87bef386e1c3ca380d7fe9a408cfd99d919d9018e7dc15cc6645949c8b8bc688

Analysis

max time kernel
101s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd478f8020f849399976697ec71f7480N.exe
Size

111KB
MD5

dd478f8020f849399976697ec71f7480
SHA1

14ab4bd26af6e9e7c7426917503db7f70a6acee7
SHA256

87bef386e1c3ca380d7fe9a408cfd99d919d9018e7dc15cc6645949c8b8bc688
SHA512

228c96812e0b9fb4f9c6e5daa99219e0c5afe6cd4dddec48d536d9eab133c7204745115ad8c60fb4000c20782cf264df0b26293f423bd607f28dc79c2f88062e
SSDEEP

3072:/auBgZp5fS1v3BeYw0v0wnJcefSXQHPTTAkvB5Ddj:cp5fIfUmtnJfKXqPTX7DB

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Afhohlbj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dodbbdbb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	dd478f8020f849399976697ec71f7480N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qffbbldm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjokdipf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amddjegd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bclhhnca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe

Executes dropped EXE 64 IoCs

pid	Process
4048	Qqijje32.exe
2332	Qffbbldm.exe
3016	Anmjcieo.exe
4316	Ampkof32.exe
2484	Ageolo32.exe
1964	Afhohlbj.exe
2112	Aqncedbp.exe
372	Agglboim.exe
4888	Ajfhnjhq.exe
324	Amddjegd.exe
2408	Acnlgp32.exe
2400	Ajhddjfn.exe
3900	Amgapeea.exe
624	Acqimo32.exe
4924	Afoeiklb.exe
4028	Aminee32.exe
4920	Aepefb32.exe
3088	Bfabnjjp.exe
1512	Bmkjkd32.exe
3228	Bebblb32.exe
2964	Bjokdipf.exe
2212	Baicac32.exe
3192	Bgcknmop.exe
2848	Bnmcjg32.exe
4064	Balpgb32.exe
4020	Bgehcmmm.exe
4404	Bfhhoi32.exe
3224	Bmbplc32.exe
1156	Bclhhnca.exe
3972	Bjfaeh32.exe
3280	Bapiabak.exe
2392	Bcoenmao.exe
1756	Cjinkg32.exe
4340	Cndikf32.exe
2540	Cabfga32.exe
2092	Cdabcm32.exe
5112	Cfpnph32.exe
4044	Cmiflbel.exe
4752	Ceqnmpfo.exe
3316	Cdcoim32.exe
3732	Cfbkeh32.exe
3864	Cnicfe32.exe
1108	Cagobalc.exe
1376	Chagok32.exe
4748	Cjpckf32.exe
2676	Cnkplejl.exe
1132	Cajlhqjp.exe
2008	Cdhhdlid.exe
4612	Cjbpaf32.exe
4528	Calhnpgn.exe
2052	Dhfajjoj.exe
1988	Djdmffnn.exe
4880	Danecp32.exe
2196	Ddmaok32.exe
4536	Dfknkg32.exe
2852	Dmefhako.exe
3640	Delnin32.exe
1192	Dhkjej32.exe
4172	Dodbbdbb.exe
5064	Deokon32.exe
1076	Dhmgki32.exe
1112	Dkkcge32.exe
1684	Deagdn32.exe
1724	Dddhpjof.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Pkejdahi.dll	Afhohlbj.exe
File created	C:\Windows\SysWOW64\Oicmfmok.dll	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Afoeiklb.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Calhnpgn.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Aepefb32.exe
File created	C:\Windows\SysWOW64\Bnmcjg32.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Ckmllpik.dll	Cfbkeh32.exe
File opened for modification	C:\Windows\SysWOW64\Afoeiklb.exe	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Bnmcjg32.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Deokon32.exe
File created	C:\Windows\SysWOW64\Ndhkdnkh.dll	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Ceqnmpfo.exe
File created	C:\Windows\SysWOW64\Jbpbca32.dll	Delnin32.exe
File opened for modification	C:\Windows\SysWOW64\Bebblb32.exe	Bmkjkd32.exe
File opened for modification	C:\Windows\SysWOW64\Baicac32.exe	Bjokdipf.exe
File created	C:\Windows\SysWOW64\Jpcnha32.dll	Bfhhoi32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Bmbplc32.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Djdmffnn.exe	Dhfajjoj.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Bmbplc32.exe
File created	C:\Windows\SysWOW64\Bapiabak.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Jgilhm32.dll	Cdhhdlid.exe
File opened for modification	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Akmfnc32.dll	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Aoqimi32.dll	Qqijje32.exe
File created	C:\Windows\SysWOW64\Gmdlbjng.dll	Ajhddjfn.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Ajhddjfn.exe	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Mglncdoj.dll	Amgapeea.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Aminee32.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Cfpnph32.exe	Cdabcm32.exe
File created	C:\Windows\SysWOW64\Qqijje32.exe	dd478f8020f849399976697ec71f7480N.exe
File created	C:\Windows\SysWOW64\Dpmdoo32.dll	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Ajfhnjhq.exe	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cabfga32.exe
File opened for modification	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File opened for modification	C:\Windows\SysWOW64\Anmjcieo.exe	Qffbbldm.exe
File created	C:\Windows\SysWOW64\Kahdohfm.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File created	C:\Windows\SysWOW64\Hdhpgj32.dll	Dhfajjoj.exe
File opened for modification	C:\Windows\SysWOW64\Qqijje32.exe	dd478f8020f849399976697ec71f7480N.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Bmbplc32.exe	Bfhhoi32.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cndikf32.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File created	C:\Windows\SysWOW64\Qffbbldm.exe	Qqijje32.exe
File created	C:\Windows\SysWOW64\Bhicommo.dll	Cabfga32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1048	4040	WerFault.exe	154

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjokdipf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhohlbj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anmjcieo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd478f8020f849399976697ec71f7480N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afoeiklb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdabcm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfhhoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajhddjfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qffbbldm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmcfdb32.dll"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqjamcpe.dll"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cagobalc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpggmhkg.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpfgbfp.dll"	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmfiloih.dll"	Aminee32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akmfnc32.dll"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diphbb32.dll"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ajhddjfn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qffbbldm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maghgl32.dll"	Amddjegd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dmefhako.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Anmjcieo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Afoeiklb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Acnlgp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkjpmk32.dll"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbloam32.dll"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	dd478f8020f849399976697ec71f7480N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3240 wrote to memory of 4048	3240	dd478f8020f849399976697ec71f7480N.exe	84
PID 3240 wrote to memory of 4048	3240	dd478f8020f849399976697ec71f7480N.exe	84
PID 3240 wrote to memory of 4048	3240	dd478f8020f849399976697ec71f7480N.exe	84
PID 4048 wrote to memory of 2332	4048	Qqijje32.exe	85
PID 4048 wrote to memory of 2332	4048	Qqijje32.exe	85
PID 4048 wrote to memory of 2332	4048	Qqijje32.exe	85
PID 2332 wrote to memory of 3016	2332	Qffbbldm.exe	86
PID 2332 wrote to memory of 3016	2332	Qffbbldm.exe	86
PID 2332 wrote to memory of 3016	2332	Qffbbldm.exe	86
PID 3016 wrote to memory of 4316	3016	Anmjcieo.exe	87
PID 3016 wrote to memory of 4316	3016	Anmjcieo.exe	87
PID 3016 wrote to memory of 4316	3016	Anmjcieo.exe	87
PID 4316 wrote to memory of 2484	4316	Ampkof32.exe	88
PID 4316 wrote to memory of 2484	4316	Ampkof32.exe	88
PID 4316 wrote to memory of 2484	4316	Ampkof32.exe	88
PID 2484 wrote to memory of 1964	2484	Ageolo32.exe	89
PID 2484 wrote to memory of 1964	2484	Ageolo32.exe	89
PID 2484 wrote to memory of 1964	2484	Ageolo32.exe	89
PID 1964 wrote to memory of 2112	1964	Afhohlbj.exe	90
PID 1964 wrote to memory of 2112	1964	Afhohlbj.exe	90
PID 1964 wrote to memory of 2112	1964	Afhohlbj.exe	90
PID 2112 wrote to memory of 372	2112	Aqncedbp.exe	91
PID 2112 wrote to memory of 372	2112	Aqncedbp.exe	91
PID 2112 wrote to memory of 372	2112	Aqncedbp.exe	91
PID 372 wrote to memory of 4888	372	Agglboim.exe	92
PID 372 wrote to memory of 4888	372	Agglboim.exe	92
PID 372 wrote to memory of 4888	372	Agglboim.exe	92
PID 4888 wrote to memory of 324	4888	Ajfhnjhq.exe	93
PID 4888 wrote to memory of 324	4888	Ajfhnjhq.exe	93
PID 4888 wrote to memory of 324	4888	Ajfhnjhq.exe	93
PID 324 wrote to memory of 2408	324	Amddjegd.exe	95
PID 324 wrote to memory of 2408	324	Amddjegd.exe	95
PID 324 wrote to memory of 2408	324	Amddjegd.exe	95
PID 2408 wrote to memory of 2400	2408	Acnlgp32.exe	96
PID 2408 wrote to memory of 2400	2408	Acnlgp32.exe	96
PID 2408 wrote to memory of 2400	2408	Acnlgp32.exe	96
PID 2400 wrote to memory of 3900	2400	Ajhddjfn.exe	97
PID 2400 wrote to memory of 3900	2400	Ajhddjfn.exe	97
PID 2400 wrote to memory of 3900	2400	Ajhddjfn.exe	97
PID 3900 wrote to memory of 624	3900	Amgapeea.exe	98
PID 3900 wrote to memory of 624	3900	Amgapeea.exe	98
PID 3900 wrote to memory of 624	3900	Amgapeea.exe	98
PID 624 wrote to memory of 4924	624	Acqimo32.exe	99
PID 624 wrote to memory of 4924	624	Acqimo32.exe	99
PID 624 wrote to memory of 4924	624	Acqimo32.exe	99
PID 4924 wrote to memory of 4028	4924	Afoeiklb.exe	100
PID 4924 wrote to memory of 4028	4924	Afoeiklb.exe	100
PID 4924 wrote to memory of 4028	4924	Afoeiklb.exe	100
PID 4028 wrote to memory of 4920	4028	Aminee32.exe	102
PID 4028 wrote to memory of 4920	4028	Aminee32.exe	102
PID 4028 wrote to memory of 4920	4028	Aminee32.exe	102
PID 4920 wrote to memory of 3088	4920	Aepefb32.exe	103
PID 4920 wrote to memory of 3088	4920	Aepefb32.exe	103
PID 4920 wrote to memory of 3088	4920	Aepefb32.exe	103
PID 3088 wrote to memory of 1512	3088	Bfabnjjp.exe	104
PID 3088 wrote to memory of 1512	3088	Bfabnjjp.exe	104
PID 3088 wrote to memory of 1512	3088	Bfabnjjp.exe	104
PID 1512 wrote to memory of 3228	1512	Bmkjkd32.exe	105
PID 1512 wrote to memory of 3228	1512	Bmkjkd32.exe	105
PID 1512 wrote to memory of 3228	1512	Bmkjkd32.exe	105
PID 3228 wrote to memory of 2964	3228	Bebblb32.exe	107
PID 3228 wrote to memory of 2964	3228	Bebblb32.exe	107
PID 3228 wrote to memory of 2964	3228	Bebblb32.exe	107
PID 2964 wrote to memory of 2212	2964	Bjokdipf.exe	108

C:\Users\Admin\AppData\Local\Temp\dd478f8020f849399976697ec71f7480N.exe
"C:\Users\Admin\AppData\Local\Temp\dd478f8020f849399976697ec71f7480N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Windows\SysWOW64\Qqijje32.exe
  C:\Windows\system32\Qqijje32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4048
- - C:\Windows\SysWOW64\Qffbbldm.exe
    C:\Windows\system32\Qffbbldm.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Windows\SysWOW64\Anmjcieo.exe
      C:\Windows\system32\Anmjcieo.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3016
    - - C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4316
      - C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\SysWOW64\Afhohlbj.exe
        
        C:\Windows\system32\Afhohlbj.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2112
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\Amddjegd.exe
        
        C:\Windows\system32\Amddjegd.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:324
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\SysWOW64\Ajhddjfn.exe
        
        C:\Windows\system32\Ajhddjfn.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\SysWOW64\Afoeiklb.exe
        
        C:\Windows\system32\Afoeiklb.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3088
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3228
        
        C:\Windows\SysWOW64\Bjokdipf.exe
        
        C:\Windows\system32\Bjokdipf.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3192
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2848
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4020
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4404
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3224
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3280
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2092
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4044
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3316
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3732
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3864
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1108
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2676
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1132
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2008
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4612
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:5036
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4880
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4536
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2852
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3640
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1192
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4172
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5064
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1076
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:228
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:4040
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4040 -s 416
        70⤵
        Program crash
        
        PID:1048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4040 -ip 4040
1⤵
PID:396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
111KB

MD5
e573d3f1831509d85f0cb4d32a211df0

SHA1
16f29b005a8c2ecf92df6d0c33991d7ef1e18f01

SHA256
70b189781b85b2c15a2fec97c08bf8268862e2a262324481e3d59531fb2ce94b

SHA512
2e0575275fc7192efb8a7fbf30469ae1d020a3d20aee95a5c9d4ce08b9fb01bea04c11a450a1dce69802512ed7d8ff4ce5d087d27bd8a57b45caef40bd1ba82a

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
111KB

MD5
c9662460dad5b2e0f813a133e0f696f6

SHA1
4a91f2f5edf057056e495e409b81c9f36eb271c6

SHA256
cda9cde7fb8a56e634fa4ed5cfb185f99ade44165ca7a30f3cc4ec6ab54b90a0

SHA512
350a8d6b53f81224a51dc2d34421839681f729f1345ac90f9bd17a97085fd02e026ac95523a93c8164c63046155b74b50302de65cecca1d7662312cf325c817b

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
111KB

MD5
36fb6aeb07b9d18c5958e0dd73887b85

SHA1
64d7133cc2c6513bbb7eb6295bc8a9eaa68aa1e1

SHA256
e5467ae8135e4a8d4fcedee2fa05de264a98bff815e952143b7e6c2fa78b2675

SHA512
3bb212bc753eef707a90981ee2460be588a8d3e67385b800cc39b08707c0bd5c2e4ebf2dce7305485b8fb6f5994ca2495bae95df9745410df83f3f1cac054a4c

Download Submit
C:\Windows\SysWOW64\Afhohlbj.exe

Filesize
111KB

MD5
e1e9c62c545f5447a2c00c61991dcbaa

SHA1
2615c31d79ea66124f899115780d9827280d76b6

SHA256
090198f966868b0d335bddb1735591870929769420180e8536cc00df0172336c

SHA512
df6f117c7d71eed26e3cd586d3f214ee2a065ef3368db6ad0fcae0f6f6aaaff75f077c617b968f50ee580cae18663aaab5ab48fef3f0afada8b67cdfc58c383f

Download Submit
C:\Windows\SysWOW64\Afoeiklb.exe

Filesize
111KB

MD5
7643c714e41ef30c7b85eb4a532eb80b

SHA1
3febc44330d02dccb2be70a7f98601c800c9ba90

SHA256
35a4c20c5ec5426ec1f5428c6d9b981e0e8db560da703e1ee3a5bcaea47598e1

SHA512
607ce2d1e963789bfad5a67246b65598ad649a56858bcb5f750b5f0cf6acf1440f4526dc08ac08209d16c2ed94b870ad46bc3f3ab790453a17fd65b7c1c44ebc

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
111KB

MD5
57fee6831b9b8cd4ad04c5c196a81968

SHA1
21616b1d5dd202be9cff7917709f3dbc9baf27ed

SHA256
5c1045b78e0b59a778dde6258864cca0b6b3774178d2d84df385ad5700fea34b

SHA512
5d4a9fcf5918e46f0ac6f8891582c6410989392119d25ea584fbc2ad48df7b156509cb3b79c7988321674ac5009f540d4fa91de0e35ce7e6270952da77fb41bd

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
111KB

MD5
5d19feb4cf545811922c2c71e77a0b3d

SHA1
fc70ee6da360f4a5a31ed705d9c2b1b7b4457bab

SHA256
b119dd66e4190c8ad48bb8158852d4406c10626130f1018cf955ab682353ebb8

SHA512
4f788aba7e1a67acd3e4de89f053ca18425de7960deda4cb35c4f68fd6ee978ba7cee8a1b269f7a919e18b409297bc1b353364e35476edc8c869387e11bbdca8

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
111KB

MD5
88668cec3999814f5ca4ce3b393ff05d

SHA1
a8485c560a9c32a306d1adfa3d7d05ef205dca97

SHA256
c9c657dccbce98a3076c1c6cc99b9a91f78d204d9e1234bc2b720f60d6839d6f

SHA512
ef58a78637a410b09f5f6c3eed5cd0984db7ffadbfd90afcb53e398ffc389494de1e2c7fdaee179398e795eafcaec1f7ab63fcb2556a54928621b5acb2ffb0ec

Download Submit
C:\Windows\SysWOW64\Ajhddjfn.exe

Filesize
111KB

MD5
2bd5d9fc904b60e3b981b2640ca6e055

SHA1
7b6c564a513c277ecb0671d00a405168e7e30f53

SHA256
4d166309a55c79ca45dfae1abfa46580d5899e57a2bb756691c277709ead5999

SHA512
bbb7e04473a5b512369564f1cf13b3aa36218af03f3371c0ab5a605b514d223ddc78b9ac8180e12724c9fad8d4042c85cf49292613202b9878d4d52f6aac9e82

Download Submit
C:\Windows\SysWOW64\Amddjegd.exe

Filesize
111KB

MD5
cd8aaf994818797bd5eaf95412b73101

SHA1
9afc7fee982683654ea67816d6dea515dbe2b7bc

SHA256
965fe1d57d904675989c73171943765f0c50bafb3ba85e0437da092cc64afa28

SHA512
54742a8b2e824e5344bb6e2861e88c7f92b5aeec4de205d5636876d7ebd7cc46171817be7d6e69384440d5aba846cc906ed251cf68b3d0a599738e6ee458e4d6

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
111KB

MD5
5bb97af623f7b7c265f7204c644428e7

SHA1
c859100e8c3e717abda9b9406895e6f91c37bfe9

SHA256
9adeb445b60f813e9a6018c6dbebe84a456ff23a7ec2477541c0c296b52fad68

SHA512
23cb94653dab440502a08245d5b64eaacc1171c3ad7be2dfe2cd8bbe1286ac995dd8591680e946add59775b75faf89adb9870b1ee4734ccf0b6fbd8a7be1ddb1

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
111KB

MD5
9e006cce17e47f56fca08ff1e5a3f8ba

SHA1
9872eb027a1c2d74dfd14d49700ba3a5076eef44

SHA256
fde8bbd0dcab46a1d87e922b069de83f321a7df8d05cfd33b54582b61c6508c9

SHA512
77f5943d1cc8184b9194801d4ee32dea02923108c00c89022bb51783361bf20d8c5b02221d7e7185c6d57a13dd8f8b01ffa999a71e9247175dc3dbd6a915966b

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
111KB

MD5
0c8bb7da243c69cb1ff1f6e763fdf8d0

SHA1
5e8fa9d57e4e07712921b02d51e56139c683224e

SHA256
ef0c8c2c1bf65470a1b94c1c7da3367485cb0cb71137e48294b4704a490fd742

SHA512
00e31b1c8ce3e51203f0bfa895cb113e6f372bf2139ff17bc3414318e633d13a65373894015345193558cd6ea828f8516ab93cea2ca24847766deaf8422d4c8d

Download Submit
C:\Windows\SysWOW64\Anmjcieo.exe

Filesize
111KB

MD5
95acd8ee515f796ae044f956871e42d5

SHA1
59c5f97182ac656284ec85b84553bed6e34576ad

SHA256
690430ebe5685b84b23bd8df36d1a9cd6f65935ea59f86ac5ebe54d7aed2632d

SHA512
ad3fd2ac29ce0d41707a9385a45730c44c6eb865d99673cd678bd6b78c8374d9f4bdc89ba578b3c617198142e610a0690e972c09559be17e4765b1703b7e8108

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
111KB

MD5
8e40b620f26106ac555dbd568c7f750f

SHA1
0c1a366af6004d030c4e12da7226cead258362c7

SHA256
8d013aa28dd262279fdecd9e70d9fc01c8ffae5885494a0cfe03065a9a305298

SHA512
80f556842c35acb26a3726b1080791893c157ac345f3f49309471365ff61d01f3061d2b4100893f8a4d398c48d132232da942afa74641def449063f69545d707

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
111KB

MD5
69eabf217183944bad12b05b9f846f09

SHA1
a6487cf08838c0415bd4af33b98fb84828c91c86

SHA256
feba51ab6bc56877af52f2cd9962aceeb7caaeaa0e99c46eb45a12e4777e1dd9

SHA512
8a030142ffe9c2561535286f06401476e4abf0cd5eb8015c7c81039e85cf628fd8c796b247d87d7957426ce75934332f9b0f74a80d7c4c2210c6ac83f2970a63

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
111KB

MD5
7fc78dac05b0cc04562b88a9dab5da4b

SHA1
0aa904529ca541bebf73aa85940633dbe5596366

SHA256
1af981fcd2b2417025a784e18e5deb21df284eb25cc3d53bc35bbc7d121f24c6

SHA512
ef58b8e1a95e96e4e8940a3af221077303e08496c1c6bd7d5637e1436909bff1d05bb52edb46839c5a266d84b6fa9a89b3fff7541baf758db2a735c155e21c65

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
111KB

MD5
6e66b8c81381149538d4560b6afdf5fa

SHA1
8499013da9a81c38123b76b8d3e6b9fbc743cca2

SHA256
a0a0189b0959c1bffedaa10f338f020e60121f76c9a2531922ad760c503ceed3

SHA512
3aef60d63a6e2a8c8c2afbdc1c42d8b4e3487fd74eed1781623f21d1f9b9f13325cbe6a4bc497e4c02edd7e5a87bf66fc29b363449115804d415fbfe55e1f36b

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
111KB

MD5
b75449783a5e6e2df334b5c859d2c5e7

SHA1
a36677e0bc14812be54252ca33749ff38fe35367

SHA256
6e4530df5fe0dc314deaf7ce3f982118d601e50e5db4ef27765dd237433f512e

SHA512
fbf8e30bc77dffd1b5cb8901863aba5ec78d9b58fe8d7a666d738253561b71003bfb61fdef7185d101acd6ea807d8c54200955323bbac3389631caa9d44b16f0

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
111KB

MD5
5ff3a0c3ac1e81bc306a54f6cfa0af80

SHA1
9f9d46217ae075b48af072dfd25ba8cd3181f53d

SHA256
2acf3cd13ca8c8731582adc316404a8d6a94c5038b4d65e9c97475a885365085

SHA512
23a9c3aff751f65b8c16952742d5def04e5693c32371825538361a3178be6acd77aa719386ebf9bdff0ab62042b329486a218b8bc4b71d4606d5facc67bba484

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
111KB

MD5
b0907c5e28dbbad45616f685b4ea3cc8

SHA1
0646f02c264f3d4bb51daa2b623bad986e9f8755

SHA256
b62cbca24528019f520e4343c1512043b968b6f68398f581bc57f9ddc7ee99aa

SHA512
0b26c4af456c3373218fd5adcf611f79d07d08e2aecb727e91519406c962814e4a14ea4ad8be841f1b835574200b9d94f645c18d7e271597ef20b4311654c2a8

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
111KB

MD5
e2e11819c6862346323ba603e945ef76

SHA1
7a4a7135bf1f3353d2200e181ed0d790121afdbe

SHA256
d5c3f7dd62c8684491c90f78a9b795c01f951c514540de5f6e5dc866fdfcaea0

SHA512
706a4b15a8d9d3b48aee2bea881ba57d08d146c26e46c60597d3621b59cd07d097cc67391a29250daa77a70210552bbd647e83376481f92ff1592dd3fe7a3622

Download Submit
C:\Windows\SysWOW64\Bfhhoi32.exe

Filesize
111KB

MD5
73683eda1805591232cfa1587a7ae75c

SHA1
b910940b0c5b52463e0960ecb748457601a5b4b6

SHA256
002f0bb662d4140f9a512dbd0580a037b9bab1ec463fd242f23bfba0841430df

SHA512
ceb1454f98de9839495a1378c9dea5f9725616047d553d21260c7dac06dfde0361e806fea70573c9e5f4ba7d0337281aa3c826bba78205f18940b70e8db787b9

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
111KB

MD5
5b688864641e48932655431fcba9093f

SHA1
7ccba46f9ac05001ced6b31e921e9e966c9ef3bf

SHA256
c8ea7b1696f52ca68ce00dc70f24047770b4022fb3cccd6413d4a35e2e04a015

SHA512
5112360e2f3a332391dfee6a4d50a950bf13910c3992c61d6cdccb3ffaa725c9a8d7d266b0a52dd546a54f1d92f0bd59be73648b3005272408406a0783c0f1a8

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
111KB

MD5
7a1da8be2c16b7ff66e34c364199d241

SHA1
d9ad65332e166e1e50d9e9e49748e57ba2481458

SHA256
6e5bf9deb5306bca1158cfd6d0cfd344bf4ad81004af5ed56f937cf96093c6a2

SHA512
f4745825a998e690ffcd750c4fe903001b854c9331857f8e6fb879a284a5ff499cd8aa47663b164064c7464ea7a51a42ead835fb5052388f03dba5e34281a04b

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
111KB

MD5
afb672c31475c7e941680ae7d6753e34

SHA1
1ef3bb7127fb6580f071ad3ea880b06207964954

SHA256
8b5435b1a37c6f4525fc167f5d7ca41ffbb001e8bae9a780ac16fe6183fbff6c

SHA512
80106916d0922f95585faef7f567ff140f51a66940a4e3fb47545bfa6ad4785a433d39b1310a1d31483f43ebeaea50285d591cb55f3322b13b5c469c59fd6ae3

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
111KB

MD5
3624c074a0f60ebfcdaa5e7724cff7de

SHA1
acebe9f80ea6ab10591d42b7ffaeff859ff95ef0

SHA256
39b24a2014377efd0af9536213a0c202c1090e41be3fdc7f57da282e1bd4272f

SHA512
689612042d2bacd63d0f95bc2eb32c45f6e95a3888d87d80927ee13732577a85e94e5b625781fed784745895348c96185bc0d1d456f651e9e159392f739f5a39

Download Submit
C:\Windows\SysWOW64\Bjokdipf.exe

Filesize
111KB

MD5
7dd8b5746458b63c403cd298f6d502e0

SHA1
5ad5071f939bef9f9ff966f24ac04937b30b2834

SHA256
c1fccc9e0eae9782bbca9c9ac7a179732d3c22338ae11c738ec9a56f7e80e72d

SHA512
90f4be4574dc505ab85d145b16c6a8c4c5ed43c48e12f341af026c7aa29c3877a2ce4a68fbec62cacb9c6b8d8a5b7575327324d6a4556d2e3a960feb48716b7c

Download Submit
C:\Windows\SysWOW64\Bmbplc32.exe

Filesize
111KB

MD5
080bbd790b8bdb21ed399be660bf9547

SHA1
8afd6a04f6977cf0da749b172ba0e761aa3c4607

SHA256
8d08d144926f17a0eb11724457786fb1118f0cd8a0ea0587e2b9f5143fb623c1

SHA512
ba511f8e69d83a9be8e5845da4d1e7094d036e202de1e3fbdea717a14dc218752ef5fa1894a135036bae2b3a205361856216c13c17f8e3aeebff105928f11c23

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
111KB

MD5
6a423fc7a8d74176d71662d5515ee3ba

SHA1
39c6226a380fcc76b51b4ed5aa31c2a567a7db3d

SHA256
d74b7d0f65f6fb7ad173d02fa2e63e6a64da0e16197f521ebce266b0aa3cb537

SHA512
0982d7f7824766d6e522a17aa5075a44c741895c71265d2411ec516563ba59745711caf8c57362a1161e19ec79718bd1987c68e90f63089b2ccaf1b409fd7ece

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
111KB

MD5
4eed134bf26cc4798e103e2988b790ff

SHA1
d620f0a70ce7ddcf21504e44ee79eda06ff5177e

SHA256
7153079583818b673396cb7fa4a98afd741403f7911cfbfd0ea2d65873b8cf5b

SHA512
8814ef7edeae4f4d1cb85ca62377fcd982ff02c622aa5dc2519e677ccfcf382b367eb0d6ce04562bee24f9ff1a426c51f14f9345e401e267ca14f4f5d62d22d6

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
111KB

MD5
a73fb2c9a08bb571fd361a56b393ce8f

SHA1
2a8705ee777e3f866c8b356c333e1d7bc2df94dd

SHA256
926a30280df18095a319a5b0e11bd180319f4d738aac6ca96485cbb61c8e1511

SHA512
b5d24c1ec6688d6e8ea782fc88268278c302696301a12b1ceea159d8fd6746202aa0f00f0460dab51a0342fc277ea79dd16fe8ca6b25f1b66ba2a13f8c64516d

Download Submit
C:\Windows\SysWOW64\Dhmgki32.exe

Filesize
111KB

MD5
75ad9d4d5413e02a63bb79fe614ac052

SHA1
bc72948198e5f0cf37f37a9e9d3f075eea1c0f4e

SHA256
36fef0602bb62e4ad80015c3058e4a509a5e5e005c5921b7a67e3d41c078792f

SHA512
b25a8e658ad30b11012b86b5e2732298c4085091e7a6c3d648dad9c378120b0720928d3a2f6fee269968f359bd70379469732d64f053abf9611316f583351844

Download Submit
C:\Windows\SysWOW64\Efmolq32.dll

Filesize
7KB

MD5
7496b21d0bccdf7c3ef83ae4f97202cd

SHA1
1a14fda8e4bf7e14c95f9f355f83b859ad5cffe5

SHA256
f693d9dc0756711d410c213656347538fdfc54671d9a11aed2407afc92a3ac98

SHA512
9f3344a5477def754b6ebc729e64f295d3951103667e4bcadc1b63af5654366bdee044dd4927c30c2e44716aebe4b312f6b509c4d4bc7a387632999d91c3ec08

Download Submit
C:\Windows\SysWOW64\Qffbbldm.exe

Filesize
111KB

MD5
0e4d5ce24da943cf571f33a57ab3b52a

SHA1
413e1cc25b6df18664c1e9f30687f877f1cea4a7

SHA256
e56538bc5f4cd57a4affeaf3427c53d0337460444c0d04daa9305844cb4153c1

SHA512
d2c3f36c483b59841d7e86bea0a7ccd0c2e56af4e5dbf0d6d19ffd9ef3185aca2b2e236d104406711273e679e50d4df1ae8b4f61d445dc672fff7b514a91c89a

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
111KB

MD5
7fd0afc321120671c68a6db0c7b225f7

SHA1
bc849f8f47a92956640e2bbd6955c1a100162a5d

SHA256
cb74a608514f564b66733be6d2ab343668ed8fed960797e05919892f9f029596

SHA512
6e1dfd30402e0c95a65b4ba2fe0e22c3385a5388654e56c1f167e2c538baa790c1bc71e5ea9009f827d11c2468fb881337d0a48fb31e52455b8827515ee4d99c

Download Submit
memory/228-455-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/228-469-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/324-79-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/372-63-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/624-111-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1076-431-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1076-472-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1108-322-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1108-490-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1112-437-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1112-471-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1132-346-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1132-486-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1156-232-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1192-475-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1192-413-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1376-328-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1376-489-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1512-151-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1684-443-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1684-470-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1724-454-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1756-262-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1964-47-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1988-480-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1988-377-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2008-485-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2008-352-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2052-371-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2052-481-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2092-280-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2112-55-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2196-389-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2196-478-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2212-176-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2332-15-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2392-255-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2400-95-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2408-87-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2484-39-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2540-274-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2676-487-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2676-340-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2848-191-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2852-476-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2852-401-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2964-167-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3016-23-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3088-144-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3192-183-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3224-223-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3228-159-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3240-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3280-247-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3316-304-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3316-493-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3640-411-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3732-492-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3732-310-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3864-491-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3864-316-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3900-103-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3944-466-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3972-239-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4020-212-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4028-127-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4040-467-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4040-468-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4044-292-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4048-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4064-200-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4172-419-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4172-474-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4316-31-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4340-268-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4404-216-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4528-365-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4528-482-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4536-395-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4536-477-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4612-484-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4612-358-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4748-488-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4748-334-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4752-494-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4752-298-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4880-479-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4880-383-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4888-71-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4920-135-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4924-119-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5036-483-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5036-359-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5064-425-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5064-473-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5112-286-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads