3ddfb18fc2ea90452196a43ec6c29d5f8f2aac65d34f72bbb6162f066f7ed7b7

Analysis

max time kernel
96s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 10:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

111118c66f96e3545a30c4c20683fd40N.exe
Size

896KB
MD5

111118c66f96e3545a30c4c20683fd40
SHA1

8bca63a00a1a8e13113bdcb80aead5d80e3c5525
SHA256

3ddfb18fc2ea90452196a43ec6c29d5f8f2aac65d34f72bbb6162f066f7ed7b7
SHA512

d045ec53d2222e2bdcd7a86806cf74bdc1dd3052f55ae69ddecc07d68c4b22620a28604584b8ba021f1852066381192c2ac4231dcc25b4980879754f44b439f0
SSDEEP

12288:dfgw4kdMByvNv54B9f01ZmHByvNv5VwLonfBHLqF1Nw5ILonfByvNv5HV:5gSjvr4B9f01ZmQvrUENOVvr1

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	111118c66f96e3545a30c4c20683fd40N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ncianepl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcncpbmd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pncgmkmj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pjcbbmif.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Oflgep32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Pggbkagp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ncianepl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nngokoej.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Neeqea32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pjcbbmif.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnhahj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Accfbokl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Odkjng32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bjagjhnc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bhhdil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnneknob.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ofeilobp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	111118c66f96e3545a30c4c20683fd40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Odkjng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Nnjlpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Qnhahj32.exe

Executes dropped EXE 62 IoCs

pid	Process
1520	Nngokoej.exe
1348	Nnjlpo32.exe
3864	Neeqea32.exe
3012	Ncianepl.exe
1804	Nfgmjqop.exe
3768	Nnneknob.exe
1780	Odkjng32.exe
1816	Oflgep32.exe
4916	Ogkcpbam.exe
4120	Olhlhjpd.exe
1064	Ofqpqo32.exe
4564	Ofcmfodb.exe
3528	Olmeci32.exe
828	Ofeilobp.exe
2136	Pjcbbmif.exe
2468	Pqmjog32.exe
1552	Pggbkagp.exe
3684	Pcncpbmd.exe
2380	Pncgmkmj.exe
4668	Pqbdjfln.exe
2196	Qnhahj32.exe
4648	Qjoankoi.exe
4684	Qgcbgo32.exe
1456	Ampkof32.exe
2304	Anogiicl.exe
4280	Agglboim.exe
1180	Aqppkd32.exe
4664	Aabmqd32.exe
4244	Ajkaii32.exe
2352	Aadifclh.exe
2524	Accfbokl.exe
3796	Bnhjohkb.exe
2964	Baicac32.exe
4944	Bgcknmop.exe
2920	Bjagjhnc.exe
2632	Balpgb32.exe
4388	Bgehcmmm.exe
860	Bnpppgdj.exe
2696	Banllbdn.exe
1148	Bhhdil32.exe
4504	Bnbmefbg.exe
2456	Bapiabak.exe
4336	Chjaol32.exe
3004	Cjinkg32.exe
4420	Cabfga32.exe
4412	Chmndlge.exe
4408	Ceqnmpfo.exe
4956	Cdcoim32.exe
4584	Cagobalc.exe
3908	Cjpckf32.exe
2204	Cjbpaf32.exe
4480	Dhfajjoj.exe
3596	Danecp32.exe
3560	Dmefhako.exe
2188	Delnin32.exe
4008	Dhkjej32.exe
4396	Dodbbdbb.exe
4796	Dhmgki32.exe
4024	Dogogcpo.exe
3316	Deagdn32.exe
2616	Dgbdlf32.exe
2924	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ogkcpbam.exe	Oflgep32.exe
File created	C:\Windows\SysWOW64\Laqpgflj.dll	Qjoankoi.exe
File opened for modification	C:\Windows\SysWOW64\Aadifclh.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Chmndlge.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Deagdn32.exe
File opened for modification	C:\Windows\SysWOW64\Neeqea32.exe	Nnjlpo32.exe
File created	C:\Windows\SysWOW64\Jilkmnni.dll	Ofcmfodb.exe
File created	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Gfghpl32.dll	Deagdn32.exe
File created	C:\Windows\SysWOW64\Qgcbgo32.exe	Qjoankoi.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Cabfga32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Ofcmfodb.exe	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Baicac32.exe	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bhhdil32.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Cjbpaf32.exe	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Lcnhho32.dll	Oflgep32.exe
File created	C:\Windows\SysWOW64\Bgcknmop.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Kdqjac32.dll	Chmndlge.exe
File created	C:\Windows\SysWOW64\Nnjlpo32.exe	Nngokoej.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Banllbdn.exe	Bnpppgdj.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Bapiabak.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Nfgmjqop.exe	Ncianepl.exe
File created	C:\Windows\SysWOW64\Ofqpqo32.exe	Olhlhjpd.exe
File created	C:\Windows\SysWOW64\Dbagnedl.dll	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Accfbokl.exe	Aadifclh.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cabfga32.exe
File created	C:\Windows\SysWOW64\Nkenegog.dll	111118c66f96e3545a30c4c20683fd40N.exe
File created	C:\Windows\SysWOW64\Hlfofiig.dll	Nnjlpo32.exe
File opened for modification	C:\Windows\SysWOW64\Ogkcpbam.exe	Oflgep32.exe
File created	C:\Windows\SysWOW64\Gcdmai32.dll	Ofqpqo32.exe
File created	C:\Windows\SysWOW64\Pqbdjfln.exe	Pncgmkmj.exe
File created	C:\Windows\SysWOW64\Qjoankoi.exe	Qnhahj32.exe
File opened for modification	C:\Windows\SysWOW64\Odkjng32.exe	Nnneknob.exe
File created	C:\Windows\SysWOW64\Donfhp32.dll	Olhlhjpd.exe
File created	C:\Windows\SysWOW64\Eflgme32.dll	Bgcknmop.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Bapiabak.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Nnjlpo32.exe	Nngokoej.exe
File created	C:\Windows\SysWOW64\Oflgep32.exe	Odkjng32.exe
File opened for modification	C:\Windows\SysWOW64\Pqmjog32.exe	Pjcbbmif.exe
File created	C:\Windows\SysWOW64\Deeiam32.dll	Pcncpbmd.exe
File opened for modification	C:\Windows\SysWOW64\Qgcbgo32.exe	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Aqppkd32.exe	Agglboim.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Ncianepl.exe	Neeqea32.exe
File created	C:\Windows\SysWOW64\Aadifclh.exe	Ajkaii32.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Agglboim.exe	Anogiicl.exe
File created	C:\Windows\SysWOW64\Nngokoej.exe	111118c66f96e3545a30c4c20683fd40N.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2348	2924	WerFault.exe	148

System Location Discovery: System Language Discovery 1 TTPs 63 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcncpbmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pjcbbmif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oflgep32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ogkcpbam.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofcmfodb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqbdjfln.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnhahj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnjlpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pqmjog32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabmqd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfgmjqop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olhlhjpd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Olmeci32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Neeqea32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofeilobp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pggbkagp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agglboim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	111118c66f96e3545a30c4c20683fd40N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odkjng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Accfbokl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nngokoej.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nnneknob.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofqpqo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pncgmkmj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncianepl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnhho32.dll"	Oflgep32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnljnaa.dll"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Agglboim.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eokchkmi.dll"	Cjbpaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ogkcpbam.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll"	Ofcmfodb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chempj32.dll"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qnhahj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aadifclh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqjac32.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Neeqea32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Donfhp32.dll"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pqmjog32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Baicac32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ceqnmpfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Oflgep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ofcmfodb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kahdohfm.dll"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Oflgep32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Ampkof32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Delnin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	111118c66f96e3545a30c4c20683fd40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Aabmqd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Olhlhjpd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomibind.dll"	Pggbkagp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Bhhdil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Deagdn32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Ofqpqo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qihfjd32.dll"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Olmeci32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Pqbdjfln.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Dodbbdbb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 1520	2248	111118c66f96e3545a30c4c20683fd40N.exe	84
PID 2248 wrote to memory of 1520	2248	111118c66f96e3545a30c4c20683fd40N.exe	84
PID 2248 wrote to memory of 1520	2248	111118c66f96e3545a30c4c20683fd40N.exe	84
PID 1520 wrote to memory of 1348	1520	Nngokoej.exe	85
PID 1520 wrote to memory of 1348	1520	Nngokoej.exe	85
PID 1520 wrote to memory of 1348	1520	Nngokoej.exe	85
PID 1348 wrote to memory of 3864	1348	Nnjlpo32.exe	86
PID 1348 wrote to memory of 3864	1348	Nnjlpo32.exe	86
PID 1348 wrote to memory of 3864	1348	Nnjlpo32.exe	86
PID 3864 wrote to memory of 3012	3864	Neeqea32.exe	87
PID 3864 wrote to memory of 3012	3864	Neeqea32.exe	87
PID 3864 wrote to memory of 3012	3864	Neeqea32.exe	87
PID 3012 wrote to memory of 1804	3012	Ncianepl.exe	88
PID 3012 wrote to memory of 1804	3012	Ncianepl.exe	88
PID 3012 wrote to memory of 1804	3012	Ncianepl.exe	88
PID 1804 wrote to memory of 3768	1804	Nfgmjqop.exe	89
PID 1804 wrote to memory of 3768	1804	Nfgmjqop.exe	89
PID 1804 wrote to memory of 3768	1804	Nfgmjqop.exe	89
PID 3768 wrote to memory of 1780	3768	Nnneknob.exe	90
PID 3768 wrote to memory of 1780	3768	Nnneknob.exe	90
PID 3768 wrote to memory of 1780	3768	Nnneknob.exe	90
PID 1780 wrote to memory of 1816	1780	Odkjng32.exe	91
PID 1780 wrote to memory of 1816	1780	Odkjng32.exe	91
PID 1780 wrote to memory of 1816	1780	Odkjng32.exe	91
PID 1816 wrote to memory of 4916	1816	Oflgep32.exe	92
PID 1816 wrote to memory of 4916	1816	Oflgep32.exe	92
PID 1816 wrote to memory of 4916	1816	Oflgep32.exe	92
PID 4916 wrote to memory of 4120	4916	Ogkcpbam.exe	94
PID 4916 wrote to memory of 4120	4916	Ogkcpbam.exe	94
PID 4916 wrote to memory of 4120	4916	Ogkcpbam.exe	94
PID 4120 wrote to memory of 1064	4120	Olhlhjpd.exe	96
PID 4120 wrote to memory of 1064	4120	Olhlhjpd.exe	96
PID 4120 wrote to memory of 1064	4120	Olhlhjpd.exe	96
PID 1064 wrote to memory of 4564	1064	Ofqpqo32.exe	97
PID 1064 wrote to memory of 4564	1064	Ofqpqo32.exe	97
PID 1064 wrote to memory of 4564	1064	Ofqpqo32.exe	97
PID 4564 wrote to memory of 3528	4564	Ofcmfodb.exe	98
PID 4564 wrote to memory of 3528	4564	Ofcmfodb.exe	98
PID 4564 wrote to memory of 3528	4564	Ofcmfodb.exe	98
PID 3528 wrote to memory of 828	3528	Olmeci32.exe	99
PID 3528 wrote to memory of 828	3528	Olmeci32.exe	99
PID 3528 wrote to memory of 828	3528	Olmeci32.exe	99
PID 828 wrote to memory of 2136	828	Ofeilobp.exe	101
PID 828 wrote to memory of 2136	828	Ofeilobp.exe	101
PID 828 wrote to memory of 2136	828	Ofeilobp.exe	101
PID 2136 wrote to memory of 2468	2136	Pjcbbmif.exe	102
PID 2136 wrote to memory of 2468	2136	Pjcbbmif.exe	102
PID 2136 wrote to memory of 2468	2136	Pjcbbmif.exe	102
PID 2468 wrote to memory of 1552	2468	Pqmjog32.exe	103
PID 2468 wrote to memory of 1552	2468	Pqmjog32.exe	103
PID 2468 wrote to memory of 1552	2468	Pqmjog32.exe	103
PID 1552 wrote to memory of 3684	1552	Pggbkagp.exe	104
PID 1552 wrote to memory of 3684	1552	Pggbkagp.exe	104
PID 1552 wrote to memory of 3684	1552	Pggbkagp.exe	104
PID 3684 wrote to memory of 2380	3684	Pcncpbmd.exe	105
PID 3684 wrote to memory of 2380	3684	Pcncpbmd.exe	105
PID 3684 wrote to memory of 2380	3684	Pcncpbmd.exe	105
PID 2380 wrote to memory of 4668	2380	Pncgmkmj.exe	106
PID 2380 wrote to memory of 4668	2380	Pncgmkmj.exe	106
PID 2380 wrote to memory of 4668	2380	Pncgmkmj.exe	106
PID 4668 wrote to memory of 2196	4668	Pqbdjfln.exe	107
PID 4668 wrote to memory of 2196	4668	Pqbdjfln.exe	107
PID 4668 wrote to memory of 2196	4668	Pqbdjfln.exe	107
PID 2196 wrote to memory of 4648	2196	Qnhahj32.exe	108

C:\Users\Admin\AppData\Local\Temp\111118c66f96e3545a30c4c20683fd40N.exe
"C:\Users\Admin\AppData\Local\Temp\111118c66f96e3545a30c4c20683fd40N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Windows\SysWOW64\Nngokoej.exe
  C:\Windows\system32\Nngokoej.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Windows\SysWOW64\Nnjlpo32.exe
    C:\Windows\system32\Nnjlpo32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1348
  - - C:\Windows\SysWOW64\Neeqea32.exe
      C:\Windows\system32\Neeqea32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3864
    - - C:\Windows\SysWOW64\Ncianepl.exe
        
        C:\Windows\system32\Ncianepl.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3012
      - C:\Windows\SysWOW64\Nfgmjqop.exe
        
        C:\Windows\system32\Nfgmjqop.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\SysWOW64\Nnneknob.exe
        
        C:\Windows\system32\Nnneknob.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3768
        
        C:\Windows\SysWOW64\Odkjng32.exe
        
        C:\Windows\system32\Odkjng32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1780
        
        C:\Windows\SysWOW64\Oflgep32.exe
        
        C:\Windows\system32\Oflgep32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\SysWOW64\Ogkcpbam.exe
        
        C:\Windows\system32\Ogkcpbam.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\SysWOW64\Olhlhjpd.exe
        
        C:\Windows\system32\Olhlhjpd.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4120
        
        C:\Windows\SysWOW64\Ofqpqo32.exe
        
        C:\Windows\system32\Ofqpqo32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\Ofcmfodb.exe
        
        C:\Windows\system32\Ofcmfodb.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\SysWOW64\Olmeci32.exe
        
        C:\Windows\system32\Olmeci32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Windows\SysWOW64\Ofeilobp.exe
        
        C:\Windows\system32\Ofeilobp.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:828
        
        C:\Windows\SysWOW64\Pjcbbmif.exe
        
        C:\Windows\system32\Pjcbbmif.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\SysWOW64\Pqmjog32.exe
        
        C:\Windows\system32\Pqmjog32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\SysWOW64\Pggbkagp.exe
        
        C:\Windows\system32\Pggbkagp.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\SysWOW64\Pcncpbmd.exe
        
        C:\Windows\system32\Pcncpbmd.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3684
        
        C:\Windows\SysWOW64\Pncgmkmj.exe
        
        C:\Windows\system32\Pncgmkmj.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Pqbdjfln.exe
        
        C:\Windows\system32\Pqbdjfln.exe
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4668
        
        C:\Windows\SysWOW64\Qnhahj32.exe
        
        C:\Windows\system32\Qnhahj32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\SysWOW64\Qjoankoi.exe
        
        C:\Windows\system32\Qjoankoi.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4648
        
        C:\Windows\SysWOW64\Qgcbgo32.exe
        
        C:\Windows\system32\Qgcbgo32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4684
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1456
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2304
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1180
        
        C:\Windows\SysWOW64\Aabmqd32.exe
        
        C:\Windows\system32\Aabmqd32.exe
        29⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4664
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4244
        
        C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2352
        
        C:\Windows\SysWOW64\Accfbokl.exe
        
        C:\Windows\system32\Accfbokl.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2524
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3796
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2964
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4944
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2632
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4388
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2696
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1148
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4336
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4408
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4584
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3908
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2204
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4480
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3596
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3560
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4008
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4024
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3316
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2616
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 424
        64⤵
        Program crash
        
        PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2924 -ip 2924
1⤵
PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabmqd32.exe

Filesize
896KB

MD5
7587c0f4dbf8f89b09d22a0005352e25

SHA1
c9c98951e0d4a5a770fcfd8b2db4709c768a2cd7

SHA256
c641a65e9fd14a8e8552a48fa2d2b9c2f2adc166e0b49f3d05303a07eb19a71d

SHA512
3bfe87d46a17fe887f8a7db91ef45293389e7c2959d0de640d4c55bb65bbd1961751b4168a5b9dd314e37ac4341fa5205c5305897d364eebedc77170b78aacd6

Download Submit
C:\Windows\SysWOW64\Aadifclh.exe

Filesize
896KB

MD5
c7b143a3597f9757101e491f93c03056

SHA1
bcbce2888aae362d9144b0c5841a8d1ba228ccaf

SHA256
0aec1016d104a8f16de6bcd27fd9813d4b52c7b9e26e5c712eb07edafb9d5bf2

SHA512
84ad781aa93319248a1124d102744f30b1b01caa45912c3c21626e88261bee9a975007a3bfd72908acd884d9b728edad7ed0d50d4da724a8d63dcaab1169e9ed

Download Submit
C:\Windows\SysWOW64\Accfbokl.exe

Filesize
896KB

MD5
890fdb4c6e1b97477284c16998f80cee

SHA1
88c3e5f3bcc8582f8ffb7c2648eb2c62c54e98cb

SHA256
f69c42eb87f3472d9fc21a3a016c16eaf3dc4a8b9cd22bf42eadf8a3ad7fe38a

SHA512
5537ec8f56b5e50794cc7b0a1eef585a3756c007f88ad77a0dd88f8f0285b7ad09895fac9447e58d3d78c1d8fb668e6d59bd1dae7491c0af9a4637b1299fc083

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
896KB

MD5
43c25bd0f2a09fae4640b1b5e635502d

SHA1
1d91d793ec592e949646eca6f29aa0984c6c821f

SHA256
e2c15267f2fb5d5fca6ca1b28b4ba8a1e548f6c1564befdd4820561edc7bce87

SHA512
b045d6db27d01c9f4872bd62d7445ce39f67f7cf04f1e1f8b0398820767efe39d2912295eaade66484e9a4d86c1e8474591725df67b06b28d86614ed5cba9648

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
896KB

MD5
e5b2e74c3b3d2dcb1588c1436012b30c

SHA1
0729549c1d85c680a540158b04296bc0e41d8728

SHA256
3324e04e108e319866b280b523e1e3585dcfd28e25e0b96c8a5d62c8444fbd0f

SHA512
cbf75ee54eaa74ae2e4be35e2abdf0b0fe5fb3cbab36a3071bc14a36eb46dbb69871dead2897dea637788ff5633daf74a3fbb94b278ef6d2887cf567af505267

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
896KB

MD5
10f3c28a07715210ed9ac413e5a60330

SHA1
86fd04bd956edcb92a9832f2a035bb07853bf2d7

SHA256
1893d0af4bcd71e37c24959ffe3b56202110b3203f3fb1bd1d742f87f3c0a22d

SHA512
f96e829150ea6b1fa0f56da584006738e1c23144ecb7a2de2403694c51dec987eccf83afc1b77ac7e5029584603d686e2284cafbdab9ff7e17e84f272bbadfaf

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
896KB

MD5
b277fb0e2868d751160fb0a24b7bdff9

SHA1
17c7d99ecfe1da9849a86a1fd4179eca0885faa6

SHA256
a7af6a17980194ec1c6ad05fe93c95f803f97521493ab9a63c139a92fbce2901

SHA512
9c811a4c759072de0d1dd696e5b7c0044488a674bedceeb180c2e44f5a292eb63c21e9a3a6543ddf58838f134408a08ad98fc2f1796a64cde650d6814adb00c6

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
896KB

MD5
8b4dfe99334c2ddcca2d8993353a7dc4

SHA1
816308ea428b14964c615a5b286d7f301231621e

SHA256
9175cecc382c83dbd46a0212cdec4de4b94ebafdfe54d1b03b675875a83aba1f

SHA512
2ed6b79b3d69bca545272401267788e4c20f7aa56329ec1cbd38f6864f63c700b740c4c61cb8792f4906a314e311871def76b359a999d06569051295cd3578b5

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
896KB

MD5
5e3fa3b8b885804a9c2dd2039f8b2d27

SHA1
80f324e980ce2a38273fe3f0cd793ec256709b52

SHA256
6ed180550a8624967bbf6232c1f419336df8c03e78140019ca267920533a48b5

SHA512
bf0375b26d76fe86d518ee63feb8c98e256facd34e8786923ce59b8ce26d34afce92f6fb90396282d666579e3effac0dca6fb1c1dd2fc27da7f6286fe81cd5c9

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
896KB

MD5
c1f6c5eb2dcb19447d7372a8f49f2879

SHA1
c869331478cbe0ae60ee92c3b0c4615f93528147

SHA256
4d78ee61d4ffbcd10623ed5a3e52ae5029aa9e32c46fed438d273138f2304e66

SHA512
6b2d833210caed5c9c956cacfc0416f570907c11d21c26bbc6a9601a0fe9bb52951d14cc97768643999fcfff36cdaf7d7262bd783da7a1c6c11e4f57b67a1e1f

Download Submit
C:\Windows\SysWOW64\Cjbpaf32.exe

Filesize
896KB

MD5
1298c7f4bfa35e7cdc819e6695bd96f4

SHA1
ed73a655a2618140eb9185a825c221c0d96a6caf

SHA256
231684f77a1cc4531c5cb3b9586c675fa79ae6e2ae427a376f50bf3e7ea486d6

SHA512
589a636a6c6daa25fce6a25be97f623ae9c7f182cfe1e7debae334c670c525a50986f6bb50b6bc6990c4c56c6b80ab742b07724641456c1dd4c13a62a59dfd63

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
896KB

MD5
52fa00b2e33167f51d95526d5f4d2e28

SHA1
d17b488185c579d45ad8c79f81c55d967ffc3a03

SHA256
25c32d71a4d99d3358fda32392a2c1c419e2bb57614f76c6ee23dc5e5a3b5820

SHA512
c9151582c6c102ae6583eb762e9c57131a4f511faed875091aa647cf98db1b4fba00cc779fc4f7e6c3f24a5eeaa4b607ec251a183dcd0624b035383248d85419

Download Submit
C:\Windows\SysWOW64\Dodbbdbb.exe

Filesize
896KB

MD5
f8f6075f148fbecc81497db973ba06a0

SHA1
aae08695580f262ca828f0c56f9e0ea605b8c996

SHA256
38400a21ae85999c33b008419d16eb161f84925888a0beaf602060e72f3738be

SHA512
92fc6901d6d284c1b55acae33d330ee2183de4c33f2e626528650373ae34c64583b973977291abdd221549fc4e1e70ea453414fa701a0e7041e8f8e3a64f671a

Download Submit
C:\Windows\SysWOW64\Hjgaigfg.dll

Filesize
7KB

MD5
f335b58744357dbbdafe5514a0799ccf

SHA1
656c93f5ed8b40f8161543508122c0b025a7831a

SHA256
afc4f1014db2a545634833ea2642965e96f33840f2111d4afa39824a1395cda7

SHA512
a3e777aee8c4f8439f9f09f49fabe546ad6a0c8350e49822809e0cda40f90b385d3009172e8a6041fd8751863a6cee14aca8376c89d1ff234373ec4043355f96

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
64KB

MD5
89fa999684ce4ad062d71d4540b9a016

SHA1
66fafe4fbda175bb682d5fd97e57bdfa5e031b5b

SHA256
6383c7069e8b04bbe94cb32308088ea9091f5b75806f8751f0d92c3750f3436b

SHA512
1efefc3a9bfd992f63edfe9c969fe8cdc9f799933e7b6bf6e15e7a001c16d2258600852efc0a4cc9c7c1fe740e3eb6cfe408c71f34bb8c9d344122e153ae8bb2

Download Submit
C:\Windows\SysWOW64\Ncianepl.exe

Filesize
896KB

MD5
a13591054c72ae51a4749d39c996343d

SHA1
40f4b3c0da5cbbdc49964767b379a68cb90fe479

SHA256
19c8880ae2e116dbb097b48fd4504bb093f8506c1cccdedcd587544211d8fcd6

SHA512
da882e4513687369bb4f41f215d6dc4a1046a7ba00febc18eb8d9dba4ebabc751798ec559c7bf6f9c779919890f918740cf10d5bd3ed2a0600671172fa6d9c52

Download Submit
C:\Windows\SysWOW64\Neeqea32.exe

Filesize
896KB

MD5
08babe7ed692a1c430723b38d26e36d1

SHA1
89b5956d19b20c2b8c5a853904c11e59e33b0be2

SHA256
1cd8417509efc83e305d46a177642a335b1e134ccdd581646e162c19e139518d

SHA512
88664ec6cb7d9e148248dc995d371b143edb03d12478ea945ad0c7bf7b647a537799f447b9da89af1a903543ffe0aa5979ed156d365d2442a439fa7bb2c9fff7

Download Submit
C:\Windows\SysWOW64\Nfgmjqop.exe

Filesize
896KB

MD5
74770f90f45731036cf11bdd35b6985f

SHA1
b330cf2cc7e02b1222ee7bbf0f91aeeb89bb6aec

SHA256
c72d3a03e274e298f78e2e4bd45721d5bd622faffb84b695eae5cd365e0789c9

SHA512
4fe1e9d7de9e81c89f486bd2c1c6942949884225d72097cb1b8c31e28c58faf695195504f20aca2255b1c97e2e6a3833dc12f8acf34550a7e77c725bf8ca37d4

Download Submit
C:\Windows\SysWOW64\Nngokoej.exe

Filesize
896KB

MD5
74b03ad95664d60bdb2dd2499a8a4b70

SHA1
4701518c124cd043f15e3b391a56113aae19ffff

SHA256
7e3fea782e3373716157b31e1e6b8e5ef94c45c99f714b273fda2eb656cc9c8a

SHA512
6d465c4fc2c5fa2c614ba526414807afb04cd8737aaa26b06364989e36fa6d5986e380113416c241165bb9298bb251c24c6ea0e64426b01ee372f8b523ef3676

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
64KB

MD5
8a58d5275ddbfcd196547fa746b75aef

SHA1
d633c85de6aff9869b11bca988c65b2fa13a06a2

SHA256
1e795c6e4b66f954b28bf8913cba785ef5a5e87eb1b86f226e65e84f8a165433

SHA512
b71db6063ec5257359d6960b246ed37c0ccac64fa39fe4ddf16726eea73ee5ba79f9e9cef00f99aeec6dd8591883d05118c26d58e7461d63e5bc2739864887e4

Download Submit
C:\Windows\SysWOW64\Nnjlpo32.exe

Filesize
896KB

MD5
fbc5e63c9c675d8adcc980361a67f077

SHA1
f119bae9593025970006aae33eefeea6e3b59ad5

SHA256
38aed94b6e8e171696af6f499c4b19c2f1b799eae832d67eaee113d9622cc440

SHA512
bcb29b986aa32f70765e29071cce7c6b8e8f869c8a6cd02741e366d08e923838b63ba85ad44116cedff14fc1a11ec3713db1c1eb71002de296c0e7f71e560bf2

Download Submit
C:\Windows\SysWOW64\Nnneknob.exe

Filesize
896KB

MD5
c78c486685dd21cd5da35af82395b0e8

SHA1
701b079ecd5fc8ce96d5d72a8ddb727827c1f782

SHA256
5530d76174abdfc3e43aecb44ef4cc03f29e378940074e38ca5fc1e07d6bc8a2

SHA512
059f40fde3c83f1e2a7c2a76e740484752b684916e90d68364cb5f28b6030bc3ed803454e5ba59ac9afaee24b4595239667fda119251660b61a50fc31f51e2d7

Download Submit
C:\Windows\SysWOW64\Odkjng32.exe

Filesize
896KB

MD5
2712c4a20c470820dac551dac8f29b77

SHA1
33a525c9fded353b72615da3b6ea3bc7431ab6cb

SHA256
7e4e1ca03e5d56d612ff2652ad274c3db9ed8ae6a99d5215b160334a4b0b1e31

SHA512
1b2541094145e38b479e7d5b66fa064f33a70e9554a418a944ff0675c8ad5d08bff1e124847794cb6937c12a08219615f504d5551724d4ba348e4779a5b0f2ca

Download Submit
C:\Windows\SysWOW64\Ofcmfodb.exe

Filesize
896KB

MD5
0bcc6e58dd0390c95b8cfee2074370c9

SHA1
d5832578ee53f170b9e67a15691720d083213168

SHA256
371a6c0a2a714b56ec1c971049eeed5d0d4d2d4f7bd0939c89ab207e571ed1c2

SHA512
a25f3976a506c92619d918e28fd24a788db3974cae8a63736e9761930d38e70ff4d97c3ae1c53b46d0dca1933b6011f6179106a51d2dfd2e8b035d58431c225e

Download Submit
C:\Windows\SysWOW64\Ofeilobp.exe

Filesize
896KB

MD5
bbe2670e79500a6d436c2a09e10582d1

SHA1
8ce1a68a3379d92864372688e931a8722c1a252a

SHA256
e06bf3671abd3491e66775a163f93aabbc8413a72f43cbe72bb5a9171e6c0da3

SHA512
5de3a76010ce7bd1a58f5e53bd99647038ec467511c3e99fa89c95943bb235b1845ab245ee77a4bb6e9a870937dae82ca314b3a1dbc11653ebe4745a3733044d

Download Submit
C:\Windows\SysWOW64\Oflgep32.exe

Filesize
896KB

MD5
6fb3b757b8dcf7d7c0c95800c8cad04d

SHA1
2ed61341b14484a8abea825aea817b94c6a9ced4

SHA256
f89bb6aba4b2ad1c97e526af7199ee6994fccf3de9746f0dad48e8ceba51c044

SHA512
9fbb1e82d08bd51c59e6b3f1368af0913b367569573a034767954141cd9c9a792769e0aadcdd4f7241bfc62ccf64e57cf830fedac96e4cd878bb9bd1e8944eb4

Download Submit
C:\Windows\SysWOW64\Ofqpqo32.exe

Filesize
896KB

MD5
7d7fead49cd3453a8c230fff66eb3203

SHA1
a00b5848de94440e2791bba5b032c6ccebca24d9

SHA256
3b0a31179e050816aa787f781ec82831be791108242b29df523068078f48f487

SHA512
2651d7773277f01648af31bd5aba2d1bab24ade8a4572275b07a2392317e905f13a8e26d2cd80da99f234c8e6aa12dc9792fe7b97747e1bb01eaead90bcef2c5

Download Submit
C:\Windows\SysWOW64\Ogkcpbam.exe

Filesize
896KB

MD5
ba84def0228388b078b70f214b5e3184

SHA1
7b39a7da798d5b80bb68f9e478c14e2661efcba9

SHA256
4dd920ca2261527ac62a41949816177ca83e6d3388963404d71342d4a82b3382

SHA512
2598a7a15de476b2d0c859d62efe426584be0ba0b796f38a0966404adfa9f294585344602a6f88d0f51e8d5cb63949e6dfa30fb6cd02245f7e294ec8db0e09e9

Download Submit
C:\Windows\SysWOW64\Olhlhjpd.exe

Filesize
896KB

MD5
0ca796a82bd155f2f178206afc607d3d

SHA1
2d2d2c931d7b2f112bc7f1eb79202bb735fbd762

SHA256
f7912c0137662a6250e97d3a9331fa0057fc9066231ce7ef3159cb292a30b0c0

SHA512
8ef95df98fe4d63794516697bbc18ad9da9c1c32a2fca77e4fc7e32fcf3220898dae9d21b2169a9ec36cd77ef42bb0d50e154883fd998deec19e2a6e580cc524

Download Submit
C:\Windows\SysWOW64\Olmeci32.exe

Filesize
896KB

MD5
0c9026a3082e5f2315dc222fd94fd2c1

SHA1
9ccba31c3b2f635fd2fc7119315c4584eca8d514

SHA256
cb2ff982f058224c53e75f6a76fb4b9512866bd75f6fe8f98aab83c6d8994bd5

SHA512
3be8b452259ae9895580812ad918722d1405eb2d0dd8fd7d49846d46aa0135c4f529bf3adc2c55d1802f5ae00dc3a08f99c00a1cea38dff4d4cee69310cb022b

Download Submit
C:\Windows\SysWOW64\Pcncpbmd.exe

Filesize
896KB

MD5
b3001041322e4c9a8cfdd028a52c82b0

SHA1
68ea01123ca5f9dc28643bbe276a5bdcb77564dd

SHA256
9bf8ae6b96504d57d05cb28ee4317dad1d8e25cdec57bcddb392401c7949adc8

SHA512
37e4d7b7bb7a857a0108f1680a06acd7936637c3c4f3124c52032c5820047db1a5f6510e520ccc445506b0b4cb9fcd43e4330fba2fcb5f437287c51d4887efe0

Download Submit
C:\Windows\SysWOW64\Pggbkagp.exe

Filesize
896KB

MD5
12504fa86f2cf67820c486cd398bc05f

SHA1
e380f4d8fa8142c5fe9647bf5529da4388679aac

SHA256
7003d44efb01082a8df243fbb56aa4a98091c4b1d4bf0778345fa4d28f047ef5

SHA512
f2392e87439654081ff593d28a1847101225b419ba952286b968e1bed6e4211b99b10618004a9d3b84203c0a1d7a456a84e3477c358eb20acf7fc2622a378dfe

Download Submit
C:\Windows\SysWOW64\Pjcbbmif.exe

Filesize
896KB

MD5
e6c831b235ba7ed9b1108a237743f4c8

SHA1
19437f50eac885a64fed0666e0575ad498925045

SHA256
b601112b098333a25d8d822867031be3d8fa439e5b722f0f25bdfb1ac2130f9c

SHA512
32fb601311910234ba24193dc53c23b28548105ff2c22f06b897cc35a6486daae53eae96a3955255e76ce5c2d85ee160bcc4fbbc084724b2aa3d33153e924665

Download Submit
C:\Windows\SysWOW64\Pncgmkmj.exe

Filesize
896KB

MD5
543c3c2e8c786ff7053710b1c94abfed

SHA1
55f52c2e3142c3644f9122f4619c3adf4587a049

SHA256
f21ec6fb8c99f0b8ff8d277f5009569c20106fd33065cdb30101e2adf09bad5f

SHA512
e630289436b14c949fc562009fc577b45dcda46ee1d65e723caaa82c84081e8e566635cc9ca3560e4c71eb34c74fb4c10e07469187516c2807280419ca7f5da0

Download Submit
C:\Windows\SysWOW64\Pqbdjfln.exe

Filesize
896KB

MD5
190141e7059b014b01f994ab138f1913

SHA1
9900c03fc45880684789abbf8d5e7e1637b67833

SHA256
a2a8263542291ea94faa515b8cd50ee0698d8183535080fb43f26b5a5dc002f5

SHA512
314061df423512f7f99ee6c92ed047a84ac4191208b5ef87190df51969b438214d8bdf84dbdd594eec5320904855f0d995e321ecc2152c715ae5a00064748c34

Download Submit
C:\Windows\SysWOW64\Pqmjog32.exe

Filesize
896KB

MD5
c41e8fe6f82d34e3557947d8c0d06a0a

SHA1
a2e68c6fd5c1ac193616fe219532f89ba0c26b8f

SHA256
c1f9264020e329f8535e032fcadae2b8d5fa17e9977437b1324de72c095e9f9f

SHA512
f3caa053155e5852bab8703398cbd88bd0da3f305b94abaadebe04998aab3546e50b5f1ff331b2155dd8f7e127443007bb47e61cd802a861f0f14c20a85a3111

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
896KB

MD5
0e0c159593081c77638d48685458626d

SHA1
52881fa0d83e0a501160f2a410076cc10a5f0d3a

SHA256
dcc14280a5f4b11799080348671e09b6310004743a9594edadc73564c6459890

SHA512
3f00c29097be7a642797a79f8a3858a9db3900fae5a7a55754bcfbc97a5aff2e08761fe8dbf5428ef8a4a7ea665631f363903bc9c422fc99763e1f6b37665d76

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
896KB

MD5
580fc35dfe491827ecccef54d782de12

SHA1
37d9e4e629d0abb6c7f8418b81c5be1cd39a391b

SHA256
f1ae0af1e7dd506e052a966d5b71e52038a76095490466df123f3ff4641ecba7

SHA512
89f2d7c8069e153f817df89035a31490c07e0fb5a6e423da4722c760023d7e833468bb78405978f553992c75bb1f83a277b6448181dfc16385886b99ac9b202c

Download Submit
C:\Windows\SysWOW64\Qnhahj32.exe

Filesize
896KB

MD5
047da91d38e05628ee979d8d1d48b219

SHA1
bc1fcd7da94f29c7766d595bced1ae0c06eed462

SHA256
e46bea3942ceea467b294afe78ca178ddeb6b131777ed37a7b7d0c624109fe37

SHA512
4bcaa152e767436037f4763c518ab10dabe6509b0022546ec685b7d7853fc718f592a1f89920a51b0237e40117813a0b1b3c941b3daf3fd789b5c3460f579f7b

Download Submit
memory/828-111-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/860-485-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/860-292-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1064-87-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-481-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1148-304-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1180-215-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1348-16-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1456-191-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1520-8-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1552-136-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1780-56-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1804-40-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1816-64-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2136-119-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-452-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2188-394-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2196-167-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-460-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2204-370-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2248-0-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2304-199-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2352-240-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2352-501-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2380-152-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2456-477-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2456-316-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2468-133-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-499-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2524-248-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2616-440-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2616-430-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-280-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2632-489-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-483-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2696-298-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-274-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2920-491-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2924-436-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2924-439-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-262-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2964-495-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-328-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3004-473-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3012-36-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3316-443-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3316-424-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3528-103-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3560-454-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3560-388-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3596-456-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3596-382-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3684-144-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3768-47-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3796-497-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3796-256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3864-23-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3908-364-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/3908-462-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4008-450-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4008-400-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4024-418-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4024-445-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4120-79-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4244-503-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4244-232-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4280-207-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-322-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4336-475-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4388-286-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4388-487-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4396-448-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4396-406-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4408-346-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4408-467-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-469-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4412-340-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4420-471-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4420-334-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-376-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4480-458-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4504-310-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4504-479-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4564-95-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4584-463-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4584-358-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4648-175-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4664-223-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4668-159-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4684-183-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-446-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4796-412-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4916-72-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4944-268-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4944-493-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4956-465-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/4956-352-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads