote to memory of 3560	2332	Acjclpcf.exe	85
PID 2332 wrote to memory of 3560	2332	Acjclpcf.exe	85
PID 3560 wrote to memory of 3152	3560	Afhohlbj.exe	86
PID 3560 wrote to memory of 3152	3560	Afhohlbj.exe	86
PID 3560 wrote to memory of 3152	3560	Afhohlbj.exe	86
PID 3152 wrote to memory of 784	3152	Anogiicl.exe	87
PID 3152 wrote to memory of 784	3152	Anogiicl.exe	87
PID 3152 wrote to memory of 784	3152	Anogiicl.exe	87
PID 784 wrote to memory of 2560	784	Aeiofcji.exe	88
PID 784 wrote to memory of 2560	784	Aeiofcji.exe	88
PID 784 wrote to memory of 2560	784	Aeiofcji.exe	88
PID 2560 wrote to memory of 3500	2560	Afjlnk32.exe	89
PID 2560 wrote to memory of 3500	2560	Afjlnk32.exe	89
PID 2560 wrote to memory of 3500	2560	Afjlnk32.exe	89
PID 3500 wrote to memory of 2872	3500	Amddjegd.exe	90
PID 3500 wrote to memory of 2872	3500	Amddjegd.exe	90
PID 3500 wrote to memory of 2872	3500	Amddjegd.exe	90
PID 2872 wrote to memory of 4576	2872	Acnlgp32.exe	91
PID 2872 wrote to memory of 4576	2872	Acnlgp32.exe	91
PID 2872 wrote to memory of 4576	2872	Acnlgp32.exe	91
PID 4576 wrote to memory of 2708	4576	Ajhddjfn.exe	92
PID 4576 wrote to memory of 2708	4576	Ajhddjfn.exe	92
PID 4576 wrote to memory of 2708	4576	Ajhddjfn.exe	92
PID 2708 wrote to memory of 4564	2708	Amgapeea.exe	93
PID 2708 wrote to memory of 4564	2708	Amgapeea.exe	93
PID 2708 wrote to memory of 4564	2708	Amgapeea.exe	93
PID 4564 wrote to memory of 1092	4564	Aeniabfd.exe	94
PID 4564 wrote to memory of 1092	4564	Aeniabfd.exe	94
PID 4564 wrote to memory of 1092	4564	Aeniabfd.exe	94
PID 1092 wrote to memory of 1056	1092	Aglemn32.exe	95
PID 1092 wrote to memory of 1056	1092	Aglemn32.exe	95
PID 1092 wrote to memory of 1056	1092	Aglemn32.exe	95
PID 1056 wrote to memory of 2364	1056	Anfmjhmd.exe	96
PID 1056 wrote to memory of 2364	1056	Anfmjhmd.exe	96
PID 1056 wrote to memory of 2364	1056	Anfmjhmd.exe	96
PID 2364 wrote to memory of 3796	2364	Aminee32.exe	98
PID 2364 wrote to memory of 3796	2364	Aminee32.exe	98
PID 2364 wrote to memory of 3796	2364	Aminee32.exe	98
PID 3796 wrote to memory of 4248	3796	Agoabn32.exe	99
PID 3796 wrote to memory of 4248	3796	Agoabn32.exe	99
PID 3796 wrote to memory of 4248	3796	Agoabn32.exe	99
PID 4248 wrote to memory of 4688	4248	Bjmnoi32.exe	100
PID 4248 wrote to memory of 4688	4248	Bjmnoi32.exe	100
PID 4248 wrote to memory of 4688	4248	Bjmnoi32.exe	100
PID 4688 wrote to memory of 2388	4688	Bebblb32.exe	101
PID 4688 wrote to memory of 2388	4688	Bebblb32.exe	101
PID 4688 wrote to memory of 2388	4688	Bebblb32.exe	101
PID 2388 wrote to memory of 3832	2388	Bfdodjhm.exe	103
PID 2388 wrote to memory of 3832	2388	Bfdodjhm.exe	103
PID 2388 wrote to memory of 3832	2388	Bfdodjhm.exe	103
PID 3832 wrote to memory of 1704	3832	Baicac32.exe	104
PID 3832 wrote to memory of 1704	3832	Baicac32.exe	104
PID 3832 wrote to memory of 1704	3832	Baicac32.exe	104
PID 1704 wrote to memory of 4080	1704	Bffkij32.exe	105
PID 1704 wrote to memory of 4080	1704	Bffkij32.exe	105
PID 1704 wrote to memory of 4080	1704	Bffkij32.exe	105
PID 4080 wrote to memory of 3420	4080	Bnmcjg32.exe	107
PID 4080 wrote to memory of 3420	4080	Bnmcjg32.exe	107
PID 4080 wrote to memory of 3420	4080	Bnmcjg32.exe	107
PID 3420 wrote to memory of 3872	3420	Bcjlcn32.exe	108

C:\Users\Admin\AppData\Local\Temp\b8dafdad9cd1dfcf398262fa37ac5e90N.exe
"C:\Users\Admin\AppData\Local\Temp\b8dafdad9cd1dfcf398262fa37ac5e90N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\SysWOW64\Acjclpcf.exe
  C:\Windows\system32\Acjclpcf.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\SysWOW64\Afhohlbj.exe
    C:\Windows\system32\Afhohlbj.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3560
  - - C:\Windows\SysWOW64\Anogiicl.exe
      C:\Windows\system32\Anogiicl.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3152
    - - C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:784
      - C:\Windows\SysWOW64\Afjlnk32.exe
        
        C:\Windows\system32\Afjlnk32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3500
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3796
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3832
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4080
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3872
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4168
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1064
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4436
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4308
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4616
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4948
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:728
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4472
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1596
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3124
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2352
        
        C:\Windows\SysWOW64\Ceehho32.exe
        
        C:\Windows\system32\Ceehho32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:644
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2540
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4816
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4132
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3428
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3776
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2152
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4588
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2108
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3812
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2220
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1124
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4544
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 416
        63⤵
        Program crash
        
        PID:1068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4544 -ip 4544
1⤵
PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
93KB

MD5
203b599ba01f614a990c96b2ae4b5695

SHA1
097a30a05ecca635f27c812177b2cd121ee88f0f

SHA256
d25b2e8740294abbdc6229dcec486a7c647939f53acb370cbf5abf6359caa646

SHA512
0678763345bf5641ba9fbd0b5e9e3ba9d5a52666e60858ddd0324f057ea160cd2f29629b0ed136cb8fb9bb71349e1e776a9a9fec7f045b1695f9d9d877ca8468

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
93KB

MD5
f0f81467c44aaf07359496bfe63eab7a

SHA1
b488238d3c0c361960ee9a0cf9e957b4d9d4bbbe

SHA256
bceffb07b96862881c6352185615b07d82006b5c6b1fc44424656a2f1d7ad6c3

SHA512
cf5afe51a5e4a7d55aa882d6844ff9863d20cf06ec22a228c459eb530ab0443bbfa6907c279ed7cb89472b5f9d7e9cd6166f71ea61eebe90a13332ed65daf339

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
93KB

MD5
010f0ae05f8ecdda1dbe9d7a2338c025

SHA1
1129c78487c1de8934f3d71220ae67c46975f01d

SHA256
8080a1f8feea07690f0e87dfda80815bfaa3905e16a5bcf2d54807f1de505fc7

SHA512
8861bf338a8e1a3e2974b979e8b54cb7721ccec2e460ab9c84ae0d2ac79474ce1d3166a89e734e21810f4717b9e8a83abc496e149f55dc1ebe09a78a95dc1c1e

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
93KB

MD5
f09565a76f3d5fe47c588988cf77d41f

SHA1
f5c8fc2822bccb9cbb9a144c5218c09003a63740

SHA256
e8f743d79116e79258436b7b01e6c401c2f867b92d47777aeff6af3415c6cbfa

SHA512
99d60df98f73b7d01003d99741db5283ef40293df5095760c88c70e353cfd101914a8ea1267bd2b370a1bc5fc7a226fc5dc1146b477e7725c8b1a63447c26221

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
93KB

MD5
d98e206f6836d1f2c4757f117684fc8a

SHA1
d89066d18eff4a041d3abea32a21fc906e69c2f7

SHA256
cdfa585478f6ff3f155e2065d38cd99ee179c892707d86135733c51dd10a7fa6

SHA512
3a9fc8c086764093879c08f1febb576c276e12805b6dbdfabe316d6686a54f7bf05c5bc711d1cc814a4d011bfce34c20eb8405ac5bcc10b825afc31e3a0ea6df

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
93KB

MD5
0b2922754341312baa16f5627efad209

SHA1
7e764fb87efbd5581f3f4117533c89da3014834f

SHA256
e079c2d45bb5bdaf7d127d69ed3b3ab3b1a9166a8b18403870d073c94f1e671c

SHA512
a4f685f138b801e6da7e010ddad96170c1159d2be57e031839d8a1c3c14ad299f1a0885864e97fed9e6d53a4fa693cfb0c4adade8264fc60d3d07aa209d91eaf

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
93KB

MD5
dada85c1d04ac994d2121cc0aaa7d8ad

SHA1
048135a6a7d2345408f0936e0943ae5de3d8b263

SHA256
71eb2285cdf609ac9d2d6bbc279e63d7d4b5da5155d44656de540f8e4d11cbcb

SHA512
d39450bbd35cbefc9d6ce16731b01bdac2d9501536a5c57bf1f5ec0df43c0fd29c7bcf62bc36b48f06c608340c8fdae1e21e7daba826e67f56c4f58e462b0c98

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
93KB

MD5
733c9534c7f26152261d8e1953d6bea1

SHA1
5beb33ee732af9e60f3066060ef1cf879a62033c

SHA256
739be8b8c1edaa3ce2fab5f4bbcfbfff8baf969208de2339abddcfb818a217e1

SHA512
2de6b1ee3f19cb15f19b3933ab84bdb4aff7e55043e563d1940247f319f633e550d94401c02705bc276d653cfd780a46e732ce0f892e05fcf7a94ff79aa05362

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
93KB

MD5
77209e10ebd4f59ab2ff88d83435bc09

SHA1
4d2f4f496ee1ec7d2f18a0b60cbfd37fb0f84892

SHA256
c5210bbee9df2bbfe97a78a77d44fe064a65a4991af3eee4c212fb7693d9a90c

SHA512
63eb5766fc3cfc37918d10f94e6bb37d8d1104daec8a3e11f8627cfd20d323a10620e58ac7711307e13b8b9aa0ad64693a4e9ea89cc6bf7de92f022f8d88e10f

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
93KB

MD5
923f895d0630513f15c212eed5c39650

SHA1
cb96a1902c40b49305759f0a13c8c59ca7ba7578

SHA256
21ef5f39bae91b32757acacfb7ad910ee882ee926399a274f732c5425a0fef55

SHA512
294cd12973bead36c0d2070e79387cb602c590afd17968c7d5a94791246f48ff2acde3ba50dc86241e708263a67a773e216e14f3b14e26b9850058a2288be0d3

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
93KB

MD5
5677010501f9fafe929784bea10fa463

SHA1
167dfedaaeca9e0367015682d63ff2f52aa813d5

SHA256
e81d370d28042f949a82ddf3f19ddbce004a70c5d881127f6c8c34f904c8cdfd

SHA512
647c821440a7e8115ecb85e462c4b62b472adfa4c9ebf947a091b4d564db0f913c0f8b1e44cfbe41b661fba60ed319ba764bfaedb335f40c9e8235f276b8b6ec

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
93KB

MD5
5fe7c68dcaa667276dac23b229f39a0e

SHA1
67f06aea13e1985a27f843a7a1ec5640be9051a7

SHA256
bf32f040fd56aad758db90d9750062faa0fade56f73aae1413c7087b03c653e3

SHA512
5a38b83261998c2b8c49033043eb8d8760a022174abbf309d046276dbd578d4ef584b1a6c284ed642bc331f9e026492a456e1072ddd58a22416bff059b2f2b90

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
93KB

MD5
f16aede192563e742cf7930f0fd4e17a

SHA1
61ee70a31a0314728682cdd9d3256ffed042d04b

SHA256
19af782c2282599251f2a7843c8f25623a17f2b1b5ddebfc20c96e3451696f8d

SHA512
b3d41135ed7073a7f13c6977d325ac96f150e450825c7fe7f6a5167c3053c360fc04f22c6b2eb4b0385fa8948844499d2cd50845b61edce62f34ea72bf016e38

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
93KB

MD5
21f0cc203c5866dee242910362484b9b

SHA1
b8c35fa73ca16dbe662b313fa1bc20da6c099c5c

SHA256
d999681ccc051270a415de6104747ba01d359998b29ab9ed2278a6ec61f6b55d

SHA512
a70eda59fa5c2680680344550739b30a30a79c899b8b39ed30105208b9e051a4d1d5f0aeaf57728946040453af83d114607c8a0eb46eea9d4e18cbf082d720c1

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
93KB

MD5
a3bc0ed7f820b4364fc287d03c822811

SHA1
db20a22371860fbbb51faa07d8aa903173f6e942

SHA256
7c6161d94b9ed00d79909978c6b9ea94939d43f5e90d931cb274f14ee41981a0

SHA512
df5877881f55d39b4bb5bcf6369bdd8bb254e0fe0909e1f36cfa1c010f244682019165bf50070757b2ca963bb202e0387a79096ba958c63da65d5d5cdfb14c45

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
93KB

MD5
f39286a582a979070811ec6d5b1de71a

SHA1
bf1ed4f240559361ced240771f73901d3e3ff20c

SHA256
166c0e6e8068ecbb346d0fef91f870bb9d75160139aeb67d72379f079909b6d8

SHA512
0d16aa7a237e973c3b535385550be105b071365c4cfeb94eacb159efcbf78360cb617ef888713198b439a953bf7529776a4337dc3844a53a3420b3c7d2684eda

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
93KB

MD5
184f89a8fde81aba59da5ecd9a93c2a6

SHA1
c6f4271c0d53334f66027da29b815411c1ff4951

SHA256
10734d48e8db286a6e1a5c128e2d19471b3ca3afefc53013b5f27a0d6e4f1e43

SHA512
3469bab229cad4fe43308d57a638d6e9758d560dc6e2aa0aa1ed435480b58c5e0a4bc6a2cf554faf5eb979c51449c80ffbc131751bd1ae94b7142a716770b941

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
93KB

MD5
e07c8fe359e7eda34a5ff490ab1c7b6c

SHA1
0f33f168414f9d5096af06b51b79b7f60b874e25

SHA256
d4cd0efe447da5e26cd5ca0d91c2a333734b2e45908081d7384e4690299e1943

SHA512
de934c6a7fab0e4411e1887f3cf8b46944779da422a2ff121ea13e83d0a21c36146efdc2df2db6d294bf037d502fc8315b9708f02028464c6786e8d78a60c5eb

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
93KB

MD5
68c2b7cddbd4146574a9415b266f3620

SHA1
838c2f8808b2264d6e69e63f4916845cd61adfd7

SHA256
5d895ed4daa96006fe38f79df7d0c7a5a1be89ad9dd16d0720a5fad7cf7fbafb

SHA512
616387ef898673523a57565e8a09c10339102b8220d96b3735f7fa711a33a9d9edafe1c65879a2cbe44cc0a1399b03505363039224c2e1c9d2d9b27584ede7e4

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
93KB

MD5
bbae7d667db8ae38dbed744d3c91ffec

SHA1
cf5390209f7296a8baa906f6b1d6eb042f47224d

SHA256
ae3e654ef22d802df174db64cbede8d5ef22dbf944810af137590a9e7666c206

SHA512
4387b2f89f36347bb02e6c4f105839650873a53cc1c432519b872ea148b433820ea1107dc2cdf459cf730d1021fcca78262ad846a9b63cc2f12202b8d5dfc6b8

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
93KB

MD5
56282168f8e5214ca3616948d50ad5f7

SHA1
501ccdfd83572fe8bab0931b47a9e2b855ab7101

SHA256
a8f080f268019f1aaae02a1c433bb40c3df3c467454d9eeb378db686fd798bd5

SHA512
3975365b399179aae89f360b78bf0f3fa7c9e5dc53f9a97bc15c08dbb35e037c008149577b82a9c8cbd89d99098254c23de972a20de1ed2ac09a02910e5cf9c9

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
93KB

MD5
d016fc624506f03c73dc02794ddac156

SHA1
27da0efec4db77931b6bd1d3c9cdea061c5fa853

SHA256
55c210a6cef8026ad9474615d0600cccdb24eeed56e6a675cf3255a8129a3b80

SHA512
cf9e0368e10d76f6837bff2c31731c1616385a9fc0663e24a730ecf6fd66a96dba0a1975032be1dedd276d03232c239358b2b318d419475a8a3f6d07230e06a0

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
93KB

MD5
958f63257ece13931daecefb45554aff

SHA1
781ad8eb220b8bd65d9ec84f96240f86f9d186f1

SHA256
767f7983c7c501eab93063e0c356fe39977627c360a6b4e61478cf4ef78112b1

SHA512
06caa72df0479c5c883c98d4b830047820f6d323d3c5a05a1396f0931498b184ec2a053220ac903ced94742e66926fde5b2eab5c3179a62a4cbfc6ea38748380

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
93KB

MD5
4f903492f0308372351b8f90d09966b3

SHA1
e5cd394d5cefff1bffab3e35f26dfd851ab1a4a2

SHA256
5a8323a7ca218eb5c4e87cd06a52a7bc0dab3d97aa03f527ed5c9e7b71581f4e

SHA512
f63d4186fe4df7e7e76cf01f5c482ff0da3bd26655e3f212f613d0c896829935282abf1cf1080ef3ff62255878ed23e5fbfa0dbeba9e29931d2acdbfdbbba1fa

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
93KB

MD5
a6a72d56f88e29822d6c9d9b03ceecfc

SHA1
875d2e5bc98b5a1d17bed113b06f0a35dc437ef1

SHA256
750149fd51014481dc0d85538333b406adf5586ec12028b17a5ab8d78135570d

SHA512
652409a839ed1cdb81e0945c85c360eb84eddfdd4227d10068fc76f0b5182bfe29e475c735238e3349eda42bd6f46ce7fb0246044ecb2244d3be542e82dadc36

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
93KB

MD5
22c250684c0175da525cf021a7788f22

SHA1
9088da5ee6c392df9c376f53c7d3796267269e0c

SHA256
840f81783a4b4e7c902e097d24686f57b275dc88a53319b87350fe04eebb983c

SHA512
3bdf9d8f180570a989b47556672ce2bf40b0e1a3eb010553468c19598b8bf0c9a5a815d7c6d8f042fa5aaf7b4c5de73a54e147e3846e60bd6bad3ab9eb8165f9

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
93KB

MD5
ccb9feed59fb94d32708b8a7020c5ffe

SHA1
6649bf0aa7ce044dba6d7cd66b87e25f0d08aaca

SHA256
3cb0beb75e6d5fe2161621e8bc60fe8b12748de691809954b6a75e55353aca02

SHA512
d57ff847c0971da751c4958f500d4f9c91449940b7894e2645cf31e1fe291bde3ec702690a4ddf44d3ce30ddcfeac6d89771684d7ad57795fb89666092684c70

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
93KB

MD5
ff672314e675715a2e2d62db313a8474

SHA1
e5042829c980131abda4c67f702c22d043684ba6

SHA256
8c43ed1a3c3e6c3786ef1b7ba5da1ec6f8155bc68d7a29707b0bef5453ea14d9

SHA512
5da31d380ab022f26b554a9567787bccf616ba82893bf82728423668bee3b8373790722244a42ddb1e78038debe686c57171ddb172a3873988f0bdf509eb7d99

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
93KB

MD5
9d4ec22cb2bc07587c974dd98ca55a17

SHA1
4dc9abd9a5f8c166d94f2b0c78acabea0477b96f

SHA256
7e83588082022300a7d8f2e6fca4499e82a92b45805de7fed98dc003d1343dec

SHA512
29110ed6d6d588c9fa73889ff4d1d5bd544bddd9996d92b5ca5507de297156d1a56dfc1e5c7999c810ccd85f25183476547057ab7d16baaa87846f2e6c8cbca1

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
93KB

MD5
92158d9efbbeed5b5ca240b4ba4a63e5

SHA1
ca5a4ed3cb97383a6ab7670a6ccea25cdba3ccef

SHA256
3654def04faa01ccd53f6b83d9627fcf7c2ac3915f42b12c3503a6e435210df4

SHA512
925be46d5f55190d4345f8d63d71807f3e1974b83895358fc3e3fe69bcd63f041671385155f43d20c97235cbdb186ce71ca851ef4645b6f1920fc2a032b6153b

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
93KB

MD5
ec48e9507ed5ce0a87c7cd2ad0fb0eb4

SHA1
31682b85b25d8476c853dbaabaac995fcd3dc59e

SHA256
adf71ecea3e458ac88e222836466a3466e23e91aa714b363933d63b9f276e6f5

SHA512
72532ef409e010c36c72ab5eb1148fe67b0436c3941699fa80fa10c334544b4fffb4edd5b6323148417502b86ac26395245fda7dba66810a55ed224915f71925

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
93KB

MD5
5e37f0d0dd88f47dd8ea694f3ec10cf5

SHA1
421ee23c4a49379e7fdc9e395c77234166817231

SHA256
09a6425a74a9d8fd18579cea847dc95f0756c670621e7f956ca3909ae6dd13ed

SHA512
030a5f18fdec939739bd85d049657df2ec1b81eefbabc93c91a18f43f9a512e384326917d233d5fbc19ec7e002834d63a1968de90cc67142e1fb6134ddaf500d

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
93KB

MD5
4beb383d21ec467e4303faf935de5a25

SHA1
0d1f83d9665d145b0a1c351f39d0965fa726429a

SHA256
22c19742a97cf1c08bf93e24e62801d225762003350b90d4d363a5dd27ecfe21

SHA512
df63f0e428430b4b0089b5409ccee626fbb967ea1edb587bf8b4685a51362b67f55136ee2ccf751f83b3747df5ac96148d192c5957950e35b484f13d383fa41d

Download Submit
C:\Windows\SysWOW64\Ddjejl32.exe

Filesize
93KB

MD5
55c4750773c8dbee0f50866b98f93e8f

SHA1
26125b84acaae69809091521890408611339b44e

SHA256
e9d805a568af9e103ed2c0559825547ccbd8a8a1f7ef6ae0dd9fda5f0651bf2d

SHA512
48aa7b635fdc65db737d2b919220e57ef90cdb18402bd4f5cb10727e4af7a637f3dc9837443ab0dc2441e5c580f35661dd20b9530a2745f83309a235a7706ef0

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
93KB

MD5
5ce75be796aa20c0a529cc53e5a05594

SHA1
e3b62732e8809989986b173d908060d8d7c04933

SHA256
59f2127844fa1c98229be4c436e52438adbbdc7959f282eb681d68d4dd82f81a

SHA512
beb30cd8fd4b079ade5e2b04dd1087b7ecbae83959492e61eada11bd7246b6be1dbacd959e41e4eb72d2f5956f81815f2e528a25a4ba59898c643666542e2767

Download Submit
C:\Windows\SysWOW64\Dopigd32.exe

Filesize
93KB

MD5
2fc32855660e303897e5df2e99a97151

SHA1
f319ad4ad4b25326ddeec9ac921df61080909414

SHA256
2b585e579025ffe80dacd23b4c09ebbe27c345d065c4ff221c9fe4462dd70a02

SHA512
177eece3e3431e1118031200b0391a0bf500662f56e75d7326a518fd995cf343da871706bfb3149d4e0c42c941823ed479c290314fb5f24b20af072a1e0395e1

Download Submit
C:\Windows\SysWOW64\Jmmmebhb.dll

Filesize
7KB

MD5
ebef84e1508fdf51c34ce4abfb866d63

SHA1
4d39bdc39dfd2474d619bb6cc172fbc283a3ed7d

SHA256
1a34beffb2345465979b73f9ebe17beba78f9505cb414ea5dd0c4d0f0bc56bf5

SHA512
238ce1f768b12c6379ca46faf98ff9b5aa926787124f69ce45d66a254c34424b7283da84db6fffb4a0a301cde2b6f0a4e09e91165b58a63902b8fb41f44657c6

Download Submit
memory/644-310-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/644-451-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/728-266-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/752-274-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/752-457-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/784-31-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1056-96-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1064-207-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1092-87-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1124-433-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1124-412-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1376-248-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1376-460-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1436-328-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1436-448-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1472-388-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1472-438-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1552-268-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1552-458-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1596-296-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1596-454-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1704-151-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1724-352-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1724-444-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1788-406-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1788-435-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1960-455-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1960-286-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2088-443-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2088-358-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2108-439-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2108-382-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2144-316-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2144-450-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2152-441-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2152-370-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2160-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2220-400-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2220-436-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2332-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2352-304-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2352-452-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2364-104-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2388-135-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2540-322-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2540-449-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2560-39-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2708-71-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2872-56-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2932-432-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2932-424-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3124-453-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3124-298-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3152-23-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3420-167-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3428-346-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3428-445-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3500-47-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3560-16-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3776-364-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3776-442-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3796-112-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3812-437-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3812-394-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3832-143-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3872-175-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4080-159-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4132-446-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4132-340-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4168-183-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4248-119-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4308-462-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4308-231-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4436-215-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4436-464-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4448-463-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4448-223-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4472-280-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4472-456-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4544-431-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4544-430-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4564-80-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4576-63-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4588-440-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4588-376-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4616-461-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4616-239-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4688-127-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4816-447-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4816-334-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4948-459-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4948-255-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4988-418-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4988-434-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5044-192-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/5092-199-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads