a3ba88a9e41a93131f35d2e75cb82db9af6f753ca842334a000a535c361e10b1

Analysis

max time kernel
105s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f868933eee4567e8dc919cf116251c60N.exe
Size

94KB
MD5

f868933eee4567e8dc919cf116251c60
SHA1

304f6186efa4b1592d0624117bd860a151d969b4
SHA256

a3ba88a9e41a93131f35d2e75cb82db9af6f753ca842334a000a535c361e10b1
SHA512

00899b704bea2cc50fc9d477c9ba7a91d7231ecfea7d55cc513b43ea9093b99ac660f401017fe893e7c03b2d0417a634f9aa8f34335f3daec4f09d223d5b5661
SSDEEP

1536:CQR8WkRWr4L/FTTF6QPFaBuL2LHPMQ262AjCsQ2PCZZrqOlNfVSLUKkJr4:J/e/FvFEhHPMQH2qC7ZQOlzSLUK64

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceckcp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcjlcn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Acnlgp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Andqdh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anfmjhmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe

Executes dropped EXE 64 IoCs

pid	Process
428	Aclpap32.exe
1184	Agglboim.exe
1144	Ajfhnjhq.exe
2308	Amddjegd.exe
3572	Aqppkd32.exe
1504	Acnlgp32.exe
4524	Agjhgngj.exe
4508	Ajhddjfn.exe
4720	Andqdh32.exe
2084	Amgapeea.exe
2824	Aabmqd32.exe
1620	Aeniabfd.exe
1748	Acqimo32.exe
4828	Aglemn32.exe
2484	Afoeiklb.exe
4380	Ajkaii32.exe
4332	Anfmjhmd.exe
4944	Aminee32.exe
8	Aepefb32.exe
2576	Accfbokl.exe
4564	Bfabnjjp.exe
1168	Bjmnoi32.exe
1988	Bmkjkd32.exe
4400	Bagflcje.exe
4120	Bebblb32.exe
4092	Bcebhoii.exe
636	Bfdodjhm.exe
3028	Bjokdipf.exe
436	Bmngqdpj.exe
4204	Baicac32.exe
1068	Beeoaapl.exe
4000	Bchomn32.exe
5032	Bgcknmop.exe
4292	Bjagjhnc.exe
5072	Bnmcjg32.exe
4884	Bmpcfdmg.exe
2024	Beglgani.exe
2776	Bcjlcn32.exe
2932	Bgehcmmm.exe
1340	Bjddphlq.exe
2464	Bnpppgdj.exe
3736	Bmbplc32.exe
4896	Banllbdn.exe
4480	Bclhhnca.exe
4788	Bhhdil32.exe
4500	Belebq32.exe
4492	Cfmajipb.exe
3988	Cndikf32.exe
388	Cenahpha.exe
3288	Chmndlge.exe
1444	Cjkjpgfi.exe
3008	Caebma32.exe
4596	Cdcoim32.exe
4064	Chokikeb.exe
2832	Cnicfe32.exe
3584	Ceckcp32.exe
1560	Cfdhkhjj.exe
4392	Cajlhqjp.exe
3588	Cjbpaf32.exe
536	Calhnpgn.exe
3448	Dhfajjoj.exe
3868	Dopigd32.exe
4436	Djgjlelk.exe
4792	Ddonekbl.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Agglboim.exe	Aclpap32.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	Aepefb32.exe
File created	C:\Windows\SysWOW64\Ebdijfii.dll	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Beeoaapl.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Bebblb32.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Aqppkd32.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bjokdipf.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bmpcfdmg.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Amgapeea.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Mkijij32.dll	Cndikf32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Mgbpghdn.dll	Aepefb32.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Ffcnippo.dll	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Aabmqd32.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bagflcje.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Dfpgffpm.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Bkjpmk32.dll	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Dopigd32.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Aclpap32.exe	f868933eee4567e8dc919cf116251c60N.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Ajhddjfn.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Imbajm32.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Ceckcp32.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Ajhddjfn.exe	Agjhgngj.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Bagflcje.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Cdlgno32.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Bnpppgdj.exe	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Ajfhnjhq.exe	Agglboim.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Banllbdn.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Ddonekbl.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bnpppgdj.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2908	2928	WerFault.exe	157

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amddjegd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f868933eee4567e8dc919cf116251c60N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anfmjhmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bneljh32.dll"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imbajm32.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjelcfha.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdjdl32.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbabpnmn.dll"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgbpghdn.dll"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlgno32.dll"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dopigd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajfhnjhq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Anfmjhmd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbejge32.dll"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Belebq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	f868933eee4567e8dc919cf116251c60N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfgeigq.dll"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmllpik.dll"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dhocqigp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aeniabfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljbncc32.dll"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Chmndlge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 712 wrote to memory of 428	712	f868933eee4567e8dc919cf116251c60N.exe	83
PID 712 wrote to memory of 428	712	f868933eee4567e8dc919cf116251c60N.exe	83
PID 712 wrote to memory of 428	712	f868933eee4567e8dc919cf116251c60N.exe	83
PID 428 wrote to memory of 1184	428	Aclpap32.exe	84
PID 428 wrote to memory of 1184	428	Aclpap32.exe	84
PID 428 wrote to memory of 1184	428	Aclpap32.exe	84
PID 1184 wrote to memory of 1144	1184	Agglboim.exe	85
PID 1184 wrote to memory of 1144	1184	Agglboim.exe	85
PID 1184 wrote to memory of 1144	1184	Agglboim.exe	85
PID 1144 wrote to memory of 2308	1144	Ajfhnjhq.exe	86
PID 1144 wrote to memory of 2308	1144	Ajfhnjhq.exe	86
PID 1144 wrote to memory of 2308	1144	Ajfhnjhq.exe	86
PID 2308 wrote to memory of 3572	2308	Amddjegd.exe	87
PID 2308 wrote to memory of 3572	2308	Amddjegd.exe	87
PID 2308 wrote to memory of 3572	2308	Amddjegd.exe	87
PID 3572 wrote to memory of 1504	3572	Aqppkd32.exe	88
PID 3572 wrote to memory of 1504	3572	Aqppkd32.exe	88
PID 3572 wrote to memory of 1504	3572	Aqppkd32.exe	88
PID 1504 wrote to memory of 4524	1504	Acnlgp32.exe	89
PID 1504 wrote to memory of 4524	1504	Acnlgp32.exe	89
PID 1504 wrote to memory of 4524	1504	Acnlgp32.exe	89
PID 4524 wrote to memory of 4508	4524	Agjhgngj.exe	90
PID 4524 wrote to memory of 4508	4524	Agjhgngj.exe	90
PID 4524 wrote to memory of 4508	4524	Agjhgngj.exe	90
PID 4508 wrote to memory of 4720	4508	Ajhddjfn.exe	91
PID 4508 wrote to memory of 4720	4508	Ajhddjfn.exe	91
PID 4508 wrote to memory of 4720	4508	Ajhddjfn.exe	91
PID 4720 wrote to memory of 2084	4720	Andqdh32.exe	92
PID 4720 wrote to memory of 2084	4720	Andqdh32.exe	92
PID 4720 wrote to memory of 2084	4720	Andqdh32.exe	92
PID 2084 wrote to memory of 2824	2084	Amgapeea.exe	93
PID 2084 wrote to memory of 2824	2084	Amgapeea.exe	93
PID 2084 wrote to memory of 2824	2084	Amgapeea.exe	93
PID 2824 wrote to memory of 1620	2824	Aabmqd32.exe	94
PID 2824 wrote to memory of 1620	2824	Aabmqd32.exe	94
PID 2824 wrote to memory of 1620	2824	Aabmqd32.exe	94
PID 1620 wrote to memory of 1748	1620	Aeniabfd.exe	95
PID 1620 wrote to memory of 1748	1620	Aeniabfd.exe	95
PID 1620 wrote to memory of 1748	1620	Aeniabfd.exe	95
PID 1748 wrote to memory of 4828	1748	Acqimo32.exe	96
PID 1748 wrote to memory of 4828	1748	Acqimo32.exe	96
PID 1748 wrote to memory of 4828	1748	Acqimo32.exe	96
PID 4828 wrote to memory of 2484	4828	Aglemn32.exe	97
PID 4828 wrote to memory of 2484	4828	Aglemn32.exe	97
PID 4828 wrote to memory of 2484	4828	Aglemn32.exe	97
PID 2484 wrote to memory of 4380	2484	Afoeiklb.exe	98
PID 2484 wrote to memory of 4380	2484	Afoeiklb.exe	98
PID 2484 wrote to memory of 4380	2484	Afoeiklb.exe	98
PID 4380 wrote to memory of 4332	4380	Ajkaii32.exe	99
PID 4380 wrote to memory of 4332	4380	Ajkaii32.exe	99
PID 4380 wrote to memory of 4332	4380	Ajkaii32.exe	99
PID 4332 wrote to memory of 4944	4332	Anfmjhmd.exe	100
PID 4332 wrote to memory of 4944	4332	Anfmjhmd.exe	100
PID 4332 wrote to memory of 4944	4332	Anfmjhmd.exe	100
PID 4944 wrote to memory of 8	4944	Aminee32.exe	101
PID 4944 wrote to memory of 8	4944	Aminee32.exe	101
PID 4944 wrote to memory of 8	4944	Aminee32.exe	101
PID 8 wrote to memory of 2576	8	Aepefb32.exe	102
PID 8 wrote to memory of 2576	8	Aepefb32.exe	102
PID 8 wrote to memory of 2576	8	Aepefb32.exe	102
PID 2576 wrote to memory of 4564	2576	Accfbokl.exe	103
PID 2576 wrote to memory of 4564	2576	Accfbokl.exe	103
PID 2576 wrote to memory of 4564	2576	Accfbokl.exe	103
PID 4564 wrote to memory of 1168	4564	Bfabnjjp.exe	104

C:\Users\Admin\AppData\Local\Temp\f868933eee4567e8dc919cf116251c60N.exe
"C:\Users\Admin\AppData\Local\Temp\f868933eee4567e8dc919cf116251c60N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:712
- C:\Windows\SysWOW64\Aclpap32.exe
  C:\Windows\system32\Aclpap32.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:428
- - C:\Windows\SysWOW64\Agglboim.exe
    C:\Windows\system32\Agglboim.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1184
  - - C:\Windows\SysWOW64\Ajfhnjhq.exe
      C:\Windows\system32\Ajfhnjhq.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1144
    - - C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2308
      - C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3572
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4720
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4380
        
        C:\Windows\SysWOW64\Anfmjhmd.exe
        
        C:\Windows\system32\Anfmjhmd.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4944
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1168
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4120
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4092
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:636
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:436
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4204
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1068
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4000
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5032
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4292
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5072
        
        C:\Windows\SysWOW64\Bmpcfdmg.exe
        
        C:\Windows\system32\Bmpcfdmg.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4884
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2024
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2776
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2932
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1340
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2464
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3736
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4896
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4480
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4492
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3988
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:388
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3288
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3008
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4596
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3584
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1560
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4392
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3588
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3448
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3868
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        66⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:900
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4012
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:1072
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4776
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 396
        74⤵
        Program crash
        
        PID:2908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2928 -ip 2928
1⤵
PID:1140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
94KB

MD5
e715c13318260896dcfb7031f9b1331e

SHA1
4ac00f844217b173c69572a745cd3a874fd5580e

SHA256
b0be9213df3ca3f42872181d461225471ea815129dd108ce0a01c3c8bd633914

SHA512
6416859da9f6785e65f44c0beaa3d4064c51b9f555de6fb25e74b487cd56c2fa1fef33244443a28bf4ca1b15137abe15cf76744c32fd54aa1906d464a3bd9b69

Download Submit
C:\Windows\SysWOW64\Accfbokl.exe

Filesize
94KB

MD5
4f5a3ceda605795e27a77fcf51a8be60

SHA1
ab7ba79579aca774c3d45f6c9626f0c62f4fc3ae

SHA256
f05cefe50aae64a61e4b04846dccffc6d4483d054ea90a44a3adf0d22ea8668c

SHA512
ad1eb6532f34e3f86316a0df803f4f7bb67e06b1a2713022c60880e63d9edce2f10de260fb14275fa61a8c61a9366175d1c55deeb1eeea5dbd48ab3b71cb3fde

Download Submit
C:\Windows\SysWOW64\Aclpap32.exe

Filesize
94KB

MD5
50a484c7be906406d89918f7f0e9afd3

SHA1
84be637dd0b3501b9120ff08688626f4db492171

SHA256
2e395324238002541f708cd9a2f9f9494add90a194277eb4a0ff5f709f485457

SHA512
4598b519bb39235f130367ef491d35182cb8f216ead355fa0cd7cf2167373eb49b2502078f2be8cc989921d585bba7f3677e7f8f4fd7f0be5ec6d95e54cb9dbf

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
94KB

MD5
1ab2c8f81905b53af437f118417108f9

SHA1
3a70f6e19b7067ef87e9c4a5a10e6bcd23132726

SHA256
3ed7d485865d09e07c4a39ff1cac362460c3a7b0457c5b51bc0ec9adafe37562

SHA512
cccf089f9f2950b5634fe48e8345c8360bb16742cfdcc2d0095306c79c10e0e6e09d64db3b2e46a1b98aa1f8b3152cc56078c67b4147cc3f9843ff254adbbeee

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
94KB

MD5
635f70d5f6be77bedbf743bb0baab708

SHA1
37240ce3744d5dbbf13bdff61db902a6fc1bdc3c

SHA256
1720b8a01d5d3882fa0a783750d024eec9b8596c96caaef3e77a652226cf1e01

SHA512
ba21dd4921cae41f4c928587948fde3fc3d9f34f5293da2fe934d571d9eaa928838a8d306ffbf284a3768cd3b3810f305ebc5aa90b39406ba18ae6a34f0d42ef

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
94KB

MD5
7730bff6e803d06893c456ef2d171989

SHA1
951a83c203232de77b422fd20fae945326b5cd66

SHA256
e5cd2e8ce87dd1afa886f612a30176b0c556f051a6e925ab4c793915e9642c95

SHA512
63227b1a4307d7c849b2559f7da53fe92b2f3e68b19c4bbe28174e03581a2024a050ccf14a76b827151fd4e4a6bdfab3d084a2e0da306817755b54e3342585ce

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
94KB

MD5
7752486326865f464fb9abe0afd9f0d7

SHA1
e8932ac5781f7fea501b0cea61032bea89a61195

SHA256
4d4eb38cd309644adbcf7c58fd39cf612df6974c62e9e67c8e8a48bb7ea6fd34

SHA512
8bc8940216301df4682b590d69015b1f8cab01337e170bfa0a9b2c15877e2918dd039e07d2c84fdecc9f6ae325c9f0380451e91a42a298b739396dde22177b0f

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
94KB

MD5
f26ef50c91f2edb9da121eb6e820e503

SHA1
6da1d9c3ab118d59f157b5aace0d7c54374bb255

SHA256
adcb4dc96d6b41d03725246a2bfe282deaa86a0e54abb35433d88518e0387437

SHA512
d30370503b8dea7294b7b9e9deafa94b837d4ab5c0ac6cd742e83fb17597f340199503534fadb985b256bb3ce7c901f5667e0a06f6a9cbf6689f36184ef53958

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
94KB

MD5
dfa0a37c425355503dae828a61cd2bba

SHA1
bca0885c09d8ed5426639da31023cb9a36ada471

SHA256
ee969abbe69116a5e5f900531b3109ddf74962a5f1b05546e0353c4125ab3697

SHA512
c0be6f0814b7fef72c1db6e36c5b5707e2209824fc5551a50869680135c5057a02404b7932e4b64b4906ae3f3f0ade1291ab90d1842e3cf135ba3a7d43cd22e0

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
94KB

MD5
ada8fb7b2560731f4256c6bce9cf02f9

SHA1
853ffb720b873c5b834f90e7c2241e279dc40f86

SHA256
92649d72d4199525a8a9534ef3aab9a2ce880f892ce87863d8e24279a00c1e21

SHA512
b3f25e826be17f9e3f0ad7b7dde6fe4cad7d13bff6b254e1471519294c5d0819edd9bb0bed73795c7dc7524a5e7b4998476a8e6550d39f58086e9193733ea897

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
94KB

MD5
5fc09360912d5679af4affd48b03dd94

SHA1
e57298baeb078f3af05195059b491e7de4163483

SHA256
d09b703684e636647309f3a5a45617be35389f89b696ec8c6a5fe7154259ca89

SHA512
1f2ac9f51baafa43cba863a8c5a1e6caa3f7ce9a70bbdbfc1bb189a336cf1a9e67b583ff0f8408bfc07913fafb7101582c44be06a3c4a9135da8dd4e740b1409

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
94KB

MD5
b0584b358b0862628a7db83d87ccc2f2

SHA1
fe587b1342a254c597d678802cf5618fd654c2d6

SHA256
69865e38e9ec70fad74d8a7abd707af18c7617bf80d3406181b65b779d87e8a4

SHA512
a4f48beaab09c379501d25b61b20fec872d799650308ebf7e42402c852d4bf6fc7bdd3a1b1e7570053370a2d64057d6ebb82bf753b2e82a69b08be4a0a491600

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
94KB

MD5
d6575a7f72a778e2f9ecc906d4f11b6a

SHA1
c27efad2fb5410b450565f8e1c88c01c52dd1ad3

SHA256
f2781d98f5dd1a641b411be34941aa56cadd38f1a868c29171bed31e1d8de3a8

SHA512
a76f81fcf59a356ea977eac277eb5778a01e671c25ff3beee22af101199781e4bd60163985f1a9445e9502bff166acb480ff3998c2988aadd3a10e77a9239556

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
94KB

MD5
9a10ca0a9a19a6250ba0fbd3fa6493f5

SHA1
6d837a9af141d9cf095a0d86784e09928dad5d74

SHA256
c56164f4dee7a9be821aa51fe495edeee39ac1de56e5e9145faa11ae63ff7852

SHA512
9a1b7b9c41d3e38297994325c79a88217de1274d951565f4b84d2073bc6f2e773146dde9458dca8761b05030776f98e1f4a249a9935afccb2ee37de31d09574b

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
94KB

MD5
5b87eaf2e6bde3b73798410f930a8260

SHA1
2a3c7fb0b1d7521c47edb5bc8511caf744854fb4

SHA256
bfe6b703d27181d87463af673fc4b3f25c563c47c1fb051c5ff47eb53ee85236

SHA512
78b7c969b4d54aaee2741142f8757d4351b6e04d1d3c20e8ac409bc2a4ecf9335c2a9112d6ff924b1d38b00dc1b707ddb55cf7dfe26e7994e05647f695cb1da1

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
94KB

MD5
5bcff31189cf7e5c8fe123cf8f597209

SHA1
db4061031686f675065f0838e1c222488cd18ca2

SHA256
8de80d50f18bb049126da4fbf805d5c88c58bafc9661c97d7947a7d2e9e1e9b9

SHA512
4c1e245c864373172f06684b976a1a027da9dd11699f573b8f1d64dbab250fb69df524833bbfe4a5e0ca3253f43526835c6e469790bf2c33a742f7307282c26d

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
94KB

MD5
9382f766b166ad97074e236ae61b6dd9

SHA1
faaea28138ff88bb71bbcaade34af12168f102b9

SHA256
28bd554cb0352ebe0c4ead93a1d62c28d093aa8b71522bbca401f5a143fa5418

SHA512
609b482692a1abbbb679c8c483c41d6d2d682eb83a6cde6ca6eb34bfac3483c097f05a88dd0722a5d8878133db1828af9431cba933602b1fb5f064533dd1ddff

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
94KB

MD5
c44a05db2d1e942f6fff6f4d57dddf5d

SHA1
d60131a776cfee4c6d832d4dc14b9246dcf47939

SHA256
ceae5918a7e8563f2e9bab1cf6eb98f93686f42ce5777a7c7c54327b39d2c63c

SHA512
95258c2f87457f509fb176e3396cadc6874295baec6dc5307ef3d9a100739fe03fcf791820b7982352f5ffe593c1ede33ce691bad1c23970011eecfa6de082e2

Download Submit
C:\Windows\SysWOW64\Anfmjhmd.exe

Filesize
94KB

MD5
31dfb01e6f22ad77b088e1472fe163a3

SHA1
c953f2d773dcd6190c79d34d60476f6a3be3b03b

SHA256
6272496f1843d520c0aa3632d4968b2a8349670b8a3afeb5b69d5b03d23fad6e

SHA512
69a678b72b23754d17671a6f9bd408389749136a058c56740a21ef8c207ae6818da9df241ed62f510d62e7e94d563e662fcea894aa643a746f7dc3dce0dac9d1

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
94KB

MD5
825b231791610b0868abb1e741b1cbc2

SHA1
6551f9b20153f8289b7eb803c64ab58ba282db28

SHA256
b3a6071dff0575468b25e488a36a49386591baea55ac0da3f85acdd6b6e5a9a4

SHA512
8f0ce22ca5d68579a62afd7959c5b05cdbae1eacd8398633059e2c76a9a56a4643b25d2b293dc6710b94040228def16636854afeb655964232dcc26a8998096f

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
94KB

MD5
7d7324c7b5fcb36a76b3e22211ac003a

SHA1
8727c98bc85d0acade77640f75a658bda0cb3b11

SHA256
70661ba6228163a08d13b186e9c13d00758feac4973bf74760189133840d782d

SHA512
802475b6274e14a206a058825b86bfe2fb8cd93e784d56e3596f35a5303e98ec71b26aeadf640e7d2a1acd5b729a3660b345047e64a0de9c1ad52b50cc24b26c

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
94KB

MD5
6c80c6d824cd69aa6a9a31dcae45ed5c

SHA1
5a8325024332f2ad96f7ba437b87762f1b7a8abe

SHA256
adff4e3ce5bbec0fc357068313d14f0332a717ed6e533ca4f838f1f68ebe903d

SHA512
8dfd9413aee57e8dea7d50a68a088d270b132084b4f78b0516df65bb37ff65d9517c90b59dc10871dd90203520fc117d574b6c9c7757afbf03e7a21855afe45c

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
94KB

MD5
6ed09341e928e47ec0e2cda3b9fb362b

SHA1
9dc3737aebcb2405084c815c90e4b4e918f4cee5

SHA256
229fa406211d232f10d5fb3b0fb2a3fda45f9452cb6427b2f8fef2cbcf6cf049

SHA512
2e1783678bb1849bb6e7f07c050e7f20967e3dfb31c813dc72955163e0d2a71859e07c37d098bd484d525b3673c391898224d229c3bbf9970475586593dcc56b

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
94KB

MD5
49cae8645477b9878e738deb71a7f474

SHA1
1b48138be074840737565579c1ea0baebd5c35e7

SHA256
f56c5246649ccf55ab13c21dc97d5bf6f21ce38636b84e382b2a7bd416db3b11

SHA512
d4f9b42a0ae5339b7f16d35cd44f4447f203bfe85442c34e921ba05413402bef4ce36f0d7b4366bd41f3ff78701e2e243a8735d1d3ab838370ceb1b6ae3f83f2

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
94KB

MD5
54e38e3472a2573d803a3309f957f82d

SHA1
e21ec606c6706aab7ae1cca4c1cd97679d3d9732

SHA256
165b4b531cc292bc04633c019fcb158150fd3d8149239372bed80dff261dc849

SHA512
39d4ffc38bd90a73348ed33a2f43e792a14b0a8981dadae2050da36ba7e1856ddcb134376a6cf63712e4e24bb5e315b96d3c245ab6629a9dff9b42145b121bdf

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
94KB

MD5
ddc1915a1b8c30796d3e79bc7180f046

SHA1
78eb6350d68473c2d6b403e11df66edcccee7301

SHA256
d0b328d11c4e6c8f617d5b750a5c94fe4a77706f4a28358b38415d6e7f72b0cb

SHA512
9299b35cb775b9b1dec1a4b9f5719815a72f6335cd72b9dd532e8015198bd6e0dc27a7fbe4da3296798d127666a35542d44cdc5e3e7ee3218793f0f9f3c5a9e3

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
94KB

MD5
ceeacc7c1cf099e75fcaa91953d64616

SHA1
91eb8c8b7c8353fb30ed91203c805e36a97dd151

SHA256
03eb1f00cac02cd040e3f94fb91e7eccf2409604b825ab0838f2ce0adfc5bbcd

SHA512
7ba5b01ee9925981fa6bd2dea6c9052d70e929961063b07196f947ce43c56a063d64b5375b27b4dfdb5c1791f28f7b1b08a39504ee601f8be51de09e14d0f3c3

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
94KB

MD5
b022d51f542cef7f7f1de40a6f786a29

SHA1
0ebaf9cf5a860d99d11ed4169eccce1ce2078d3c

SHA256
33bc6902d8a11ca9f97618d05890e7ce094bd34a0b28994f8eb262ffb8e40d41

SHA512
741203c9761433b67a87ecbdc8ae9f48370b291beaade642104da9c0e0ab1fcd01956b00d2502b359b4d231591c68f99dc964ec541a366619ab9f65e71112104

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
94KB

MD5
6140d860145c95412d8e68ef598da254

SHA1
90f8a3e608619f3d76342e37fc2185fefe8b8988

SHA256
364e4ca4e5364ee89772c40f88c570013246af6d65d8f7a05c3d03e41bd2e74d

SHA512
f43dd1a3a841e64910f7e0a7637a40546819f9b2753fcfbc73b6e6c503ba52e7e38b8ceabef58e40fe35c086c2ec646a603d5e6b7bfac41e148313a6845f6f90

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
94KB

MD5
270fe12878740f56befe15e20e056d08

SHA1
242147031b4c90597cb5bb979d5a0eb86fca5153

SHA256
b0dcfd2b746902c038aac69720e3915e1778daba99f71d4ef50c3e3a4c98f63b

SHA512
7edcef5ef1dda50109f42c85ebcf56f1f62cebbdb938845a6064ba1fb872c62611e995d72edd54fb87c98207a925d5424ae9a7f46a21f4c504b1c3bb2b694d64

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
94KB

MD5
7f53ffd447722a75fba9b453784b542a

SHA1
89538e394dd9ad1593c275cdcd4b679aca34d436

SHA256
b21d41df9e2c1629795992d84ccdd569fd1ea53ff368e410088d4cf9498d6338

SHA512
649a2e82bc94bd660a5129a8d7d71a569aecba819cda45a989eb3d6a5ed9124d9dc44accbf40ee01f118c5d9aef692bb7717ec8e1a43128f2e7747524ad7e76e

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
94KB

MD5
4ebcbdbcc6fef3c7e3c92e4d8f893745

SHA1
95143aea7f01834341ad73299792362d62a02b13

SHA256
f2ca57295dd133e77ee1e316bd02a4f14940cfccd4a74b82727d63f40a13f179

SHA512
4757d6cda33581e6113c99c0638f29312591dfee13648ef0b86b059f9bac8965e7e5bc045178a056ef210c74d5036a42883d8735a10bd5d143fae187c0c0c1f4

Download Submit
memory/8-154-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/8-244-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/388-367-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/388-431-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/428-166-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/428-8-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/436-246-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/536-439-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/536-508-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/636-229-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/712-148-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/712-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/712-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/900-488-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1064-481-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1068-261-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1072-509-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1144-184-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1144-28-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1168-186-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1184-19-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1184-175-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1340-317-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1352-495-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1444-379-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1444-445-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1504-56-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1504-195-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1560-418-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1560-487-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1620-141-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1748-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1988-196-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2024-300-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2084-136-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2308-193-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2308-36-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2464-323-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2484-145-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2576-167-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2776-306-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2824-137-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2832-473-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2832-404-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2932-311-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3008-385-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3008-456-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3028-237-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3288-373-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3288-438-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3448-446-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3572-45-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3584-480-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3584-411-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3588-501-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3588-432-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3736-330-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3868-458-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3988-361-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3988-424-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4000-269-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4012-502-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4064-397-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4064-466-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4092-221-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4120-212-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4204-254-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4292-281-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4332-147-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4380-146-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4392-425-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4392-494-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4400-204-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4436-460-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4480-342-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4492-355-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4492-417-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4500-410-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4500-349-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4508-132-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4524-219-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4524-59-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4564-177-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4596-459-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4596-391-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4720-150-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4788-343-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4788-403-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4792-467-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4828-144-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4884-294-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4896-335-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4940-474-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4944-151-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5032-275-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5072-288-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads