20e788e74fb19c0f48ce6a9ef370568d6ccdc119761d45820073d7952f3fa740

Analysis

max time kernel
137s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20e788e74fb19c0f48ce6a9ef370568d6ccdc119761d45820073d7952f3fa740.exe
Size

95KB
MD5

99c1b9226a69d235b8f82065436d9916
SHA1

d7e2dea7cb758b84411673bf218295064267cfbf
SHA256

20e788e74fb19c0f48ce6a9ef370568d6ccdc119761d45820073d7952f3fa740
SHA512

209097e30219b0de915e2d2f1e6322d6e0d8344fe7cad46b0fae8295ea49ea97d13cbf230de81fb6a3a3676c9537f1c61c22e2c560edaf997efd564c1769c427
SSDEEP

1536:jyf18tZ0HPsZxPh9qP4UsLL+iDd1l7F1vROM6bOLXi8PmCofGV:Wf1xHPs/HqP4UihL7zvRDrLXfzoeV

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkifae32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agjhgngj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabmqd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeklkchg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daqbip32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bganhm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfdhkhjj.exe

Executes dropped EXE 61 IoCs

pid	Process
4532	Aeiofcji.exe
536	Afjlnk32.exe
768	Ajfhnjhq.exe
2720	Aeklkchg.exe
3116	Agjhgngj.exe
2500	Ajhddjfn.exe
4636	Andqdh32.exe
4740	Aabmqd32.exe
3584	Aeniabfd.exe
2788	Ajkaii32.exe
1620	Aminee32.exe
3380	Aepefb32.exe
3548	Bfabnjjp.exe
1920	Bmkjkd32.exe
3692	Bebblb32.exe
3396	Bganhm32.exe
3936	Bfdodjhm.exe
4764	Bmngqdpj.exe
4124	Bgcknmop.exe
1060	Bnmcjg32.exe
1740	Beglgani.exe
2272	Bgehcmmm.exe
2412	Bmbplc32.exe
3140	Bclhhnca.exe
4436	Bnbmefbg.exe
2448	Belebq32.exe
4544	Cfmajipb.exe
4528	Cndikf32.exe
3660	Cenahpha.exe
1144	Cfpnph32.exe
1012	Cnffqf32.exe
4568	Cmiflbel.exe
3260	Ceqnmpfo.exe
4736	Cfbkeh32.exe
2616	Cmlcbbcj.exe
2084	Cagobalc.exe
3456	Cdfkolkf.exe
4416	Cfdhkhjj.exe
3404	Cnkplejl.exe
1356	Cajlhqjp.exe
4308	Chcddk32.exe
3892	Cjbpaf32.exe
1448	Cmqmma32.exe
1348	Cegdnopg.exe
4808	Dhfajjoj.exe
468	Dfiafg32.exe
4500	Danecp32.exe
2996	Ddmaok32.exe
5112	Dfknkg32.exe
4444	Dobfld32.exe
2880	Daqbip32.exe
1428	Dhkjej32.exe
1000	Dkifae32.exe
4508	Daconoae.exe
2856	Dhmgki32.exe
2212	Dkkcge32.exe
3832	Dmjocp32.exe
4984	Deagdn32.exe
2820	Dhocqigp.exe
1072	Dknpmdfc.exe
4120	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Danecp32.exe	Dfiafg32.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bfdodjhm.exe
File opened for modification	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Eokchkmi.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Aabmqd32.exe	Andqdh32.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Ajkaii32.exe
File opened for modification	C:\Windows\SysWOW64\Beglgani.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Bbloam32.dll	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Ickfifmb.dll	Afjlnk32.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Chcddk32.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Daqbip32.exe	Dobfld32.exe
File created	C:\Windows\SysWOW64\Pdheac32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Andqdh32.exe	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Cfpnph32.exe	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Kngpec32.dll	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Dmjocp32.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Hjlena32.dll	Aabmqd32.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Cogflbdn.dll	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cnffqf32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3032	4120	WerFault.exe	146

System Location Discovery: System Language Discovery 1 TTPs 62 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20e788e74fb19c0f48ce6a9ef370568d6ccdc119761d45820073d7952f3fa740.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bganhm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeklkchg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkifae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afjlnk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agjhgngj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffcnippo.dll"	Aeklkchg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	20e788e74fb19c0f48ce6a9ef370568d6ccdc119761d45820073d7952f3fa740.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}	20e788e74fb19c0f48ce6a9ef370568d6ccdc119761d45820073d7952f3fa740.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bgcknmop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	20e788e74fb19c0f48ce6a9ef370568d6ccdc119761d45820073d7952f3fa740.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjkjk32.dll"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echegpbb.dll"	Ajhddjfn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bganhm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcnha32.dll"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Cfmajipb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	20e788e74fb19c0f48ce6a9ef370568d6ccdc119761d45820073d7952f3fa740.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oammoc32.dll"	Dkifae32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Agjhgngj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopkop32.dll"	Bebblb32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 4532	1220	20e788e74fb19c0f48ce6a9ef370568d6ccdc119761d45820073d7952f3fa740.exe	83
PID 1220 wrote to memory of 4532	1220	20e788e74fb19c0f48ce6a9ef370568d6ccdc119761d45820073d7952f3fa740.exe	83
PID 1220 wrote to memory of 4532	1220	20e788e74fb19c0f48ce6a9ef370568d6ccdc119761d45820073d7952f3fa740.exe	83
PID 4532 wrote to memory of 536	4532	Aeiofcji.exe	84
PID 4532 wrote to memory of 536	4532	Aeiofcji.exe	84
PID 4532 wrote to memory of 536	4532	Aeiofcji.exe	84
PID 536 wrote to memory of 768	536	Afjlnk32.exe	85
PID 536 wrote to memory of 768	536	Afjlnk32.exe	85
PID 536 wrote to memory of 768	536	Afjlnk32.exe	85
PID 768 wrote to memory of 2720	768	Ajfhnjhq.exe	86
PID 768 wrote to memory of 2720	768	Ajfhnjhq.exe	86
PID 768 wrote to memory of 2720	768	Ajfhnjhq.exe	86
PID 2720 wrote to memory of 3116	2720	Aeklkchg.exe	87
PID 2720 wrote to memory of 3116	2720	Aeklkchg.exe	87
PID 2720 wrote to memory of 3116	2720	Aeklkchg.exe	87
PID 3116 wrote to memory of 2500	3116	Agjhgngj.exe	88
PID 3116 wrote to memory of 2500	3116	Agjhgngj.exe	88
PID 3116 wrote to memory of 2500	3116	Agjhgngj.exe	88
PID 2500 wrote to memory of 4636	2500	Ajhddjfn.exe	89
PID 2500 wrote to memory of 4636	2500	Ajhddjfn.exe	89
PID 2500 wrote to memory of 4636	2500	Ajhddjfn.exe	89
PID 4636 wrote to memory of 4740	4636	Andqdh32.exe	90
PID 4636 wrote to memory of 4740	4636	Andqdh32.exe	90
PID 4636 wrote to memory of 4740	4636	Andqdh32.exe	90
PID 4740 wrote to memory of 3584	4740	Aabmqd32.exe	91
PID 4740 wrote to memory of 3584	4740	Aabmqd32.exe	91
PID 4740 wrote to memory of 3584	4740	Aabmqd32.exe	91
PID 3584 wrote to memory of 2788	3584	Aeniabfd.exe	92
PID 3584 wrote to memory of 2788	3584	Aeniabfd.exe	92
PID 3584 wrote to memory of 2788	3584	Aeniabfd.exe	92
PID 2788 wrote to memory of 1620	2788	Ajkaii32.exe	93
PID 2788 wrote to memory of 1620	2788	Ajkaii32.exe	93
PID 2788 wrote to memory of 1620	2788	Ajkaii32.exe	93
PID 1620 wrote to memory of 3380	1620	Aminee32.exe	94
PID 1620 wrote to memory of 3380	1620	Aminee32.exe	94
PID 1620 wrote to memory of 3380	1620	Aminee32.exe	94
PID 3380 wrote to memory of 3548	3380	Aepefb32.exe	95
PID 3380 wrote to memory of 3548	3380	Aepefb32.exe	95
PID 3380 wrote to memory of 3548	3380	Aepefb32.exe	95
PID 3548 wrote to memory of 1920	3548	Bfabnjjp.exe	96
PID 3548 wrote to memory of 1920	3548	Bfabnjjp.exe	96
PID 3548 wrote to memory of 1920	3548	Bfabnjjp.exe	96
PID 1920 wrote to memory of 3692	1920	Bmkjkd32.exe	97
PID 1920 wrote to memory of 3692	1920	Bmkjkd32.exe	97
PID 1920 wrote to memory of 3692	1920	Bmkjkd32.exe	97
PID 3692 wrote to memory of 3396	3692	Bebblb32.exe	98
PID 3692 wrote to memory of 3396	3692	Bebblb32.exe	98
PID 3692 wrote to memory of 3396	3692	Bebblb32.exe	98
PID 3396 wrote to memory of 3936	3396	Bganhm32.exe	99
PID 3396 wrote to memory of 3936	3396	Bganhm32.exe	99
PID 3396 wrote to memory of 3936	3396	Bganhm32.exe	99
PID 3936 wrote to memory of 4764	3936	Bfdodjhm.exe	100
PID 3936 wrote to memory of 4764	3936	Bfdodjhm.exe	100
PID 3936 wrote to memory of 4764	3936	Bfdodjhm.exe	100
PID 4764 wrote to memory of 4124	4764	Bmngqdpj.exe	101
PID 4764 wrote to memory of 4124	4764	Bmngqdpj.exe	101
PID 4764 wrote to memory of 4124	4764	Bmngqdpj.exe	101
PID 4124 wrote to memory of 1060	4124	Bgcknmop.exe	102
PID 4124 wrote to memory of 1060	4124	Bgcknmop.exe	102
PID 4124 wrote to memory of 1060	4124	Bgcknmop.exe	102
PID 1060 wrote to memory of 1740	1060	Bnmcjg32.exe	104
PID 1060 wrote to memory of 1740	1060	Bnmcjg32.exe	104
PID 1060 wrote to memory of 1740	1060	Bnmcjg32.exe	104
PID 1740 wrote to memory of 2272	1740	Beglgani.exe	105

C:\Users\Admin\AppData\Local\Temp\20e788e74fb19c0f48ce6a9ef370568d6ccdc119761d45820073d7952f3fa740.exe
"C:\Users\Admin\AppData\Local\Temp\20e788e74fb19c0f48ce6a9ef370568d6ccdc119761d45820073d7952f3fa740.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Windows\SysWOW64\Aeiofcji.exe
  C:\Windows\system32\Aeiofcji.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4532
- - C:\Windows\SysWOW64\Afjlnk32.exe
    C:\Windows\system32\Afjlnk32.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:536
  - - C:\Windows\SysWOW64\Ajfhnjhq.exe
      C:\Windows\system32\Ajfhnjhq.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:768
    - - C:\Windows\SysWOW64\Aeklkchg.exe
        
        C:\Windows\system32\Aeklkchg.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2720
      - C:\Windows\SysWOW64\Agjhgngj.exe
        
        C:\Windows\system32\Agjhgngj.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Windows\SysWOW64\Bganhm32.exe
        
        C:\Windows\system32\Bganhm32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3396
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3936
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4124
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1060
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2272
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2412
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3140
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4436
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3660
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1144
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3260
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4736
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2616
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2084
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3456
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4416
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3404
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3892
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1448
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1348
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4808
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:468
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4500
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1428
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4508
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2856
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2212
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3832
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4984
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        60⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2820
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1072
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4120
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 408
        63⤵
        Program crash
        
        PID:3032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4120 -ip 4120
1⤵
PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
95KB

MD5
03ab06cefb10f8d06a3943cb75167f7c

SHA1
a43d21099962b6b5330f00ee0a7e60d796e7adfd

SHA256
46f61558833c99dfcd8716d3445b5f76a8befe29438a5575ecbcf2fa017f06c4

SHA512
4b64b8efe054c7c3294e7c28353aa35022aad9445011fb5580531005891899416233d226ace10f4585ad3ef3137a5c62b8af529c4ee0ca2f54372181c60c9884

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
95KB

MD5
2590f35659a8807607333fd8b44e205c

SHA1
b127d8f5446e857feb2df1592d52efb87ad4c6f5

SHA256
60c417b29bc94cd12a2a283645e28a2b4fc2b0624015771053fefda7c7a4548a

SHA512
7b1b463ac4f151cfc0839a8923901a934cbf5a4fffe86eebeb71a916f19ed431739515b680dc3f1885eea6be346c09e4db6d9747a03f9b543257dfa2920dadc0

Download Submit
C:\Windows\SysWOW64\Aeklkchg.exe

Filesize
95KB

MD5
aefa0ba6ec047e6eae73faa606051e86

SHA1
cf181e087ef729623f5ea4818dcd5f6b80adf5ba

SHA256
14b6e0f74a49242e9430619f81c9ab78dd8296bfe54cc5017e56661cb55a74fa

SHA512
05554ef0a7477f03de0784550ad63a0a823e71fb1da98a3c30eb32f3cd54e9fa53c2c11f834d0be6db03272d8b958134a889ad11a65cdc3f94c4c471df39db6a

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
95KB

MD5
78110326332db2e469c35f3ece52a4ad

SHA1
47dea4aa9a66515a1d19fc25c08a50bdd9156576

SHA256
14f12c843f63ce58b5c3eb234de53de2e04ec62a6a787ad165615c1ef1bee9a5

SHA512
c8227c861271ed6e86e4b952951c7a41949768e5e8c7744598895266f9dbbb3339ec309d2d14e44626f95619aea94616324b14b8adcad016fd2d7e634a2f14c1

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
95KB

MD5
dde07d6628b2f21adb96facb5d735918

SHA1
f9b5d038c9d6a179a073889a8984db33b42a02c0

SHA256
d813a3c5c602bbe9a45f73bc74a3004936bbfd770960f0a5a5bd963ca69ccdd5

SHA512
bb3a9e7c84587165941eaf273aeb40e9434034e4b5f1fa7e1768f606b00685935c69c743cbeee913e306e1cd756317c8825e23726fd0ff181a831e77273a23d6

Download Submit
C:\Windows\SysWOW64\Afjlnk32.exe

Filesize
95KB

MD5
3318a2dbe9fbcdd58880db6874fae237

SHA1
3623638d5fb7c335988ef961e60d8129f5d09291

SHA256
8a4eea04511ef83ec95d45fd1b1c51b85bd9ac65873ed7e08cd831b8d0c89c67

SHA512
e74146f41027080f0267f01e8c3b1ecaff9f0f233f0e132ea5cbecd1fcf53dac65f41071302091eb0d1031c8bb5d6e9a3d8a09a56b139edee41c5d8af6ca7f69

Download Submit
C:\Windows\SysWOW64\Agjhgngj.exe

Filesize
95KB

MD5
5024ab9decd8780e4d5343b8649cc64e

SHA1
85c99e11fadec2138c3fee1bfe5d2a4df3b6c651

SHA256
9112124bb08752cef1f346394fb71c5bbba4a367ee06687fc63fd8fc6c319607

SHA512
83908527912f5d0467b0462289a0c5fec65c310f8a11e3c522448bf826711256aa05b17f9ab6427cb14d328c8b530ba35de9d3fd904c555ca8f23f7cba6218e6

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
95KB

MD5
7cd13afe8da00387f99d3c5650992acf

SHA1
b59b271ccd8332b505e03df3d965de1737e6dfed

SHA256
be6d8e6028e3f92d3ca3e2fd6bd3331aa86c920ead77f8d13bc778d6b34ee526

SHA512
f24ab4677b102696fdb3179b68218b040f62e80e110f2a64fd81193a991e03bf45fb975852d71d48ba211a518d229170481f197fb8887e9593116b9efe02aec5

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
95KB

MD5
9f9930e2539d430a9bf288312ef6c241

SHA1
c00f4ec83e0edbd2bfa7e3fc7ad47f41dad93586

SHA256
2aeb3dbb5ce0d15ad994ea827dd75a9f52f93c2d9bc5e996f3f87d84202eb96d

SHA512
b82921d4d6eadb1e4fa45a29cec8671a8d93b8ec37f7a8ab639c42845031bda21613196c897e8ce75024a3722c6b5da3aa7075d30bda035182ab8f3a1139cf92

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
95KB

MD5
e583cc10ed67b5b217cdfebd519d129c

SHA1
29efdd99ff7b675f35be2ec6e49f62e6587899c3

SHA256
45c01a371444664c8a88962e39c6c6bdd2dc6ca0fd76ea5c65ed6e0f341352cd

SHA512
c395ecc490f8dbff720422567b7f5bc345247cc301b5a3c9f4fb0d95991557fa892b9814a83d61c2bf17144db25a217413e8a24425c4f71c1d1767bbffcb78ad

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
95KB

MD5
b7532e6326e2f4118336297db80b4a6d

SHA1
3e4be201ed61b584452ba4863c276c3be427aaed

SHA256
f294063ac698e70cb9a828e5a25fe235992f19cae33b0c5ead2026329b33a890

SHA512
4aa2eb9ebe7d7ee1400f26969ed997ab74ba7d66fa256f352de0b097900179592134752ccf854d6a58b4e151a16285857f2393f73cb9212dd88426251a7bf3c5

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
95KB

MD5
d8098c1d5e4e45e2b7561d11053dc9e0

SHA1
6dc751b483ae2d517c59acdfd755be03083785ad

SHA256
c9ec8d929b3ce12f32a1367e7f7643962181f28a7efeafdd84a722f71e55c2de

SHA512
c1793ce73161b9a11ea8ff16a1271a44408fce3120f678af9c616c8b01d69c6e9cc0d5bafd1e7fbc3e17c0c8b8dd51916821b84dcccff70bc68a21482dfafde4

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
95KB

MD5
192ae5e815219d4de6e8e1cfbf01628a

SHA1
029c358fe7ae72cfbc290ccb77efb4a932344392

SHA256
0bada0c80d2ce10278a6603e0bab88db3750776e0fefe61c47db606524ab627c

SHA512
20acc894ded1bda3720ea719503b2321c70fc3ecd7c852f42b63ccb7608d43ca1e7dc7ce32bf4e428123950be58bfba903d473d952d7afffeabfda8cedf72192

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
95KB

MD5
96334c746c217172f609a665140fffe6

SHA1
b48dbe95ea44fe41ed3192d401efc89e8839c0eb

SHA256
5bb065997fa69bd4f529dce6ffd73854f9b0dfa8db2d08f5bd3cb0dfaaed8d6c

SHA512
1e35c6ad477fcb0ec2c3d4d354fbf21295a705d24c90e8987badf5757cf20ea4d957fe181ad6f811bbb256c84f3f18c14135d1bff64394855e71a7fa4fc068a5

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
95KB

MD5
deee9fba662721bf77d83b91e3769ff7

SHA1
3a9cd3f54ba290d6fa27d34a8476a5ae8bef068e

SHA256
b6f52e09895451f137cf850d0c4990093cd40858e8bcdd986d7d028e51ee6251

SHA512
f4045042ae59c5cabe1cd257b3e29c96c56d61c5d5adaa851929a6a6833e392f85075a5e10f12f02e9fbeae5321c7de70978de90492aae70a3ecbc740a19570b

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
95KB

MD5
e9bc24d7e387a6be42a9da526fa49594

SHA1
6d3599e4fad0ff07c275c062060b5d1f5565e5d6

SHA256
06166efa68656c144e549478311a2f58758e81d1f8d15cc67bf96750c0d6f430

SHA512
94f81cdf4e0c544740a7c311dd0abdea53a76719b88c634262c9be05f4ee4390d6a538e0306c16ea4c621fb43d62e1343be8c2e4501c51b6212edc4892a9b55f

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
95KB

MD5
91efbe89ef90925f0afe0db548da02c9

SHA1
5f0bddb5b5372bdba81d969c7374890c329b6661

SHA256
b70c955f6274bf409435fecba3bc31f6e091e6d21cce1ceec593ff4877406917

SHA512
1da1432f921b13a08744e6286d35984a875ef10a1337ad9e0ddcdcb9a44aceec09903a6f9257edc294b510e8bdd2b2a900ad3dffb961ea793124eeaa8a4bf6b1

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
95KB

MD5
1d586c14d8ed5c0e04884b4275116857

SHA1
e0f7556b799e17bf867fc92bd621977d43787b10

SHA256
f4dc9a4176b97ee0cdfb7acaceca39b6b5fe443fd0b0fbd7fdb2dbe11ce6e0ef

SHA512
5d78fea87463ca9c40b4fbbb41cce561b9ca8c6d74841643e4c587d91ef8f1318031429cc13ad8df9b092d6c1b80c419eba764cd45859eb08c5e9848f1d22168

Download Submit
C:\Windows\SysWOW64\Bganhm32.exe

Filesize
95KB

MD5
6c2c707993ee5cff10e17ea55ea652c4

SHA1
a1f9a57f71f82cf40833c44add41a5ec70f6a1a9

SHA256
4af1329708f62b9f4c5e307c30423a0eba0ff8eeb90d1a283050bb9e36e6527f

SHA512
d8ce7368d01e9fb60e6f3a43ebedd4f009c5217742562076fcdaf7e7295e272d128ded874a4d88c7d0fec5bd19bcf8a0db4d8cb3e590946ba1d444c8d0f58623

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
95KB

MD5
a9b65592b4493b1304d0651a64d64ec1

SHA1
f0dca996564bae9bc4a0b39394b2856585991004

SHA256
65724b2eb844a55272a47ab92129f9a25ca4c1975b737ecb8a827c17a379f349

SHA512
e5640e98c1023a791b073a0b5ae976a8c20f764521e1b8bb6924d6f08548c21529c97152f2a8075a8897313efa0edc03b7fa3af0cc29cfd20a4d27633c41520c

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
95KB

MD5
87ddf3ec549033c09b92226dc2de6386

SHA1
28a57b5efbc86550515a216656e5fe8e1664893b

SHA256
8b752989bbe9b186346233d51a20f333763634a6b73d64ba1576b29efa85a36f

SHA512
3bbed092723576f7465c33940dbc5db8d726053980d14bd7e0668895bde87ab93a5df6f9a21506927a4889d17355ad2ce6bcb4c4912a6f6f87d7b1a911438f3a

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
95KB

MD5
444fd186faadc479017da3202c334603

SHA1
f65bc304abdd80cf0ac06303faaaaa71af509b3c

SHA256
024a1564c82bcffc165a6288971eadab971fe45269c1abedf8b0f577f5ce3046

SHA512
6cc8129afe0d5fd14ac7f1813e7cf4eab49bd73d821d81c82bd2782b59c12309703d69d63473db6461db88ca912b331148177e7c8bd3f9e8aa987f3392589083

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
95KB

MD5
34e0db80c06716da916ceb09d23f3ccf

SHA1
bd5e732a81065c01488d06c93cc23a1ff14aa729

SHA256
1068bda69913bc9e95bf7d289514019585c49d5a7fb05d9381c9d593e11b134c

SHA512
cba4782bc72f460bc83a577b06387ac9e02de4c20aa4f501050b61c59234f77f832c68f479643c0be9ca2cd4e1dcabf4df7e521e77a7cfa58c46aa918b06efb1

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
95KB

MD5
9b8937d1f46fc54dbe63a0db65fc47c4

SHA1
458ef50fb1f58d5e3fd64d3e8894631aa31ce3df

SHA256
2362a92275304a29e1eecb4e88d41e807b30b0d7911d9b034c11e05f60755fea

SHA512
3b6e495dc2680f8c9c76d8322aa110c3d991243a2834ba5eaa86fe2e46f8924f4614bdda56c795c31b13f19da5ef7e2418d7536c3684b69bac173e132dd2465f

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
95KB

MD5
68a33db9d1fb56064a179bc97a570f6d

SHA1
688f139e80e2b2b63af2b13a23e3c01196e65ae6

SHA256
1c4e888fd5a077e5a46b7b47b6feaddde30d29d733d7bc56a7f3acc140da40ef

SHA512
af4bd7b29837e1eef5362929073d86fafe86c4df5f9c5d221a1d1b81e879d9b6774bfe5debd632b549a273519d3dfe4ea57259e46563b33f2f87d96b787236d5

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
95KB

MD5
f076afee87d5498814cc6cf18f172daf

SHA1
aedd726e4bcd214f57aa42628322e477bbdc024e

SHA256
4a5654e140fe7a7f4d5f9a81da98d00317192e71d4280d640b7177c4f68067ce

SHA512
45915ff72b8e7c5236f8b3321221d254e4ec2c1d7453fab8eff22737d5d27c431dd5b7258b027539598c45dd1e8336babb398190b82c4ea13ecbb39f254f5e59

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
95KB

MD5
43748d7a3613e74ee16a01176c91acfa

SHA1
b6430b96d9814f342ca2037ceb1dbf79ee31771c

SHA256
fbdef1b717dc59461cfa595f6dddd4af5a632bf1ef148a590f1b2ab7debb9241

SHA512
f441ef2fc7097c90b1f3c9ee8f35bdf9650da5163a776211fd60fedf50df5bd57a3e583acc48133c163312c770050bd60f7fc0fa9cbe0559e41c24f621b9f31a

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
95KB

MD5
83575a431d5f4df9f5d4f6b1e32906e7

SHA1
4d5d5a7053c8f9c2b276f7ff4148d49418a6923c

SHA256
c5737d0f46ed7c839b8058cc14b6564cb443e372ee1c2b27744ec8a466c706a6

SHA512
55330fa603cee1f347928bcd04e89ab2d814af8e5991a7f93fdfbcf0b2482195726dd7db5792c267c4d103089a43bdd3e782ea09f26a2f4c31bfca5b24880200

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
95KB

MD5
4a3d17c228ad3197a659e77e53e99d84

SHA1
7fc38690eaf873adc1ff264983189f96dad8e5b6

SHA256
d1e11f9b1fbe53d93807705c11d710e247a24492589f191543a776422a29dc5d

SHA512
2b40aa32dcd96417c67daf6cc555820a887af410fe92ee393eacc7a84847ae2785c24e8ec36056d570a95ded4eba6cffd11ddd2092246dd3e169bc8eb18fdfc9

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
95KB

MD5
c8e69947be8d8c509f604d59dd3395e1

SHA1
b4572b81cf311a876ef037135f65ccb2cf46e678

SHA256
975424b0fb0f7cdd063719f04471b9eae14dd3f407715df3ca2d0d5732fc836c

SHA512
d8c5b41ad93e987b414cc0f31c3a12da7ee44c614ab305373e8fdfa10657c28fefce48f7669c9947e0346c0edc835d390877e27547ca4a68a651b4c9d2ce63ad

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
95KB

MD5
332667a1824ebd91b778c344e27ce0b7

SHA1
76c53fd51ff1f54295e9f37e0a51788197c29423

SHA256
5fa9695fa02e96fc02604c349f69e1ace98268fea72e639b158bde7f25be8c40

SHA512
008738f3523f743e602bd8349785c3c7d385793ba7d8fd77c2034bd970561580d8c7bba86640847ab4a79cc997c9980fccdca5a729a54c60f2c383b0b9583540

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
95KB

MD5
3fd43a2cbc0bc8a4dd1683bb2c51fd7d

SHA1
50d27abe6bc54532b8f3ce76a5aa8cd1d1ab8f89

SHA256
ae8b9e589ff1b76785f0cf9d170fe905b1d4e95257c87314915e020fa8e0b0dd

SHA512
49a3e8dbe013ee247db946919bf65c0dcfee60c604da24918b20cd41d6a1c10093e9e8967779bedb697d39dc9a14cb22bd317d24351cf8e26e793f9e5bf7c96a

Download Submit
C:\Windows\SysWOW64\Daconoae.exe

Filesize
95KB

MD5
8381a215bceb09fe651bdd530e535795

SHA1
b8fde1690db3727db4133942bed122b8e4a084b5

SHA256
4ea3690ab72e1c7d5f17ee3c34fa6448c5c7ac92f86cf567f93e01295dc9ac49

SHA512
f16d1037125ac10445c3f4ce178f7b32fbfaa6020e1e7afb7716beb02553ab519ed9cc41b1170c78fe4520a9510a9b82b7295a5f4534cfd03f4f97b00a01edba

Download Submit
C:\Windows\SysWOW64\Ffcnippo.dll

Filesize
7KB

MD5
26dd05f70c020afeddaf3bfce73f0201

SHA1
1abbd7d415457ce4b40d0992aeb136943ca58217

SHA256
9997cc7110fa8cf82e23093b61a4f68d03b19d2fd6fff27fe7ea4656eefd41cc

SHA512
a2e38b2489b5ae1abe7a879b320697f171b76fc98e3f5348145fc674de7bb2efd85ac390b62df16f5aa8f037c2631a611110298a7bbd4cff6419adf2858de121

Download Submit
memory/468-340-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/468-445-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/536-16-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/768-24-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1000-438-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1000-382-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1012-253-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1060-159-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1072-424-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1072-432-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1144-239-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1144-460-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1220-0-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1348-328-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1348-447-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1356-304-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1356-451-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1428-376-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1428-439-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1448-448-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1448-322-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1620-87-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1740-167-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/1920-112-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2084-280-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2084-455-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2212-404-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2272-175-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2412-183-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2448-464-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2448-208-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2500-48-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2616-456-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2616-274-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2720-31-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2788-79-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2820-418-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2820-433-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2856-436-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2856-394-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2880-440-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2880-370-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2996-443-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/2996-352-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3116-44-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3140-191-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3260-458-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3260-262-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3380-95-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3396-128-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3404-298-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3404-452-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3456-286-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3456-454-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3548-103-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3584-72-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3660-461-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3660-232-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3692-120-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3832-406-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3832-434-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3892-316-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3892-449-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3936-135-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4120-430-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4120-431-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4124-151-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4308-450-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4308-310-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4416-292-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4416-453-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4436-199-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4444-364-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4444-441-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4500-346-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4500-444-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4508-437-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4508-388-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4528-224-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4528-462-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4532-7-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4544-216-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4544-463-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4568-459-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4568-256-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4636-58-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4736-457-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4736-268-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4740-67-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4764-143-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4808-446-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4808-338-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4984-412-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/4984-435-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5112-442-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/5112-358-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads