6cd689367e1fc43bd820ade12e9153ed26ad293c67e759574c91f90c578ff931

Analysis

max time kernel
94s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2024, 10:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bc27329f93d7543613c1cc1045403f0N.exe
Size

256KB
MD5

1bc27329f93d7543613c1cc1045403f0
SHA1

c3568ec6cb23000cfb9cdc3e294241e8a058de03
SHA256

6cd689367e1fc43bd820ade12e9153ed26ad293c67e759574c91f90c578ff931
SHA512

c6bbdf4b9c7b656aef44aba29a23152e0cb18dd02b94f53a73a117ecb19145fae855cb355c4df7ebc8ec2726b19bd1141c6fe70c5343b022e515fff778c36e56
SSDEEP

6144:TcC+UEstRLti4rQD85k/hQO+zrWnAdqjeOpKfduBU:FEsfLdrQg5W/+zrWAI5KFuU

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dopigd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aglemn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnhjohkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnicfe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Deagdn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Doilmc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bcebhoii.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cndikf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ceqnmpfo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	1bc27329f93d7543613c1cc1045403f0N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddjejl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dddhpjof.exe

Executes dropped EXE 64 IoCs

pid	Process
60	Aglemn32.exe
3164	Aminee32.exe
1896	Bjmnoi32.exe
4020	Bnhjohkb.exe
5068	Bcebhoii.exe
4472	Bnkgeg32.exe
924	Baicac32.exe
2612	Bchomn32.exe
2052	Bjagjhnc.exe
4448	Balpgb32.exe
1768	Bgehcmmm.exe
4504	Bjddphlq.exe
536	Bnpppgdj.exe
1172	Banllbdn.exe
3900	Bclhhnca.exe
2672	Bfkedibe.exe
1480	Bnbmefbg.exe
1356	Bapiabak.exe
4268	Bcoenmao.exe
716	Chjaol32.exe
5084	Cjinkg32.exe
3104	Cndikf32.exe
2380	Cmgjgcgo.exe
1004	Cabfga32.exe
4900	Cenahpha.exe
4116	Cdabcm32.exe
4404	Chmndlge.exe
4872	Cjkjpgfi.exe
1884	Cnffqf32.exe
1128	Cmiflbel.exe
2084	Caebma32.exe
1068	Ceqnmpfo.exe
2808	Cdcoim32.exe
3504	Cfbkeh32.exe
1216	Cnicfe32.exe
4292	Cmlcbbcj.exe
3560	Cagobalc.exe
3780	Ceckcp32.exe
3400	Chagok32.exe
4340	Cfdhkhjj.exe
1940	Cjpckf32.exe
4516	Cnkplejl.exe
2176	Cmnpgb32.exe
524	Cajlhqjp.exe
1344	Cdhhdlid.exe
4156	Cffdpghg.exe
4040	Cjbpaf32.exe
4376	Cnnlaehj.exe
3256	Cmqmma32.exe
2116	Cegdnopg.exe
3660	Ddjejl32.exe
3024	Dhfajjoj.exe
2032	Djdmffnn.exe
3968	Dopigd32.exe
2096	Dmcibama.exe
864	Dejacond.exe
3388	Ddmaok32.exe
2440	Dhhnpjmh.exe
2908	Djgjlelk.exe
732	Dobfld32.exe
3204	Dmefhako.exe
1272	Delnin32.exe
592	Ddonekbl.exe
4788	Dhkjej32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Dobfld32.exe
File opened for modification	C:\Windows\SysWOW64\Cndikf32.exe	Cjinkg32.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cdabcm32.exe
File opened for modification	C:\Windows\SysWOW64\Cjbpaf32.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Dhfajjoj.exe	Ddjejl32.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Bcoenmao.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Jcbdhp32.dll	Dfpgffpm.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Aglemn32.exe
File opened for modification	C:\Windows\SysWOW64\Cdabcm32.exe	Cenahpha.exe
File created	C:\Windows\SysWOW64\Pjngmo32.dll	Cjpckf32.exe
File opened for modification	C:\Windows\SysWOW64\Dejacond.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dmjocp32.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File opened for modification	C:\Windows\SysWOW64\Bjagjhnc.exe	Bchomn32.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Ddjejl32.exe	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dmgbnq32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cnicfe32.exe
File created	C:\Windows\SysWOW64\Kmfjodai.dll	Dopigd32.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Dhkjej32.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Deagdn32.exe
File created	C:\Windows\SysWOW64\Ogfilp32.dll	Chjaol32.exe
File created	C:\Windows\SysWOW64\Lfjhbihm.dll	Cjkjpgfi.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Cdhhdlid.exe
File created	C:\Windows\SysWOW64\Deagdn32.exe	Dmjocp32.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Chagok32.exe
File opened for modification	C:\Windows\SysWOW64\Ceckcp32.exe	Cagobalc.exe
File created	C:\Windows\SysWOW64\Cjpckf32.exe	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Chagok32.exe	Ceckcp32.exe
File created	C:\Windows\SysWOW64\Hfanhp32.dll	Cegdnopg.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Dddhpjof.exe
File created	C:\Windows\SysWOW64\Ingfla32.dll	Cjbpaf32.exe
File created	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Dfpgffpm.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Dddhpjof.exe
File opened for modification	C:\Windows\SysWOW64\Aglemn32.exe	1bc27329f93d7543613c1cc1045403f0N.exe
File created	C:\Windows\SysWOW64\Bcoenmao.exe	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Cdhhdlid.exe	Cajlhqjp.exe
File opened for modification	C:\Windows\SysWOW64\Doilmc32.exe	Dgbdlf32.exe
File created	C:\Windows\SysWOW64\Pmgmnjcj.dll	Bcebhoii.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Echdno32.dll	Cmlcbbcj.exe
File opened for modification	C:\Windows\SysWOW64\Delnin32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Dmgbnq32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Dkkcge32.exe	Dfpgffpm.exe
File opened for modification	C:\Windows\SysWOW64\Dgbdlf32.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Ghekjiam.dll	Cdcoim32.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmnpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Dejacond.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Doilmc32.exe
File opened for modification	C:\Windows\SysWOW64\Bjddphlq.exe	Bgehcmmm.exe
File created	C:\Windows\SysWOW64\Cacamdcd.dll	Cfdhkhjj.exe
File created	C:\Windows\SysWOW64\Daconoae.exe	Dmgbnq32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Omocan32.dll	Chmndlge.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Cnicfe32.exe	Cfbkeh32.exe
File created	C:\Windows\SysWOW64\Cagobalc.exe	Cmlcbbcj.exe

Program crash 1 IoCs

pid	pid_target	Process
5484	5396	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dkkcge32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmgbnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfnjafap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doilmc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1bc27329f93d7543613c1cc1045403f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceqnmpfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhhdlid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjbpaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bchomn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chagok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deagdn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcebhoii.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgilhm32.dll"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmgbnq32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnicfe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbffb32.dll"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjbpaf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgehcmmm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beeppfin.dll"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdaoioe.dll"	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjinkg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cndikf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjccj32.dll"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kngpec32.dll"	Doilmc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdabcm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djgjlelk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omocan32.dll"	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbpbca32.dll"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cjkjpgfi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Deagdn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elkadb32.dll"	Dddhpjof.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnjaqjfh.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dopigd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoglcqao.dll"	Cdabcm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiakn32.dll"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndkqipob.dll"	Cmgjgcgo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cacamdcd.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Doilmc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogfilp32.dll"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdcoim32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okgoadbf.dll"	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjald32.dll"	Dejacond.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddmaok32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dfnjafap.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidnp32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Chagok32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cnkplejl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ddakjkqi.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 60	2540	1bc27329f93d7543613c1cc1045403f0N.exe	83
PID 2540 wrote to memory of 60	2540	1bc27329f93d7543613c1cc1045403f0N.exe	83
PID 2540 wrote to memory of 60	2540	1bc27329f93d7543613c1cc1045403f0N.exe	83
PID 60 wrote to memory of 3164	60	Aglemn32.exe	85
PID 60 wrote to memory of 3164	60	Aglemn32.exe	85
PID 60 wrote to memory of 3164	60	Aglemn32.exe	85
PID 3164 wrote to memory of 1896	3164	Aminee32.exe	86
PID 3164 wrote to memory of 1896	3164	Aminee32.exe	86
PID 3164 wrote to memory of 1896	3164	Aminee32.exe	86
PID 1896 wrote to memory of 4020	1896	Bjmnoi32.exe	87
PID 1896 wrote to memory of 4020	1896	Bjmnoi32.exe	87
PID 1896 wrote to memory of 4020	1896	Bjmnoi32.exe	87
PID 4020 wrote to memory of 5068	4020	Bnhjohkb.exe	89
PID 4020 wrote to memory of 5068	4020	Bnhjohkb.exe	89
PID 4020 wrote to memory of 5068	4020	Bnhjohkb.exe	89
PID 5068 wrote to memory of 4472	5068	Bcebhoii.exe	90
PID 5068 wrote to memory of 4472	5068	Bcebhoii.exe	90
PID 5068 wrote to memory of 4472	5068	Bcebhoii.exe	90
PID 4472 wrote to memory of 924	4472	Bnkgeg32.exe	91
PID 4472 wrote to memory of 924	4472	Bnkgeg32.exe	91
PID 4472 wrote to memory of 924	4472	Bnkgeg32.exe	91
PID 924 wrote to memory of 2612	924	Baicac32.exe	92
PID 924 wrote to memory of 2612	924	Baicac32.exe	92
PID 924 wrote to memory of 2612	924	Baicac32.exe	92
PID 2612 wrote to memory of 2052	2612	Bchomn32.exe	95
PID 2612 wrote to memory of 2052	2612	Bchomn32.exe	95
PID 2612 wrote to memory of 2052	2612	Bchomn32.exe	95
PID 2052 wrote to memory of 4448	2052	Bjagjhnc.exe	96
PID 2052 wrote to memory of 4448	2052	Bjagjhnc.exe	96
PID 2052 wrote to memory of 4448	2052	Bjagjhnc.exe	96
PID 4448 wrote to memory of 1768	4448	Balpgb32.exe	97
PID 4448 wrote to memory of 1768	4448	Balpgb32.exe	97
PID 4448 wrote to memory of 1768	4448	Balpgb32.exe	97
PID 1768 wrote to memory of 4504	1768	Bgehcmmm.exe	98
PID 1768 wrote to memory of 4504	1768	Bgehcmmm.exe	98
PID 1768 wrote to memory of 4504	1768	Bgehcmmm.exe	98
PID 4504 wrote to memory of 536	4504	Bjddphlq.exe	99
PID 4504 wrote to memory of 536	4504	Bjddphlq.exe	99
PID 4504 wrote to memory of 536	4504	Bjddphlq.exe	99
PID 536 wrote to memory of 1172	536	Bnpppgdj.exe	100
PID 536 wrote to memory of 1172	536	Bnpppgdj.exe	100
PID 536 wrote to memory of 1172	536	Bnpppgdj.exe	100
PID 1172 wrote to memory of 3900	1172	Banllbdn.exe	101
PID 1172 wrote to memory of 3900	1172	Banllbdn.exe	101
PID 1172 wrote to memory of 3900	1172	Banllbdn.exe	101
PID 3900 wrote to memory of 2672	3900	Bclhhnca.exe	102
PID 3900 wrote to memory of 2672	3900	Bclhhnca.exe	102
PID 3900 wrote to memory of 2672	3900	Bclhhnca.exe	102
PID 2672 wrote to memory of 1480	2672	Bfkedibe.exe	103
PID 2672 wrote to memory of 1480	2672	Bfkedibe.exe	103
PID 2672 wrote to memory of 1480	2672	Bfkedibe.exe	103
PID 1480 wrote to memory of 1356	1480	Bnbmefbg.exe	104
PID 1480 wrote to memory of 1356	1480	Bnbmefbg.exe	104
PID 1480 wrote to memory of 1356	1480	Bnbmefbg.exe	104
PID 1356 wrote to memory of 4268	1356	Bapiabak.exe	105
PID 1356 wrote to memory of 4268	1356	Bapiabak.exe	105
PID 1356 wrote to memory of 4268	1356	Bapiabak.exe	105
PID 4268 wrote to memory of 716	4268	Bcoenmao.exe	106
PID 4268 wrote to memory of 716	4268	Bcoenmao.exe	106
PID 4268 wrote to memory of 716	4268	Bcoenmao.exe	106
PID 716 wrote to memory of 5084	716	Chjaol32.exe	107
PID 716 wrote to memory of 5084	716	Chjaol32.exe	107
PID 716 wrote to memory of 5084	716	Chjaol32.exe	107
PID 5084 wrote to memory of 3104	5084	Cjinkg32.exe	108

C:\Users\Admin\AppData\Local\Temp\1bc27329f93d7543613c1cc1045403f0N.exe
"C:\Users\Admin\AppData\Local\Temp\1bc27329f93d7543613c1cc1045403f0N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\SysWOW64\Aglemn32.exe
  C:\Windows\system32\Aglemn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:60
- - C:\Windows\SysWOW64\Aminee32.exe
    C:\Windows\system32\Aminee32.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3164
  - - C:\Windows\SysWOW64\Bjmnoi32.exe
      C:\Windows\system32\Bjmnoi32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1896
    - - C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4020
      - C:\Windows\SysWOW64\Bcebhoii.exe
        
        C:\Windows\system32\Bcebhoii.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4472
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:924
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3900
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1356
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:716
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3104
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2380
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1004
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4900
        
        C:\Windows\SysWOW64\Cdabcm32.exe
        
        C:\Windows\system32\Cdabcm32.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4116
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4872
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1884
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1128
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        32⤵
        Executes dropped EXE
        
        PID:2084
        
        C:\Windows\SysWOW64\Ceqnmpfo.exe
        
        C:\Windows\system32\Ceqnmpfo.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1068
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2808
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3504
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1216
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4292
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3560
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3780
        
        C:\Windows\SysWOW64\Chagok32.exe
        
        C:\Windows\system32\Chagok32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3400
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4340
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4516
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:524
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1344
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4156
        
        C:\Windows\SysWOW64\Cjbpaf32.exe
        
        C:\Windows\system32\Cjbpaf32.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4040
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        50⤵
        Executes dropped EXE
        
        PID:3256
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\SysWOW64\Ddjejl32.exe
        
        C:\Windows\system32\Ddjejl32.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3660
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2096
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3388
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2440
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:2908
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:732
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3204
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        63⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1272
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:592
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        67⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2280
        
        C:\Windows\SysWOW64\Dmgbnq32.exe
        
        C:\Windows\system32\Dmgbnq32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4108
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4512
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        
        PID:3120
        
        C:\Windows\SysWOW64\Dfpgffpm.exe
        
        C:\Windows\system32\Dfpgffpm.exe
        72⤵
        Drops file in System32 directory
        
        PID:1288
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4892
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        74⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        75⤵
        Drops file in System32 directory
        
        PID:5156
        
        C:\Windows\SysWOW64\Deagdn32.exe
        
        C:\Windows\system32\Deagdn32.exe
        76⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5196
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5236
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5284
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        79⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5316
        
        C:\Windows\SysWOW64\Doilmc32.exe
        
        C:\Windows\system32\Doilmc32.exe
        80⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5356
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:5396
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5396 -s 408
        82⤵
        Program crash
        
        PID:5484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5396 -ip 5396
1⤵
PID:5460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aglemn32.exe

Filesize
256KB

MD5
508a549ecd97e9558f419179458b040f

SHA1
23f41a0589dae800a4a9d9f8cfcb7225229e4d89

SHA256
7ebe9084c7f000cc38f4826e9090622af04b8c82ea356b635bffc53abbaec35e

SHA512
22a87ac375480ad1407881f7845153ab0c13f40facc248fdd6c875d0e34269b05a7960fc5631c88e59d17e3c6135046b4498354fe836491701a0c16f19e9b67a

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
256KB

MD5
d8b7a1d2e14a1d5003a2dba2cfe32476

SHA1
e31a91f90caa7609780f076b2a914e41aa71cf12

SHA256
70cc76a31c4321de6b17529f988a544cfe6543267c4682d001c547d80c13ccff

SHA512
17e1000f3a49e6217151fe3aa9077c72d2db54f4255e89b8a81ec964dbc7f4534974fb65f7c15ad97f9327897b794cc92f7b5ab67f35a1585083f1985fe4d854

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
256KB

MD5
d82a65b7a6fee310329c37cb4c67337e

SHA1
30bfe33c7b81e9eea409ecadc5bbd8f205d3e3be

SHA256
669d09c39c42b8f654027d0000fb7b876e4acee190de238e02af02fed1832d43

SHA512
281006e20f284f154435e990773791add3c8e2a5d584eefa054ba3d7330895e67afd138fc219dd4abde42c07397cba7932c503b371a953d3022e11571d286428

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
256KB

MD5
083e94e2c451e205b155eb935666be72

SHA1
b49356923591601e1c39fa64c3ef7fdd07835e87

SHA256
ffebfd3afca5a227848fe6af102bd87c33efe9cd220482c72c9ef967cea833fe

SHA512
7a0291c7ead4b2989ba3f191ab0ec523f82be32079f22c97b04063c32a1af8c4116fc999f28a6e6fe236454979d7997d9c4e0d487d596696b9a801a19ce60b85

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
256KB

MD5
d965e5074e8015e2b69e90f0ccd6dd0f

SHA1
8699ce8084a18f73a60c95a88f02ade36944859f

SHA256
8fef5e496dbd1127fc1fc3020992efe0b19577261f26e1ae8c33d7df0be8d289

SHA512
e1ee636b86357f32587e537987656a05b834086e845b9bfe23c87738682813a87b4b91fffefa62e6a25fdac186ee935d6793bf160dc249ed0b7869858e1928ec

Download Submit
C:\Windows\SysWOW64\Bapiabak.exe

Filesize
256KB

MD5
9cd91c2fd394915f62253e80b57d6b3d

SHA1
644cd74b099e62b7ec895c045b6fee9dc2d8278e

SHA256
501ee7015271cebda947d1d295ac9d536fe0fc3edf8c0c550906083561a2b25a

SHA512
fb5a8313b41eed58101014dfa3e229808c89e750607dee6b5196ea1b1b921f65fa5fca8a5bf7bad2d13bc895c6079382544f27a2ad6df7d452b56346f6d6f901

Download Submit
C:\Windows\SysWOW64\Bcebhoii.exe

Filesize
256KB

MD5
0c8fd70d7825daad75c49969c0e95d7a

SHA1
063cba9aee6f7fc70e0bb40cfde358559e775b8c

SHA256
6803cef314fe3dcd0a7fea491f5911a3404784526fe3fae0ba98d454bb6170cd

SHA512
b1072c3a857ce6be2cb8c3126641c40d0d42d4e00d0376d8029e8168fc54dcb77eb271afff013ecb78bef284734571e7c25cf690f6530a55f7ceea03897d2b23

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
256KB

MD5
df381e403215073c232e6d52c4831b89

SHA1
b91af5c91389e3e5b13e87b8052aa4f3e9c6f7b8

SHA256
2aaa63bb436fde60dd654b2fb633019a4a6fddf01e4656037b8ee1fbfe93bd11

SHA512
cca2c39e251371958bac43fdb9e6ace540d21124b57660e76c6ff95aff31cea5315e5167f24e2176900bcb491f043fc0afa61bb82e852329f211a3a06c50d934

Download Submit
C:\Windows\SysWOW64\Bclhhnca.exe

Filesize
256KB

MD5
2f2c61e8ae2256a4980725042d128cf3

SHA1
a64dc40e8a73fe1dd4a4b688841d7cc4122d3fca

SHA256
8db58156d8f0f795aad45c4b4aba795ba91252e41ccea99f3c94614cb551a5c4

SHA512
94670cabe9efa599034809d7941e6834cacb0646deafc048dbd73daff8bdd3a38ac5d3e4207bd2fb5585dde278bf8f5e1761bf50c253eafc947ac45bca55309d

Download Submit
C:\Windows\SysWOW64\Bcoenmao.exe

Filesize
256KB

MD5
6ad256b991c0268dc39543851e80c71f

SHA1
eb92256bc9d46fdf06dc794e9b5828668b549f26

SHA256
0d8a9673826448f42e90aec9a7a180f84c29957c556a465ce62c90dca5277bb0

SHA512
4a001d34559f3d11931364139c0ef13296422061ac83d656be038c087f7a57bf98e2087a53b2aa8b154787c62ef3b4bc3c5cd39bfa57117d251a426ff4b58328

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
256KB

MD5
99dae64ceb2dc3476184c2c0db44cc98

SHA1
0eef7a877b96846056bc40a661695ed733ba0272

SHA256
c7bb654d9e161c30a23ee855c77615b81ac1624c4c1acefbdee0b7a6f97d063c

SHA512
b652e6332519b080c249db9f9d08f4af8e98513d82ec221dbea3bd1d5cb98921f49f268c9ce3d091bd2a8c29482051a58cb0f58de02547c821c8bba2d9a261bc

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
256KB

MD5
158cb8b1a3a9061e6451dd7cf68bd859

SHA1
003fc2351f3f6459c859c9714ef639c96ec7c755

SHA256
b8af2f45692825cf6ae5535d66f9a7ab2b99fed17ec09e8c5c4f695474186eae

SHA512
524cd54547af49503d1342348141bc892baca3e43b5ef0c7da7c41fad9a4469abe7bdd375e56f4bae7ed61371bd70757af5590acfd52109b708bf77ad6fb95c1

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
256KB

MD5
2610362fe42fb3e351292b9197f80225

SHA1
1e4aaa2db796f3ae4018f3fafd26c8c03db5a274

SHA256
9171efe775861719e74a46ff635fa986fa34a91046da0b410a554f32d898f854

SHA512
939c3527aee4c83eccbeffc135cd4b0a548d175c4799432c8028e6d33ea5d746b1f5c2c036f194917b8e7cd491a4fb55d868a6ccd979dd057bc1f0d1047060cc

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
256KB

MD5
5c9a9614c973c4094f2f643a36f7c05f

SHA1
cf50e966fd301f5d3c399c823f0eff3dc81cb8e9

SHA256
7a50c1c434527575957e34dcf7eebb935e2f8ddfdefb665ac015ecce7e697721

SHA512
55514e5836ff3a25d3cf81bea87d900646727147f001495b3a6bc9e7a11d0441e5daeac2ab442645b23c2172c67d5e094071b427b28bdd4447b9d2731e97292e

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
256KB

MD5
0788110af330b675ca553699617bbd2d

SHA1
91eaf9789334b19d3f0a0076fb5126bc0b21adaa

SHA256
1d8b541f3695dc442da53add4c89884dbf63816dd2eb98fae614a57a247bd8e1

SHA512
4376ecdcbc41f9c10032f2bdd1b6c73ff31928b4dac30450a17fcb777606b8b38e953897b01c545be3744b0310a46058c5bb3d89c047f03497682cc9179f66ab

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
256KB

MD5
0cb0e769f5febf73108318c4e73624f2

SHA1
da951a58fde1492c80cc825629066833439ce8de

SHA256
4caca282c67ddf34e5b41767fd92eff95ab2d1be5001a100cd8cb4ce43467db2

SHA512
4598e71ae66f12c0eb03323dac29cd157bd5fd5a2fb4a999f01e7e47fad6f84a0663661a29fe451f7d815bc014eae918111188d8a33b0785f30eaf8f784b96d2

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
256KB

MD5
8c1da080bc1b53900115aca7e7b9dd5a

SHA1
07bb7d2ed0594e89cecea4ea578fd6f776681497

SHA256
db7563d92f59997c21fcb5ecff1e9cd465c2e1bbce1161a1e4c2b64be760e9b2

SHA512
390101e207ada823546d2c8cc62501201bea9d17f385ec81397897b50d4ef1209403194f845e58deb5b2ccad55422cd02a3762b089b3835540ea3e498cddcf08

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
256KB

MD5
54f1661417306e83dc962b749b187b5f

SHA1
82e9a67da0e52bed195464c63e6d8fa5b11b9881

SHA256
52d572117c27f5f51a6b079aaafd0206b5817cb15ee6c8a840612dddd06f237a

SHA512
527a29665546f21afd684689deaa24f43955ba75c0f4691611b35395b4d593b484a496cb12fcd2e490d7b9e409cf7d9d7299196354ad947b611726e1ece1c5e7

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
256KB

MD5
d2d4699c60d34a8edd2adc1fc7fb7f7d

SHA1
43fe5293f62db57e742d287f3885ecb705d522f0

SHA256
8396b3fe8e227a5b68f918395239875c1508e869643a95d5c2606c060e2f7f02

SHA512
01f5b50bf4194f01343bd88476a7538c753be3cc384c06bb0fff65dcd8bba3d8c5713efdd986ba745b1448844f45b88e2cd320674d002966e0048b373f13a8a9

Download Submit
C:\Windows\SysWOW64\Cabfga32.exe

Filesize
256KB

MD5
964d33410c334bf45bf32def34176f67

SHA1
58a73b4429390a9f0093e1257513a7ef7119da97

SHA256
e1b78306f262d44b3095e990203fe5382f5b90b93a3266800b3ba138860a670d

SHA512
f4947b04df2e64065d7618a13c2a49e3a29788518487b2ffa01074751d2aa67cc60f7539f06e46fee0dd11c18a8d76bd9291e2088032644f4fb8f57cd2b51278

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
256KB

MD5
568ef15bdb66c0a3c385993d5c008773

SHA1
320d9722b1f53b3d255e3df86b8dc47c79479180

SHA256
4394d4067f68e482536b5d27da21ae30553a574fb1ab5a6fb93fbfc94c29cc0c

SHA512
62be583cdefc37138d0c9ef1ccb23848d2bd6adaac66631ba024fae9b8c83c88011a4b5e5318f8031b918b59fb490219db60bbf20ec87521cdd70e93f5a09201

Download Submit
C:\Windows\SysWOW64\Cdabcm32.exe

Filesize
256KB

MD5
697c3734dc65e4f2ee8b7b5215926793

SHA1
dd843c91431f9b5771fdf26bf8433e6a25f7e8b7

SHA256
f99825e70076b0290ebc4614b2c846183c16b1ccfac29f6cc8a2a718fa1643e5

SHA512
67394ed447d09a75a24063f2b8a6fa037c1b850eb8dddbf1aa09993c95db63edbcd6ac732e35f6a8a08d5a33464b87fa50971be8d0264e11ceec60636ecee227

Download Submit
C:\Windows\SysWOW64\Cenahpha.exe

Filesize
256KB

MD5
4b159a03a1084e0e9b48ad8b5b9dfe1c

SHA1
ea1661297a7ca4867fefcba37d1f5fa59450d1bf

SHA256
58c8ebca7b281547cb9661ff2ae673eb87b2aee041cb578597bd52f3839e1b9f

SHA512
1d4735ffcd0fee098c69b9f61c2a66abc8815139d99d974405312753a039894609d8e1b4140cdd2e39481c2cba8b9ba7212016a4ed8596c288dcc6915a6887b0

Download Submit
C:\Windows\SysWOW64\Ceqnmpfo.exe

Filesize
256KB

MD5
0bf7c12db0b18bf90ce36af4b135f2ce

SHA1
b66892ef386c8b0d1f0498d5616b88112a6eba04

SHA256
7bc402f06c725dfd4f314d6a0628792a2f896c43972dfaec716396defc878429

SHA512
74a150e4a25763b7d00229f76f1fb9bb69cbb29f7e5f9c2235ec4025fa6751e617c118298cb39c3de7bfac2fc92a9e582a8374ee3459dbc1b2db6fd0766d3fbc

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
256KB

MD5
086094047e9926cf8d41c9b262b1ca11

SHA1
7a31a903475d3a1609823feb4287bd3495c22bb7

SHA256
daf916359cda29d1f53598a3d1615b0b7687ccec7a812bc4f4b5494673440be7

SHA512
73c685427ee63c87e0d5af2312916f892e1a22a1a7cd53a2e2d27512ac2489c31ad16e6d86fb61aeeb685ca2856aa696f73950b8c72b25155bbbd94c6bbafba6

Download Submit
C:\Windows\SysWOW64\Chmndlge.exe

Filesize
256KB

MD5
ae41931f7e35f76a979a6e11b2f997f5

SHA1
a35dcc5b4af5ec4ac3e36e879c4ff6d62958a640

SHA256
08f4a278fe38cae1036618a676c0063836af8bd7ac6409018c0033419feed727

SHA512
034d08592b0a3f18a45c3a8e47666abd0967f0eb33a37c273eb2fcf92d1fe5d9a9356f0bf62ef0cb895d7c935df61a1b67ddeb26d4375902d6f742b4105fbf9e

Download Submit
C:\Windows\SysWOW64\Cjinkg32.exe

Filesize
256KB

MD5
6772ad3b9c350f2a6b42b49529ea16fe

SHA1
adc73d327c92eff69e51e043074e22b85043e1ef

SHA256
9759bda22e6ee9d5a851af8eeb61ecbbc8c2966868fcafdf52856f7dced98993

SHA512
51dc7334f2066d85bc4d9525491580f18a1afaf348cbceaf29ca98b29c3cce5f3ad5b71a5284d039483d9f4221e423e95193a4d64c0a516b3c62da899ac5f6db

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
256KB

MD5
6727c98c24a8894e7eec831966e8aaca

SHA1
2f0ca86af3842936be93c1a36118162e15058568

SHA256
a3545109b43a4a40956cf8d18706efdc01df44e66e97a00e3af7c41ec4a5ce58

SHA512
218d55958c2f3eeda52389b686888b9be9d777557b59e1b56f38c7b1507ec0989ea0f20ce554e41871fcc964a84b0c6e3bb419c7964542ebfad46d9fc824c2f2

Download Submit
C:\Windows\SysWOW64\Cmgjgcgo.exe

Filesize
256KB

MD5
a94597e5ded6c1ee3540457fdde317db

SHA1
ac7c06215414b8644dcb87437724c022d897510c

SHA256
cd910633fca8d3f1553694712ccc43990382fcd666e7cb8cff6011888eeb3a7f

SHA512
a9e18942297f8064965d450f3e2c4c3274591a4885ae996aea8fecd6e823e95fb0eb8d388ce16be057c1f3df15ac3b43e32cad8c1c93604910f1919d564afdb9

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
256KB

MD5
53803bfce6f36e661eb449f75015ec14

SHA1
b8f6c953193df710aa49bf1e0fed6447fffffe8f

SHA256
32b491942f64bd13be067013ac0404672cea6707919b0496a545a9f223283f92

SHA512
406639e10230eb74f7db75979ca3006c1e4f7e5128a9c251e99a8ce676d32307125534948c9842b5fd5c26493e5b12eb2551e664ab4819fa609e54854c62291c

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
256KB

MD5
50c70259fe0dc03058dede54e9cf0e0b

SHA1
0fedf22da49c8ce1ace985cbb362a54ee13e8c99

SHA256
68a905af686d92f27ef1172b43fd57d583374d8473a10d19d546c353ed6c58b3

SHA512
823012ce8825546afbdd5eac9efe3424c06f80c7be8ff51e8b836ae07f7428166b6368ff15ac61513ce63585d36252af8e38f60bafbac277a0eb08417586aafc

Download Submit
C:\Windows\SysWOW64\Cnffqf32.exe

Filesize
256KB

MD5
468ab711e3250ec9bcaf9eb8db3135fa

SHA1
35419b87c36df83382f1d022b67b7aba730319ed

SHA256
5e062bc80b4e9d73607212db48619595234d359f8f7a160e1d74828b526b38a9

SHA512
b5b6065d39dd94d7aca9dcc4263a25741ed7e797fbd543b273ca343c7e9b4579a598d2e416d2a7552ef436239ad42c1b160357745bf465abd3073f5708eb9b91

Download Submit
C:\Windows\SysWOW64\Eeiakn32.dll

Filesize
7KB

MD5
b3499f9fd43ddd685acea123f3487d09

SHA1
82bc85af405a2201e2cb4c6bcf360cab3ab7b828

SHA256
c60eadc6a67cfc5785b3a8f978000fcf77d6f71354c1c6f0680e589859360276

SHA512
410257ebe37b1636aa9458d47c81c1b0bc441512e7375a71350fece193b7ca7a0cbc686c2156fc11ff0acf46c1fcbf400c6e82d92a2f96b8e513ae63e492101c

Download Submit
memory/60-7-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/60-89-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/524-346-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/536-112-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/592-460-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/716-175-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/732-442-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/864-418-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/924-147-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/924-56-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1004-209-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1068-275-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1128-259-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1164-490-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1172-208-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1172-117-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1216-292-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1272-455-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1288-509-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1344-353-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1356-157-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1480-149-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1768-183-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1768-90-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1884-251-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1896-107-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1896-23-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1940-328-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2032-401-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2052-166-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2052-71-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2084-266-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2096-412-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2116-382-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2176-340-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2280-478-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2380-200-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2440-431-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2540-0-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2540-80-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2612-156-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2612-63-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2672-139-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2808-281-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2908-436-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3024-395-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3104-192-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3120-503-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3164-16-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3164-102-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3204-449-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3256-376-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3388-425-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3400-316-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3504-286-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3560-304-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3660-388-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3780-310-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3900-126-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3900-218-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3968-406-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4020-32-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4020-116-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4040-364-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4108-485-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4116-226-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4156-358-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4268-167-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4292-298-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4340-322-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4376-371-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4404-234-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4448-81-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4448-174-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4472-47-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4472-138-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4504-106-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4512-497-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4516-335-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4788-467-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4872-242-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4892-515-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4900-219-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5012-521-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5068-125-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5068-39-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5076-473-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5084-185-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5156-527-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5196-533-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5236-538-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5284-545-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5316-551-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5356-557-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5396-558-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads