8d52e06e3cd34a76cb4f0ab16404dcb6b9672df7dcd357af7bb1025017102a34

Analysis

max time kernel
104s
max time network
104s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 06:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

893ac6d148f9633f2df221e9aeff7890N.exe
Size

49KB
MD5

893ac6d148f9633f2df221e9aeff7890
SHA1

55e736865776bb36779d74986914eebcb21ac059
SHA256

8d52e06e3cd34a76cb4f0ab16404dcb6b9672df7dcd357af7bb1025017102a34
SHA512

2f75033f958f7bfb482fe9e46c87fe9bda6d513dea7f6c7a315834ccbd0a3a3552d1ec93272d6ed80186cbf5ccf4f3b3b119be9ba850064bbaec3c96d9388412
SSDEEP

768:EPS+qMSjTTxAjKokv6VISHL2LHoFWwST3wIjnMeIbdguyMmQn/1H5uL2Xdnh7:E6+0jTTx8KbSuSHsHoFwA3OuRmWY4l

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Agoabn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daconoae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	893ac6d148f9633f2df221e9aeff7890N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bagflcje.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcebhoii.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfpgffpm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cdhhdlid.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfdodjhm.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	893ac6d148f9633f2df221e9aeff7890N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe

Executes dropped EXE 59 IoCs

pid	Process
3988	Acqimo32.exe
3440	Aglemn32.exe
5016	Ajkaii32.exe
396	Aadifclh.exe
2948	Agoabn32.exe
828	Bjmnoi32.exe
3808	Bagflcje.exe
460	Bcebhoii.exe
2216	Bfdodjhm.exe
2832	Bmngqdpj.exe
2016	Beeoaapl.exe
4400	Bgcknmop.exe
2516	Bnmcjg32.exe
1516	Balpgb32.exe
2052	Bcjlcn32.exe
4072	Bjddphlq.exe
4584	Bnpppgdj.exe
432	Beihma32.exe
3216	Bhhdil32.exe
1756	Bjfaeh32.exe
364	Belebq32.exe
4504	Chjaol32.exe
3136	Cndikf32.exe
864	Cenahpha.exe
944	Cfpnph32.exe
692	Cnffqf32.exe
4376	Ceqnmpfo.exe
4876	Chokikeb.exe
3828	Cfbkeh32.exe
2292	Cmlcbbcj.exe
1828	Cagobalc.exe
3452	Cdfkolkf.exe
1504	Cfdhkhjj.exe
4080	Cjpckf32.exe
3480	Cmnpgb32.exe
2564	Cajlhqjp.exe
4764	Cdhhdlid.exe
5020	Cffdpghg.exe
1220	Cnnlaehj.exe
5044	Calhnpgn.exe
4476	Ddjejl32.exe
3068	Dfiafg32.exe
3256	Dopigd32.exe
536	Dmcibama.exe
548	Dejacond.exe
2468	Dhhnpjmh.exe
2748	Djgjlelk.exe
1200	Delnin32.exe
2808	Dhkjej32.exe
2196	Dfnjafap.exe
3652	Dmgbnq32.exe
5088	Daconoae.exe
3340	Ddakjkqi.exe
2700	Dfpgffpm.exe
1532	Dogogcpo.exe
3060	Daekdooc.exe
4880	Dddhpjof.exe
4912	Dknpmdfc.exe
4828	Dmllipeg.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Amjknl32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Bmngqdpj.exe	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Cfbkeh32.exe	Chokikeb.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Delnin32.exe	Djgjlelk.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Ihidlk32.dll	Bmngqdpj.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Bcebhoii.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Cnnlaehj.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Bcebhoii.exe	Bagflcje.exe
File created	C:\Windows\SysWOW64\Hjjdjk32.dll	Balpgb32.exe
File created	C:\Windows\SysWOW64\Belebq32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Ooojbbid.dll	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Iqjikg32.dll	Beihma32.exe
File created	C:\Windows\SysWOW64\Jfihel32.dll	Belebq32.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dogogcpo.exe	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Cdfkolkf.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Hhqeiena.dll	Bcjlcn32.exe
File opened for modification	C:\Windows\SysWOW64\Ceqnmpfo.exe	Cnffqf32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cndikf32.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Ceqnmpfo.exe
File opened for modification	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Dmgbnq32.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Bgcknmop.exe	Beeoaapl.exe
File opened for modification	C:\Windows\SysWOW64\Bhhdil32.exe	Beihma32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Dmcibama.exe	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File opened for modification	C:\Windows\SysWOW64\Bjmnoi32.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Abkobg32.dll	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Bmngqdpj.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Gmcfdb32.dll	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Acqimo32.exe
File opened for modification	C:\Windows\SysWOW64\Ajkaii32.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aadifclh.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Dfnjafap.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Nokpao32.dll	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	893ac6d148f9633f2df221e9aeff7890N.exe
File created	C:\Windows\SysWOW64\Dhhnpjmh.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Dfiafg32.exe	Ddjejl32.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Agoabn32.exe
File opened for modification	C:\Windows\SysWOW64\Bfdodjhm.exe	Bcebhoii.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cenahpha.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Chokikeb.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3668	4828	WerFault.exe	145

System Location Discovery: System Language Discovery 1 TTPs 60 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aadifclh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddjejl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcjlcn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfpgffpm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bagflcje.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddakjkqi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	893ac6d148f9633f2df221e9aeff7890N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bhhdil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjfaeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjdjk32.dll"	Balpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dmgbnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfpgffpm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqfhilhd.dll"	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akichh32.dll"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnieoofh.dll"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poahbe32.dll"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	893ac6d148f9633f2df221e9aeff7890N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfanhp32.dll"	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Echdno32.dll"	Cmlcbbcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchfiejc.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhqeiena.dll"	Bcjlcn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingfla32.dll"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Delnin32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll"	893ac6d148f9633f2df221e9aeff7890N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnpppgdj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aadifclh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bmngqdpj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Delnin32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1328 wrote to memory of 3988	1328	893ac6d148f9633f2df221e9aeff7890N.exe	84
PID 1328 wrote to memory of 3988	1328	893ac6d148f9633f2df221e9aeff7890N.exe	84
PID 1328 wrote to memory of 3988	1328	893ac6d148f9633f2df221e9aeff7890N.exe	84
PID 3988 wrote to memory of 3440	3988	Acqimo32.exe	85
PID 3988 wrote to memory of 3440	3988	Acqimo32.exe	85
PID 3988 wrote to memory of 3440	3988	Acqimo32.exe	85
PID 3440 wrote to memory of 5016	3440	Aglemn32.exe	86
PID 3440 wrote to memory of 5016	3440	Aglemn32.exe	86
PID 3440 wrote to memory of 5016	3440	Aglemn32.exe	86
PID 5016 wrote to memory of 396	5016	Ajkaii32.exe	87
PID 5016 wrote to memory of 396	5016	Ajkaii32.exe	87
PID 5016 wrote to memory of 396	5016	Ajkaii32.exe	87
PID 396 wrote to memory of 2948	396	Aadifclh.exe	88
PID 396 wrote to memory of 2948	396	Aadifclh.exe	88
PID 396 wrote to memory of 2948	396	Aadifclh.exe	88
PID 2948 wrote to memory of 828	2948	Agoabn32.exe	89
PID 2948 wrote to memory of 828	2948	Agoabn32.exe	89
PID 2948 wrote to memory of 828	2948	Agoabn32.exe	89
PID 828 wrote to memory of 3808	828	Bjmnoi32.exe	90
PID 828 wrote to memory of 3808	828	Bjmnoi32.exe	90
PID 828 wrote to memory of 3808	828	Bjmnoi32.exe	90
PID 3808 wrote to memory of 460	3808	Bagflcje.exe	91
PID 3808 wrote to memory of 460	3808	Bagflcje.exe	91
PID 3808 wrote to memory of 460	3808	Bagflcje.exe	91
PID 460 wrote to memory of 2216	460	Bcebhoii.exe	92
PID 460 wrote to memory of 2216	460	Bcebhoii.exe	92
PID 460 wrote to memory of 2216	460	Bcebhoii.exe	92
PID 2216 wrote to memory of 2832	2216	Bfdodjhm.exe	93
PID 2216 wrote to memory of 2832	2216	Bfdodjhm.exe	93
PID 2216 wrote to memory of 2832	2216	Bfdodjhm.exe	93
PID 2832 wrote to memory of 2016	2832	Bmngqdpj.exe	94
PID 2832 wrote to memory of 2016	2832	Bmngqdpj.exe	94
PID 2832 wrote to memory of 2016	2832	Bmngqdpj.exe	94
PID 2016 wrote to memory of 4400	2016	Beeoaapl.exe	95
PID 2016 wrote to memory of 4400	2016	Beeoaapl.exe	95
PID 2016 wrote to memory of 4400	2016	Beeoaapl.exe	95
PID 4400 wrote to memory of 2516	4400	Bgcknmop.exe	96
PID 4400 wrote to memory of 2516	4400	Bgcknmop.exe	96
PID 4400 wrote to memory of 2516	4400	Bgcknmop.exe	96
PID 2516 wrote to memory of 1516	2516	Bnmcjg32.exe	97
PID 2516 wrote to memory of 1516	2516	Bnmcjg32.exe	97
PID 2516 wrote to memory of 1516	2516	Bnmcjg32.exe	97
PID 1516 wrote to memory of 2052	1516	Balpgb32.exe	98
PID 1516 wrote to memory of 2052	1516	Balpgb32.exe	98
PID 1516 wrote to memory of 2052	1516	Balpgb32.exe	98
PID 2052 wrote to memory of 4072	2052	Bcjlcn32.exe	99
PID 2052 wrote to memory of 4072	2052	Bcjlcn32.exe	99
PID 2052 wrote to memory of 4072	2052	Bcjlcn32.exe	99
PID 4072 wrote to memory of 4584	4072	Bjddphlq.exe	100
PID 4072 wrote to memory of 4584	4072	Bjddphlq.exe	100
PID 4072 wrote to memory of 4584	4072	Bjddphlq.exe	100
PID 4584 wrote to memory of 432	4584	Bnpppgdj.exe	102
PID 4584 wrote to memory of 432	4584	Bnpppgdj.exe	102
PID 4584 wrote to memory of 432	4584	Bnpppgdj.exe	102
PID 432 wrote to memory of 3216	432	Beihma32.exe	103
PID 432 wrote to memory of 3216	432	Beihma32.exe	103
PID 432 wrote to memory of 3216	432	Beihma32.exe	103
PID 3216 wrote to memory of 1756	3216	Bhhdil32.exe	104
PID 3216 wrote to memory of 1756	3216	Bhhdil32.exe	104
PID 3216 wrote to memory of 1756	3216	Bhhdil32.exe	104
PID 1756 wrote to memory of 364	1756	Bjfaeh32.exe	105
PID 1756 wrote to memory of 364	1756	Bjfaeh32.exe	105
PID 1756 wrote to memory of 364	1756	Bjfaeh32.exe	105
PID 364 wrote to memory of 4504	364	Belebq32.exe	107

C:\Users\Admin\AppData\Local\Temp\893ac6d148f9633f2df221e9aeff7890N.exe
"C:\Users\Admin\AppData\Local\Temp\893ac6d148f9633f2df221e9aeff7890N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Windows\SysWOW64\Acqimo32.exe
  C:\Windows\system32\Acqimo32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3988
- - C:\Windows\SysWOW64\Aglemn32.exe
    C:\Windows\system32\Aglemn32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3440
  - - C:\Windows\SysWOW64\Ajkaii32.exe
      C:\Windows\system32\Ajkaii32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:5016
    - - C:\Windows\SysWOW64\Aadifclh.exe
        
        C:\Windows\system32\Aadifclh.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:396
      - C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:828
        
        C:\Windows\SysWOW64\Bagflcje.exe
        
        C:\Windows\system32\Bagflcje.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3808
        
        C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:460
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\SysWOW64\Bcjlcn32.exe
        
        C:\Windows\system32\Bcjlcn32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4072
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Windows\SysWOW64\Bhhdil32.exe
        
        C:\Windows\system32\Bhhdil32.exe
        20⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:364
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3136
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:944
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:692
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4876
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3828
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2292
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1828
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3452
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4080
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3480
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2564
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4764
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5020
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1220
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5044
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4476
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3068
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3256
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:548
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2748
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1200
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3652
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3340
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2700
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4828
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 396
        61⤵
        Program crash
        
        PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4828 -ip 4828
1⤵
PID:3980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aadifclh.exe

Filesize
49KB

MD5
eb769b4ea7aa5d35116925019a4d14a1

SHA1
79a8cff1501a9b94c13765474c0f6d6f068e8603

SHA256
db7365348aead72a09b20897fd2dc09fbdcd39d14543c960195e291ade1dfb09

SHA512
524ab586f2802b8dc88675ed73bd2541494939ebc689300664e4eb00634989cf945cf4c4d516e2d00ba44bf110760673396345c3385606a22878cf72c5004b2e

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
49KB

MD5
399c58374f78a21572458d500fdebbc5

SHA1
085b0cd5422187e1563096b60e671525510f4745

SHA256
643475e09b34b68e5f5d1d3a32f6a752102a5aaa7c3fb2dc995b852f0441ffe6

SHA512
8b94a824cb80495e61aea4b5c37db33345819080903066048e687f51351f5699b9ecefd32d4b093b1a9b4bbabc46f77bfc16f0c06c2ae7b897aece0fbac476ab

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
49KB

MD5
590ad15da10fa50f19cbbfc47fe63f62

SHA1
a9f540b3f611cded1e830bf28879b502df4a0806

SHA256
03e4dd4c0f1cad867a6f472c810c5c75d88332366c506b3b0892f3f9f0432af3

SHA512
be568e0a0163c9a2bdefe1fa92c0f1999039d9e85deddbe87d9637d70b2d239acb446b9e9dbd177fa1db7e74544ae74a2fb5e27b2b368acd5adbef267aab6a55

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
49KB

MD5
79efb4d4076b79b5c821ee91df947b1c

SHA1
f81f88c2d220f19f02f1840222e7d610c2e2f156

SHA256
fe02f1f4f4974e74a5551af0553fc211dcfe7528472fdb6fc0f4d8595f093e32

SHA512
5f9f1135b3470910684f3d1dc8b823b29efea2c6df025afbceb019e0132c93cee99ec516ca310ef791d41a827cbd0477f76ed13e39ad4cc048bd4784dcdb760d

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
49KB

MD5
7b6d2fef70ab591acc9330b428af6d51

SHA1
14ecbf4c10a6d9ab963506e3a919f461f8cacdf3

SHA256
f75ac04093e0c40178c1d65ea9f76f01c1d87aea39b545f878286672ca779cbf

SHA512
48693bfe8ea328ea1133894581bf50d7f1b8ed928e1b4c8d5b3afebb1268c8ea19430175adfbbd0c0252abf267d4621d111d288a2092ef27f9b58e57dc6ce853

Download Submit
C:\Windows\SysWOW64\Bagflcje.exe

Filesize
49KB

MD5
14a7e651bd2d7aa1ae23f4e6c4000fb7

SHA1
f5f704a0bf75009c2f5f0887434550e0c0f7ecc9

SHA256
fa80ba961b50ff82435531b8940a6d582ed595e9880098587ab16bbd2af71c19

SHA512
1b272bac6df9d0f63b0261228a8d313d313157f27a71d9dbbfa5c0f857599764a970ce92338665d53a7c4953912db9a227f95b28ab1b48adb09b129ba00ff012

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
49KB

MD5
671a925da59fc580a95a75d0585d5887

SHA1
34fa2b76839674246f069c1e55bce39d36c9a902

SHA256
82d53f089d7fc2c207fa6a0ebb90ffe582f4e21597f09e3d110acb0bee5d733f

SHA512
2599e7ac46fa362c331b4b4ba10e77ec6c2bcee772f77430a6b009a42d927e832a82a52305fdbeb117d5f9c76ce04bf51f58d4bc792477e2849d6f368d0aa8fd

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
49KB

MD5
572c1ffebd715a50e50ecd428eaf2e26

SHA1
c1194d132ae1b3466364e4adf87c2531ecca259a

SHA256
26b7136b658962002369fb762deca32685f4418696a737c51ac05480defaf15f

SHA512
c98fe5dc8eee5b788f9783e5e33f4e4e9c7923a56644d927c946459269d1d2409679be2330a079012e8608a2da055afb5ae2d016d51c9bc7619500facc664299

Download Submit
C:\Windows\SysWOW64\Bcjlcn32.exe

Filesize
49KB

MD5
4714f1503aeba9900e86daeee648b58c

SHA1
30a85e4d5aa1be5af7b29e02ec29b9d5e7fe709a

SHA256
4c6c8cb4867f942b172da273bab431f6f370b2384958a64c5bb7e00eb386c90a

SHA512
ec1586c0891a1245648a1ae13231c85408086badcdec1810252289d6a6d08fae455100fb77be93abd26377f234b2fb80eafbc14c3cbfc8ecb6da83c2656ef9a4

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
49KB

MD5
ef7d3cece84e8b75f43f56c1abf58419

SHA1
b78a668f18afb04a2fd3c2651592c79055de4184

SHA256
d9b0407a7adb45cce5e96e681ab6728e88f4d6210bef0cc3ef3655699cd77242

SHA512
d3e59ba48f087e4bd14f95e8618bdc9ef3df290baf6ebfb5bbd94607c1e8f400032ce16ed99ae59f1f911330b8e42bd8651055e3660fafddcfeeb9466d764205

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
49KB

MD5
13d91f9daecfc6f6d9256b7711c757a7

SHA1
2796c5f3ada56ad9dc3c2eacaadaafe358b66d30

SHA256
efd482eaef356cab1fddc383a4e91750bc1a2643c3a761a8425f51576ce6d8cf

SHA512
008530fb04a9bc50caca9ff56716c3edad1e8619e049b33a1279bcdc4b6079a6c4dbc7050bbcf9b37d05187c42e79869a5d4d1e6683bb2e9ff0d61ece0fbbdfe

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
49KB

MD5
118ff37d22d87628bb6c60d7d0e6615c

SHA1
629874481907ebf98ec1eef7f7f88d9f72fb9ee2

SHA256
dfe2f96fa02a6a15950e964a2274fe9f7305daecf4848deaf27ed3363f8ce70b

SHA512
1b4ae790906cc922933abb332aca9ce1f14f982de5019b4d5eb7c748958806c8963eac9a5ba4408e1ec50cbb28d6f17f9847599b59c6f3badb6d504e54bb1036

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
49KB

MD5
cc3862af775305084dad3e0719365f95

SHA1
8da1d896fe2104496c23b0cd604a1e22d4b76e5d

SHA256
e3d8b2de5e662310571d0373a5194584d9e0fbbc5172c049656eb7b0664902d3

SHA512
64ca398975c7312d01a177eb0216ffe056c76b02e04b49382abbec5ff46f5437cdd4b7f062b0f203ceeedb527c47301be7f3b39e89ab7ed0764fe8243aa2d108

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
49KB

MD5
cc174b454a9c505b3eaaa64c50da80e8

SHA1
846b9d6758e5d529f73148c5fc91ca83b2762e8c

SHA256
a3871db3b51f65bb1182bb06d7377eac12965af77620787f98b99db7130d7730

SHA512
250d96bc1244d4760f93ca736dc699a4c9d3e9385ca1f23c8178511f8aa43c08a1e2d5e608e2d812b8b4c09f17c5545dfb6eb8b83db9c1368b98bd48a27cb00b

Download Submit
C:\Windows\SysWOW64\Bhhdil32.exe

Filesize
49KB

MD5
67e9128bb2eae7445f7b4e961c324d54

SHA1
9943467cdd5a5a2238e55db3098b4243c9980dfd

SHA256
b46a0ed5c8348e19825f2eb4b8a2d98503550fd24c34dfba54ed4b27e8f0ce1b

SHA512
6af17e2992b3a9d071e71961ecad31ce5addccde49aa92807bccb0642378704fa8c445d947ed83c0533e5a427b460fa93a1e8bf598429a8cd6d0cf0803079ed9

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
49KB

MD5
0d1b89ac8a41f7c52e715d97579fa920

SHA1
8485e320dffabfd8951e0c2cc8fa9ff55f158468

SHA256
3286d250eeea98baae1b25b89a846909ab683e882557a21df4dd967c01407a40

SHA512
c3bae28f758e0f9d453889a3aafd3be70ac3b9e9b4a697e85158e20c79ae8c991356e050af4ddf140c9d54297157ab102d67b3a3de690207a34995f1faced771

Download Submit
C:\Windows\SysWOW64\Bjfaeh32.exe

Filesize
49KB

MD5
e5ef93606fc8a3bbc197240e9af35b60

SHA1
919783f3e2e375ba3e127dd079165ca2153a3c67

SHA256
b9e72051ac8e275e29feb72a032c3d2299e6348b059133cef7a51127364c08df

SHA512
a711fb3047ff354bdcbf5e0cf676e1b263eeb4635f74361edf5917abc1a4a7ac87e04ba6102ace6cf2b11f47d29146ad002f58b336768ce88a26b264c99dba2a

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
49KB

MD5
ac9cc726bcab8a57315e08ac13642eaa

SHA1
a81c3d45328440a601b1f053b557529f7a73c38f

SHA256
8d5934c9e76482aad10849d2514935a217192cce8fecf99eff69531a27f74ade

SHA512
23c1faead65b62559b1a6ff2139c3a1ebbb8f80123c2f87abc5eddce76203af89d7fb1dfb032d60d297cc2c4f95f92bd6e5f64309719350c8da18ff8c7905a15

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
49KB

MD5
eabc0896395a75b044fbc21b7ec9a398

SHA1
d63f361c251941e23a683f0b154a66f51ede1464

SHA256
312bfdc7660dc42997ecf65ae2fa0bff0d0d7fadab1019b3ca14ba46b41439a3

SHA512
3fa1af94cf0a89f3b08e23ba3c412da5b324dec6a8f839cd971a598468ae93c379f45943c4f523d410d5000fb9e15398d51b915bd826a6aa0bbef1d8f254a7db

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
49KB

MD5
819c763345dbc6c367d4ea45bba5a970

SHA1
879fdf3f451f3be5acc3df8092fda8faee1665db

SHA256
f9886118119b8cb8b68c6a2f899ede4ce47de432914b4d0d915b7788d9f23996

SHA512
717506c3db17f68d52d268d5470ab42704d87874749b6b10ea4e5923e90a8ccbf34b98ca1dad8be9316d7e78a2b3aa9b59f870d26676988f861aba8397b19b96

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
49KB

MD5
3b13a1d5aa44a9b35fee7cc6dd97e62e

SHA1
a006e9e94b541a52f2b8ded667717d1b1038f402

SHA256
db98c2a0379930b0ead3d2d9d073c876355746e0e70bfc2a0b512c6dffb059f1

SHA512
3eb6ed9ff7630493dd6882deda0acd4d0d54b04da2e78906ebea51111ad685e94673bfad220a4c101ef16c87797572516a3480a239a7b28cff89d1bae0ec2547

Download Submit
C:\Windows\SysWOW64\Cagobalc.exe

Filesize
49KB

MD5
2b80d186b1f19fb821cc8de40691dbf1

SHA1
9237c3a966076221c86fc5a9e4c8aa096b47a0a7

SHA256
86b0251e4039a6232c33efe13037edfb01e4eb080f19632432703771a25ce360

SHA512
144dd9017a64b1c44fab03a64e8db056d33fa7f1ab78b32932b363fd1b7314a854e9ec1c21aba948e4c83042bf9f7f2a6dd3bbe387fbfb2f123be729423a281d

Download Submit
C:\Windows\SysWOW64\Cdfkolkf.exe

Filesize
49KB

MD5
2415b1ffca2d25251e2bdf4d42030430

SHA1
6569dda7d9f95511cc6d2a7fe49c573848603bda

SHA256
abd62560af522e019db071f89dde72cb163937170aeab0a5cf3c448432729311

SHA512
0dd2757c45d8b68a62b90264f49df52a2e9b3fbecb7cdd6e0d47d27a7c1fe142fcf9d7ef8e14750141d9c8c6e98735ece20ae870f4f591611dad3b48cb8a60d2

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
49KB

MD5
0f0a77d24a36a4091e93ed39a0916ed6

SHA1
ad52a8fa04e63c9501f1c12e9e3ea16f57b3181d

SHA256
fce2bc7f9a99163b0d90925bff2625537b959299f4b863e4b32e30d738bdc010

SHA512
0cf781c7a59ba0957f756d8519422aaec61ddf7c69fa77d9aab0c099bd2d55f1b91f015823b346b774ed64a5b377f880c9f5f7b128bd07572e35a56ba9d5883c

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
49KB

MD5
eedb4224104a684bd046ace1b9b18ee3

SHA1
f5d899ba81f8870602ab885e14449aba9a6d55c7

SHA256
116fa6002063b4caba8d38e528d1eab02f207a307b87eb53c89d24dc6eb5828d

SHA512
d7f989f3fcc3131cd2c0acd145c79c8a6d1f8a0ee71b1c93611e6bf9b6dff3f2015c088d62c2578029f02e3c77247166169a7bb68976d49f22cd64d8ff76fe09

Download Submit
C:\Windows\SysWOW64\Cfbkeh32.exe

Filesize
49KB

MD5
0bcb6b9084b6335079251359dd5efe54

SHA1
eea94e6fc3d6022b0f4aeb04ce8a69462f1957e4

SHA256
72a163eee251b208007b4bc4f2032c7f14e4e879d548bd951de5e3c2234c51bf

SHA512
05c3d749a4d7431e669e1b142c56c36c654e409aba428c8d2d6f58b0ca03298edaf9f663499a91bde830cd1c973c8dc53eafa575a2b20b40c1a104941db0d439

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
49KB

MD5
3d5651033f475ea67a4cff2ad37027d2

SHA1
3347c4c879c18c63cb8405793a2b00fb676c36b2

SHA256
fc5d44a83ba0209a4acb051f2d4242a9e17acc305d9a8c4b283deb127e03399d

SHA512
adae55b2d6609a56a2da5ce0024395294f1e02165173026bc4ea020ad55472eaff1001b23c495aa155f4e6392185009a9f25b16b3c42a20ada77f83db0a2ef8c

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
49KB

MD5
7e83d8265b64d2fd93b35d1f4ec220d5

SHA1
0c27651108a0f6a0d8b8f534c56086aef25fcd03

SHA256
b2f48e2903d5351aacb2879e285067afed6b56af5905267cf4d170a2990fb490

SHA512
db16dac351df2649e8301c1daa1c0c497c00f05dbeedad222ac51cfb04351f36668b92f320dfe966201e0be40de0fe4ee208fc975d6fd01098f4dd4f28d57b3c

Download Submit
C:\Windows\SysWOW64\Chokikeb.exe

Filesize
49KB

MD5
89abc12a9a8a033aa50e7bedb7908994

SHA1
229181c6089399f081f56730e1f3e46090d7cd10

SHA256
63892ee07edd502b27a937bc09f86652cf5f7e9cd40095d05f6182db6ab53eb4

SHA512
f9084b4021c4df9f1f758e0998fa57717fc0d1930d3a9076b42e9bbf2e069ad2342bff3ac095c949e360b6c2b1f2bd30ded4fecb6640557eac2979203ba34312

Download Submit
C:\Windows\SysWOW64\Cmlcbbcj.exe

Filesize
49KB

MD5
dd10e7124accb80a4d9ffd4c9a9073d1

SHA1
8f09e00d14ad3e74516da1f2b6b9d98b955abef0

SHA256
f588189ce7460bab26f82a18a6a0d62f89e258ec0bb233fad2cc2581c8644db0

SHA512
67955820fb036bac89366b52bdadca63f2a720f5f9382994603eff9ea9796f4749d4fd27b5bae127626041eb10eb11696262489fd0983f54fa95c68a813732f4

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
49KB

MD5
c21cfa3ead7a4f6d6a66caea3a5922b6

SHA1
7a30164140b129f11850d5bf9948d09467101c33

SHA256
15a541902bdba5e6bfe666a893f31c482294b0ad83d77966179693eda34fe4f4

SHA512
eef691724c3547bda277d99cc6fff4b1e11bef82936fa13ff1bb6013712531000325bdf18aad7caf51116a3a1e2356a64c767812efdfe4243023f2cf83b784b5

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
49KB

MD5
3ab4b5f370f92cc3ffdc150fd41f2eec

SHA1
b8376a668200238d85e471a2c64eed65a3241395

SHA256
57fe9daf300cccb56f572e0783b16296580fe167330c09498940aef4a4c8f906

SHA512
316e8c2fb94e169caeac157287fe99ac0b67addd9a4064603908f3fb280579a5589dea88bb583b8327ba55dceeff18404c1be871990086b7ccd4ba37df622ced

Download Submit
C:\Windows\SysWOW64\Dddhpjof.exe

Filesize
49KB

MD5
c20fd27a4d79490687ea78ae555d135e

SHA1
fc81452f6ca03fc0d853198b35cb68163e629c8f

SHA256
d746b7163fafad943098bf912ef55f563ddb289f6856face0ac0ce479a4b8532

SHA512
5fd97288771bb7738fe039087254e1ddef55d8c909988bfeec8340abe60bb28de65a47915af2099e055a21de75279f923c9ed199d3463ce6fc747f233d568afb

Download Submit
memory/364-493-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/364-168-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/396-32-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/432-144-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/460-64-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/536-448-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/536-329-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/548-446-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/548-335-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/692-483-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/692-208-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/828-48-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/864-487-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/864-193-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/944-201-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/944-485-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1200-353-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1200-440-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1220-458-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1220-299-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1328-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1328-1-0x000000000042F000-0x0000000000430000-memory.dmp

Filesize
4KB

Download
memory/1504-263-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1504-470-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1516-112-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1532-395-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1532-428-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1756-160-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1828-249-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1828-474-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2016-88-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2052-120-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2196-437-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2196-365-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2216-72-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2292-245-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2468-341-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2468-444-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2516-105-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2564-464-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2564-281-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2700-430-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2700-389-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2748-442-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2748-347-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2808-364-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2832-80-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2948-40-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3060-427-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3060-401-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3068-317-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3068-452-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3136-184-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3136-489-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3216-153-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3256-323-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3256-450-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3340-432-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3340-383-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3440-16-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3452-257-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3452-472-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3480-466-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3480-278-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3652-375-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3652-435-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3808-56-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3808-520-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3828-477-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3828-232-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3988-9-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4072-129-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4080-468-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4080-269-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4376-481-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4376-217-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4400-96-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4476-311-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4476-454-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4504-491-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4504-176-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4584-136-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4764-287-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4764-462-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4828-419-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4828-420-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4876-479-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4876-225-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4880-424-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4880-407-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4912-422-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4912-413-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5016-24-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5020-460-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5020-293-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5044-456-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5044-305-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5088-434-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5088-377-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads