d1940dc3f0683f4b8d263b3e522b78afeddebfd74a0bd7af8cee4f51d71aaae6

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2024, 03:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad96c66b78ba504302fa793e832b2400N.exe
Size

144KB
MD5

ad96c66b78ba504302fa793e832b2400
SHA1

3a99c319cf2613783265c469a9a24de1e73a8faf
SHA256

d1940dc3f0683f4b8d263b3e522b78afeddebfd74a0bd7af8cee4f51d71aaae6
SHA512

d68cbbb348bd20e202875a65273ece13be0b03863c47625a8da53a2a714b5d65ae77dd2628e7fb9ebc40c87c5c71aab0f39e219d3d963dfdcf2bf0dbfba13beb
SSDEEP

3072:2EYDrLyoQ2w71yVeBnihLnLkWxczdH13+EE+RaZ6r+GDZnBcV8:2EYLmAVikLLDczd5IF6rfBBcV8

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aminee32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qfcfml32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjinkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Deokon32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	ad96c66b78ba504302fa793e832b2400N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qmkadgpo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjpckf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acqimo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baicac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	ad96c66b78ba504302fa793e832b2400N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bebblb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfabnjjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cagobalc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ambgef32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Afmhck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Djdmffnn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qnjnnj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjfaeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmemac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhhnpjmh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhkjej32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Qqijje32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dogogcpo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdpmpdbd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgjgcgo.exe

Executes dropped EXE 64 IoCs

pid	Process
4560	Pdpmpdbd.exe
1920	Pfaigm32.exe
5076	Qmkadgpo.exe
1320	Qdbiedpa.exe
4988	Qceiaa32.exe
5052	Qfcfml32.exe
976	Qnjnnj32.exe
2920	Qqijje32.exe
4080	Ajanck32.exe
3980	Ampkof32.exe
2008	Ageolo32.exe
740	Ambgef32.exe
692	Aqncedbp.exe
1696	Agglboim.exe
224	Anadoi32.exe
2388	Acnlgp32.exe
5048	Afmhck32.exe
4336	Amgapeea.exe
3372	Acqimo32.exe
536	Ajkaii32.exe
828	Aminee32.exe
1100	Aepefb32.exe
1992	Bfabnjjp.exe
1972	Bnhjohkb.exe
428	Bebblb32.exe
1952	Baicac32.exe
2524	Beeoaapl.exe
1592	Bjagjhnc.exe
2276	Balpgb32.exe
3340	Bgehcmmm.exe
4484	Bjddphlq.exe
1856	Banllbdn.exe
2672	Bclhhnca.exe
768	Bjfaeh32.exe
1504	Bmemac32.exe
2568	Belebq32.exe
5024	Chjaol32.exe
388	Cjinkg32.exe
2476	Cmgjgcgo.exe
4504	Cenahpha.exe
3040	Chmndlge.exe
4492	Cnffqf32.exe
1508	Caebma32.exe
3536	Cdcoim32.exe
2356	Cjmgfgdf.exe
3588	Cnicfe32.exe
3500	Cagobalc.exe
4376	Cdfkolkf.exe
2944	Cjpckf32.exe
4364	Cmnpgb32.exe
1656	Cajlhqjp.exe
2904	Cdhhdlid.exe
4156	Cffdpghg.exe
3024	Cmqmma32.exe
5072	Cegdnopg.exe
1520	Dhfajjoj.exe
3400	Djdmffnn.exe
3788	Dmcibama.exe
1644	Danecp32.exe
2028	Dhhnpjmh.exe
1660	Djgjlelk.exe
3556	Daqbip32.exe
4036	Dhkjej32.exe
1148	Dkifae32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Eflgme32.dll	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Aoglcqao.dll	Cenahpha.exe
File opened for modification	C:\Windows\SysWOW64\Cagobalc.exe	Cnicfe32.exe
File opened for modification	C:\Windows\SysWOW64\Cjpckf32.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Elkadb32.dll	Daekdooc.exe
File created	C:\Windows\SysWOW64\Bfddbh32.dll	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Phiifkjp.dll	Bnhjohkb.exe
File created	C:\Windows\SysWOW64\Beeoaapl.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File created	C:\Windows\SysWOW64\Okgoadbf.dll	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Dkifae32.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Deokon32.exe
File created	C:\Windows\SysWOW64\Bnhjohkb.exe	Bfabnjjp.exe
File opened for modification	C:\Windows\SysWOW64\Balpgb32.exe	Bjagjhnc.exe
File opened for modification	C:\Windows\SysWOW64\Bmemac32.exe	Bjfaeh32.exe
File created	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Qfcfml32.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Efmolq32.dll	Ampkof32.exe
File created	C:\Windows\SysWOW64\Ibaabn32.dll	Ageolo32.exe
File created	C:\Windows\SysWOW64\Afmhck32.exe	Acnlgp32.exe
File opened for modification	C:\Windows\SysWOW64\Amgapeea.exe	Afmhck32.exe
File opened for modification	C:\Windows\SysWOW64\Agglboim.exe	Aqncedbp.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Ajkaii32.exe
File opened for modification	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File opened for modification	C:\Windows\SysWOW64\Bnhjohkb.exe	Bfabnjjp.exe
File created	C:\Windows\SysWOW64\Kmfiloih.dll	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Cmgjgcgo.exe	Cjinkg32.exe
File opened for modification	C:\Windows\SysWOW64\Cmqmma32.exe	Cffdpghg.exe
File opened for modification	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Qfcfml32.exe	Qceiaa32.exe
File created	C:\Windows\SysWOW64\Ageolo32.exe	Ampkof32.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File opened for modification	C:\Windows\SysWOW64\Pdpmpdbd.exe	ad96c66b78ba504302fa793e832b2400N.exe
File opened for modification	C:\Windows\SysWOW64\Aminee32.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Empbnb32.dll	Pdpmpdbd.exe
File created	C:\Windows\SysWOW64\Bclhhnca.exe	Banllbdn.exe
File created	C:\Windows\SysWOW64\Nbgngp32.dll	Danecp32.exe
File created	C:\Windows\SysWOW64\Ffpmlcim.dll	Cjpckf32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Dmcibama.exe
File created	C:\Windows\SysWOW64\Daekdooc.exe	Dogogcpo.exe
File created	C:\Windows\SysWOW64\Ehmdjdgk.dll	Ajanck32.exe
File opened for modification	C:\Windows\SysWOW64\Acnlgp32.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Mogqfgka.dll	Bjfaeh32.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Djgjlelk.exe	Dhhnpjmh.exe
File created	C:\Windows\SysWOW64\Dknpmdfc.exe	Dhocqigp.exe
File created	C:\Windows\SysWOW64\Jpcmfk32.dll	ad96c66b78ba504302fa793e832b2400N.exe
File created	C:\Windows\SysWOW64\Mglncdoj.dll	Amgapeea.exe
File opened for modification	C:\Windows\SysWOW64\Dmllipeg.exe	Dknpmdfc.exe
File opened for modification	C:\Windows\SysWOW64\Aqncedbp.exe	Ambgef32.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Dhocqigp.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Nedmmlba.dll	Caebma32.exe
File opened for modification	C:\Windows\SysWOW64\Dogogcpo.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Papbpdoi.dll	Qfcfml32.exe
File opened for modification	C:\Windows\SysWOW64\Bjfaeh32.exe	Bclhhnca.exe
File opened for modification	C:\Windows\SysWOW64\Cjinkg32.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Mgcail32.dll	Cmqmma32.exe
File opened for modification	C:\Windows\SysWOW64\Ambgef32.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Acnlgp32.exe	Anadoi32.exe
File created	C:\Windows\SysWOW64\Fjbodfcj.dll	Aepefb32.exe
File created	C:\Windows\SysWOW64\Bjagjhnc.exe	Beeoaapl.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4132	3084	WerFault.exe	159

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qnjnnj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ambgef32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhhnpjmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qqijje32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ad96c66b78ba504302fa793e832b2400N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beeoaapl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ageolo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cagobalc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Deokon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dogogcpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhocqigp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djdmffnn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdpmpdbd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qceiaa32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chmndlge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daekdooc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmkadgpo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjinkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfabnjjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfaigm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qdbiedpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnicfe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajkaii32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnhjohkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aminee32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhkdnkh.dll"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll"	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dhocqigp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Empbnb32.dll"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlogcip.dll"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfjhbihm.dll"	Chmndlge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qdbiedpa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Ambgef32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Aepefb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcmfk32.dll"	ad96c66b78ba504302fa793e832b2400N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmolq32.dll"	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cagobalc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmdjdgk.dll"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Aepefb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Qceiaa32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qqijje32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	ad96c66b78ba504302fa793e832b2400N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkijij32.dll"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daqbip32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pdpmpdbd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Papbpdoi.dll"	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chmndlge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjbpg32.dll"	Dmcibama.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Pfaigm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhpgj32.dll"	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	ad96c66b78ba504302fa793e832b2400N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Ajkaii32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfddbh32.dll"	Ajkaii32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	ad96c66b78ba504302fa793e832b2400N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebdijfii.dll"	Balpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Pfaigm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qfcfml32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bnhjohkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Danecp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Acnlgp32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 4560	1316	ad96c66b78ba504302fa793e832b2400N.exe	83
PID 1316 wrote to memory of 4560	1316	ad96c66b78ba504302fa793e832b2400N.exe	83
PID 1316 wrote to memory of 4560	1316	ad96c66b78ba504302fa793e832b2400N.exe	83
PID 4560 wrote to memory of 1920	4560	Pdpmpdbd.exe	84
PID 4560 wrote to memory of 1920	4560	Pdpmpdbd.exe	84
PID 4560 wrote to memory of 1920	4560	Pdpmpdbd.exe	84
PID 1920 wrote to memory of 5076	1920	Pfaigm32.exe	85
PID 1920 wrote to memory of 5076	1920	Pfaigm32.exe	85
PID 1920 wrote to memory of 5076	1920	Pfaigm32.exe	85
PID 5076 wrote to memory of 1320	5076	Qmkadgpo.exe	86
PID 5076 wrote to memory of 1320	5076	Qmkadgpo.exe	86
PID 5076 wrote to memory of 1320	5076	Qmkadgpo.exe	86
PID 1320 wrote to memory of 4988	1320	Qdbiedpa.exe	87
PID 1320 wrote to memory of 4988	1320	Qdbiedpa.exe	87
PID 1320 wrote to memory of 4988	1320	Qdbiedpa.exe	87
PID 4988 wrote to memory of 5052	4988	Qceiaa32.exe	89
PID 4988 wrote to memory of 5052	4988	Qceiaa32.exe	89
PID 4988 wrote to memory of 5052	4988	Qceiaa32.exe	89
PID 5052 wrote to memory of 976	5052	Qfcfml32.exe	90
PID 5052 wrote to memory of 976	5052	Qfcfml32.exe	90
PID 5052 wrote to memory of 976	5052	Qfcfml32.exe	90
PID 976 wrote to memory of 2920	976	Qnjnnj32.exe	91
PID 976 wrote to memory of 2920	976	Qnjnnj32.exe	91
PID 976 wrote to memory of 2920	976	Qnjnnj32.exe	91
PID 2920 wrote to memory of 4080	2920	Qqijje32.exe	92
PID 2920 wrote to memory of 4080	2920	Qqijje32.exe	92
PID 2920 wrote to memory of 4080	2920	Qqijje32.exe	92
PID 4080 wrote to memory of 3980	4080	Ajanck32.exe	93
PID 4080 wrote to memory of 3980	4080	Ajanck32.exe	93
PID 4080 wrote to memory of 3980	4080	Ajanck32.exe	93
PID 3980 wrote to memory of 2008	3980	Ampkof32.exe	94
PID 3980 wrote to memory of 2008	3980	Ampkof32.exe	94
PID 3980 wrote to memory of 2008	3980	Ampkof32.exe	94
PID 2008 wrote to memory of 740	2008	Ageolo32.exe	96
PID 2008 wrote to memory of 740	2008	Ageolo32.exe	96
PID 2008 wrote to memory of 740	2008	Ageolo32.exe	96
PID 740 wrote to memory of 692	740	Ambgef32.exe	97
PID 740 wrote to memory of 692	740	Ambgef32.exe	97
PID 740 wrote to memory of 692	740	Ambgef32.exe	97
PID 692 wrote to memory of 1696	692	Aqncedbp.exe	98
PID 692 wrote to memory of 1696	692	Aqncedbp.exe	98
PID 692 wrote to memory of 1696	692	Aqncedbp.exe	98
PID 1696 wrote to memory of 224	1696	Agglboim.exe	99
PID 1696 wrote to memory of 224	1696	Agglboim.exe	99
PID 1696 wrote to memory of 224	1696	Agglboim.exe	99
PID 224 wrote to memory of 2388	224	Anadoi32.exe	101
PID 224 wrote to memory of 2388	224	Anadoi32.exe	101
PID 224 wrote to memory of 2388	224	Anadoi32.exe	101
PID 2388 wrote to memory of 5048	2388	Acnlgp32.exe	102
PID 2388 wrote to memory of 5048	2388	Acnlgp32.exe	102
PID 2388 wrote to memory of 5048	2388	Acnlgp32.exe	102
PID 5048 wrote to memory of 4336	5048	Afmhck32.exe	103
PID 5048 wrote to memory of 4336	5048	Afmhck32.exe	103
PID 5048 wrote to memory of 4336	5048	Afmhck32.exe	103
PID 4336 wrote to memory of 3372	4336	Amgapeea.exe	104
PID 4336 wrote to memory of 3372	4336	Amgapeea.exe	104
PID 4336 wrote to memory of 3372	4336	Amgapeea.exe	104
PID 3372 wrote to memory of 536	3372	Acqimo32.exe	105
PID 3372 wrote to memory of 536	3372	Acqimo32.exe	105
PID 3372 wrote to memory of 536	3372	Acqimo32.exe	105
PID 536 wrote to memory of 828	536	Ajkaii32.exe	106
PID 536 wrote to memory of 828	536	Ajkaii32.exe	106
PID 536 wrote to memory of 828	536	Ajkaii32.exe	106
PID 828 wrote to memory of 1100	828	Aminee32.exe	107

C:\Users\Admin\AppData\Local\Temp\ad96c66b78ba504302fa793e832b2400N.exe
"C:\Users\Admin\AppData\Local\Temp\ad96c66b78ba504302fa793e832b2400N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Windows\SysWOW64\Pdpmpdbd.exe
  C:\Windows\system32\Pdpmpdbd.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Windows\SysWOW64\Pfaigm32.exe
    C:\Windows\system32\Pfaigm32.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1920
  - - C:\Windows\SysWOW64\Qmkadgpo.exe
      C:\Windows\system32\Qmkadgpo.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5076
    - - C:\Windows\SysWOW64\Qdbiedpa.exe
        
        C:\Windows\system32\Qdbiedpa.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1320
      - C:\Windows\SysWOW64\Qceiaa32.exe
        
        C:\Windows\system32\Qceiaa32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4988
        
        C:\Windows\SysWOW64\Qfcfml32.exe
        
        C:\Windows\system32\Qfcfml32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\SysWOW64\Qnjnnj32.exe
        
        C:\Windows\system32\Qnjnnj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\SysWOW64\Qqijje32.exe
        
        C:\Windows\system32\Qqijje32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4080
        
        C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3980
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\SysWOW64\Ambgef32.exe
        
        C:\Windows\system32\Ambgef32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:740
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\Windows\SysWOW64\Agglboim.exe
        
        C:\Windows\system32\Agglboim.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3372
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:828
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1100
        
        C:\Windows\SysWOW64\Bfabnjjp.exe
        
        C:\Windows\system32\Bfabnjjp.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1992
        
        C:\Windows\SysWOW64\Bnhjohkb.exe
        
        C:\Windows\system32\Bnhjohkb.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:428
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2524
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2276
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3340
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4484
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\Bjfaeh32.exe
        
        C:\Windows\system32\Bjfaeh32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:768
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1504
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2568
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Cjinkg32.exe
        
        C:\Windows\system32\Cjinkg32.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:388
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2476
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4504
        
        C:\Windows\SysWOW64\Chmndlge.exe
        
        C:\Windows\system32\Chmndlge.exe
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3040
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3536
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\Cnicfe32.exe
        
        C:\Windows\system32\Cnicfe32.exe
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3588
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3500
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4376
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4364
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:2904
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4156
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3024
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        56⤵
        Executes dropped EXE
        
        PID:5072
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3400
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3788
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\Dhhnpjmh.exe
        
        C:\Windows\system32\Dhhnpjmh.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1660
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        63⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\Dkifae32.exe
        
        C:\Windows\system32\Dkifae32.exe
        65⤵
        Executes dropped EXE
        
        PID:1148
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        66⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1452
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3880
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        68⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3116
        
        C:\Windows\SysWOW64\Dogogcpo.exe
        
        C:\Windows\system32\Dogogcpo.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4940
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        70⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4896
        
        C:\Windows\SysWOW64\Dhocqigp.exe
        
        C:\Windows\system32\Dhocqigp.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        72⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4380
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:3084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 416
        74⤵
        Program crash
        
        PID:4132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3084 -ip 3084
1⤵
PID:696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
144KB

MD5
e19d80858e0528cc45c9810b005c28b4

SHA1
d6a1dfbcc63027036c4a3eab1ae81848e6b384ce

SHA256
2362997c1163942ce59e40bb32ee1ee3fbe3d88a8bf4165b24ddc6d7fdf956a6

SHA512
f1916b793954627c2e41807cbf9d5f647c21274eaae69b4862d5588028cdbbcba730808c831dad1a0abf847d104e20360ff06564f9c0ff45d9b3a6d1b7dd215a

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
144KB

MD5
63b26e13d1a20dbb738713c43a51411f

SHA1
eb87e0298dc0d370065a2b149e215e30bf24865e

SHA256
89dbac02d540b0700890e358c1988d7c90f0b43de9744bbd72394004de8ca6a8

SHA512
ad987b50971b3e71509b89b3c08dda04b3f62e9bc74c4795b2964af37a7ad4118f988ddbbb4a63af260fdb500d3a7e8b382286ef0633d9d30e566f92e5d877fa

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
144KB

MD5
def9b014abea013ca5a624a46f8eadcf

SHA1
4adcb660177b52e1276f591f3c71e7ea47bd7db0

SHA256
f729b2d95aace97a2a7a4f3381bf93877f657b6d8b297e9d64a06e6aec9b8bc5

SHA512
09bca2670bf54120a6f7787ed6754489263fd6632177b7d1b1d57fe965db9533a447dbd057e2d089fcaba4ff2eb6ced9f7ab681acb38f1ad99c5b077910a1997

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
144KB

MD5
25be8608706fd7ba402c0cf17c86cf08

SHA1
c9e4fb98dc33680e59a7c7b872ffd7ddee8a6032

SHA256
b600344880112269eade37c2a01c919ceb983a25f5a6f4db8f8320dcaeb284d7

SHA512
f4b35694c0d625e46af32bed55230cc9b0c562a03f99e827e429c2e7d378c1a596bac92a84735b75607a83f8fe231f4d5255426a8173953ed95da3cf297b572f

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
144KB

MD5
1a8ca86f10cf9e25684cb9f9a2702aac

SHA1
6bf0e36fe0a0c97cc786a4102063f68a7ee6122b

SHA256
13ea01f02a00529080c8e9d1344c02893a91ef9157558fa28e3ce5201a9a83cf

SHA512
afdce17ca4ed22a1948944a48c4d069db369fafc658a5d52083bccab73f431658735ebd3a911dc4137063894803f8d418bed61b48f17d06209c6501ba3e1c297

Download Submit
C:\Windows\SysWOW64\Agglboim.exe

Filesize
144KB

MD5
428f7a44366e374742cc65bf327624c3

SHA1
a1498c0ae18e07411d579968732db3f3caf12acb

SHA256
fd229338be835550d2ee3eb3623f658a023915b58a7383b99482d604c80ac2e1

SHA512
d3866dff3a96044d209c0d63415e2d273906b64c1600960ec97de2a9997b3c31a449bf1c59f5e57830bfa2193f11d8decc31b7aec4471adb29bbc2eea754c3c2

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
144KB

MD5
ef1a62b5aa919585c5da52ab530c1f3a

SHA1
1d7ba94e7f0df7124925bed33279e6a791a4fc09

SHA256
2ec022ce6ae3c7771cf9902f0246025f8c9f6df2a015c287d1dbfd0bcb5ec780

SHA512
13b3dc07f485564267a1809118f468df54205b323fb524e62f0640c4f5bedf455cf916c2963fb00c4ed2a8fa1c7761a902be4c976feee50e008a10ecb935f948

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
144KB

MD5
31127d1ca92385ed09985cc1e22d099d

SHA1
ace885fd905e7c60406a731402a176454e90583c

SHA256
a17f04d62ff9cfdc502b9b759354a582b83bd1123e06f516aadda10fc1308f7f

SHA512
53e07d0fe6d8ca8f5814dc1777148295d4838a39f236dbca944e2ef97822b9a71223599f1a48b979dee69326beb5d557f47db090faf496c9ab3dfe8ab765860b

Download Submit
C:\Windows\SysWOW64\Ambgef32.exe

Filesize
144KB

MD5
18c9bd22075d3f7893104c66cfc07667

SHA1
1aa2e62fe5f372adc5d4c04815dc8de2914b5c58

SHA256
43359dda41b476fd22588fc79f59cb5d85e6a822062a25439635ec5bae3868fd

SHA512
6d47125567e1181d15149fdb6b34c3077ba6b4f88924de0f63ca9710e19f2c0c7e288e30141fa3163f4c1ab4b15e618bd34c18ddd0dbd848dc93b7de20777729

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
144KB

MD5
afaf1b2b123e064a78f3c2b18215b214

SHA1
d2a5538ab219097a9639100609602329507d2cce

SHA256
308126736728af6930d51a45025f9e2e0b2aa984c4086785969764681a5dd737

SHA512
d65d7382042818526e351e3744dabdedee41e74fa1ea7dd8433d21fedb785c4805656b99149ba211729c4d3859af47a6981ba9ed762de087416e6d032887d576

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
144KB

MD5
85d6f7e0269a8440b2e45cc40e4b9edd

SHA1
c23306e8fb124f8a4eb2490e1277acab8f356aaa

SHA256
16f554a557d4cd5d5551d9a4588121449510317e3c189f79c94506d9ade7509b

SHA512
a86adceae06dc4e2c684159941dadb6e7e4197e35b5f05dd4f3e7b1b24179e7fa499302145fe42956ce31b94b451185f654159559c4e0cfd7bcfeb715cba1d87

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
144KB

MD5
37b006bd42a0e740da61817b994fc31f

SHA1
15640f858b1e1e1da0dce91be3a06beeb55bc801

SHA256
7982f8b554e55aacb255a39ca3a91c754c18be82508d7d78991b42d208d3cbbc

SHA512
7f38068104a39722b2e8c8a8ad4269ba75b1be073fb56e946d752aeb31779f450833401d0953b04f1a24cb9fca7f836ba03cccf94a97cdf6a0c558073ce2eeed

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
144KB

MD5
fe09f585b5ff53763a0b03d1e8b67a82

SHA1
b859cd62f79b61aa72128baeca672ea92f8b359e

SHA256
72252629666042ec59bef88b553af06c02dce243eec27edaeb89f42ff3cefa7c

SHA512
a99087a578ee22f8668a089aedd9ad37026b158e2f4457a813d275b5a56ca5665cbdf5214a26332e6cd5b8d8c8be5ea4a6b74078635dd6069e3eb23d268bf171

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
144KB

MD5
b29b08342b325b773e41bc612bd0a625

SHA1
608f1940e6086fda366023176dd4d8546dbec8fb

SHA256
40b7b68613873ff892d67e3cd272543e349a93d5a7d0ff3fcfc2c3e260778dae

SHA512
7e6431ac87bf7f860943d2c4e486fd8832e4a6e6d276aa4c9089f423f41d42334ccf0291a0d6625fc76da0cfb9b14040c50a3ae78714e2202c3019159dfb3c76

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
144KB

MD5
5cf65b7bd40f1017f28e47fa20654944

SHA1
61e3d18f79b3cb0cce968b35f638f1f7c56161e7

SHA256
2b485b70aed3ea58564ef106fd4364996d08e1c036d7a3e7dcf220c051176fef

SHA512
63d3b48c5d49e6548d35c866bc42b3c625528c852b89ae39c6401b6be80d6c1bc683f7d486829d3504af7f8a0000508a4f37d667854dad45b1f36fca99ff9c4e

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
144KB

MD5
dc4fc04512a0b33c02e7efbeabf6de91

SHA1
5361c6f4aa56e89e277c44b480cbdae6d770f6de

SHA256
fbf492269d59480459b11e75e0ab5e8851f85a6bbb1a263d4075cd0eb1234db3

SHA512
6e821c32f680fd1d9e33fcf0ab6c72de48cb04a2dc138891232be63c576b51e583a63b0710718bb88410c7132768e229c61a0f32727246cb8e61cf2579e4afa3

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
144KB

MD5
ba360310cc8cfa3b7d583a9e7f68f226

SHA1
89f9435a0d1cc45e4b920b7032c07cdd84289b9a

SHA256
003499e80ffea5650882b5ea0c6dcf0d3dbd48354fe8f99f590c867f41ad144b

SHA512
785a35c0db14b63fcd89ea6b3308721d2f07f978c299ac59809540f3fa1a6a5eef3e70121928b45906eff31fb70c33b11a0c066f8b0ed416a138f1e4cce8e0b4

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
144KB

MD5
f2a50d9aa5d6d28a3f37a5b5a13a0a7a

SHA1
edd73c143eaf45e01ec7726f5fefe710e2232803

SHA256
aede2d17d5870aa93ab89452510e0a938a0fadfb49c1c58544189dccf0660309

SHA512
7f5b9ee22ed5900b793062c39b96322ae415b8d4728245bc3cea4e38cca4282ab556789a6ab969a5baac8eaa834a812a834624112fa302c283a18bb6a09a3310

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
144KB

MD5
d605de3624f6e45a3f8e7191e157f469

SHA1
e5c2e36a276a6a99d404455f51ce053888f4ed71

SHA256
56706b43cadfe6f73c16bb34dfb35fc69a0ca51c544c75a540382e9134ebf3be

SHA512
b6ef906775ef0b89d439c64f5286743b2368500d41a261417fe04f99c06d6ecbebbe697dc049b1a3bbbf6acd40304d169621532a688fb302534c7c4252aa3d0e

Download Submit
C:\Windows\SysWOW64\Bfabnjjp.exe

Filesize
144KB

MD5
260bf16bbeb4a2c6570c1cada2a5c839

SHA1
6ebbcd8bca85963623581d9898632190a361fe16

SHA256
f6069ffb863de439f43e024ec6950e34e679e69175b530a0134674bc961dac6a

SHA512
070902349fc094cab1db50d34666f05ce7e7cd6654152f90202d8164f7acd3ab1915e518adf2d83d27262f51cf755dbd89f194dd1565aba2682d1fe95e42712f

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
144KB

MD5
daf023cb00d93fcf1b6376d277f81cb9

SHA1
ccbef4b9302e060e5725324f15b744f56088b66b

SHA256
ef45c79284c6e603d0b2e05f073c59a6d26cb3e71dbd0e98d404a1bff3d340e3

SHA512
686bc1e1cd3e4f9674d790c794497d7f30bd48762d69634ddfdf82089bf223254a456e006f51b0911544da6772e087e9dbb5e6d28cdaa577f7709b183b48991d

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
144KB

MD5
022c4b11ec19e9ae51a7952516d10273

SHA1
1cf2339b28067e6ee3dc9f9e49c9ae15a7e7cb2c

SHA256
f5aa63b589a8388875535df4395edfb7cb860e3b1bea376258ea31262556bd9b

SHA512
37c305c987eee54ca6203e958c911fd46447587d38a43ded5059c4ee24558d3e1460bb7dda09e91cfe20a3c6df5df50c500a32171c117d830febfddc38796bc5

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
144KB

MD5
df6ba13275027a50a2ee381474ef2b1a

SHA1
31212fe33b83eac5892d2dfb814fb8c9474ae208

SHA256
8e210e3d289f99d3d337d482d0bcffa7e51146bf5721290c4dd8157dced296e1

SHA512
673c237afb8a8ba5b9e6ced4096faa8faa62f3410c92ee54944b4fae9c1f57078d34a63d5d12864e4162234366babad81bd46e05868d3356f408a00736aacdf5

Download Submit
C:\Windows\SysWOW64\Bnhjohkb.exe

Filesize
144KB

MD5
196a2e44f2344446562522cdc7a44353

SHA1
93ca0d3a19c8beda8af15faefa2a24a69a30a5a9

SHA256
4d299c96c8cfa3bcfd19a725b4b52b8ea0bdc5dece9961f8f4c7433a33fc0e32

SHA512
6cb6c6efc5e0c26d3fc1dbb4681bb4378556c444a4ce19f5f4e0195091a33cab7d1b229240e7ceb8bdace0dacf0cbcda451dfb3e237284505ed468794d7ea919

Download Submit
C:\Windows\SysWOW64\Cffdpghg.exe

Filesize
144KB

MD5
84052eb36d31d71df92f0e3997d031bf

SHA1
5e9e15a210bcc994bcdd80feb8bbda2c032c9413

SHA256
21bc7c1c01b30695c7cee241b02c930eb56e96c3e254063d66798aa03c7e11a9

SHA512
24a1bd1962d925444aca2f7b0eb498ae408f864227cee032517b2144fed510a2fedfac6a7a05ae8ad64fe9afe77a89209b46e458b2ee6f8bc45017653d162fbb

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
144KB

MD5
a4a2504bc65e7003eb9a1d53668ed0f1

SHA1
ed135828eb04b7a68ac685c1d21e2dd8ab1416d3

SHA256
de07a2f86b52bc1831cc284c9036fe5a3c5f76e91ba9def33a271a6774255fde

SHA512
ea6e5336a4ffc354e8bb449f8d26c87d99323a68f02bafb10b73b3534126f38492fb9c7202b04a21a55db37327800670c55fcf4f132fe560826e68a83870d982

Download Submit
C:\Windows\SysWOW64\Deokon32.exe

Filesize
144KB

MD5
415dcd2b15a969c107e831df5285b181

SHA1
1e5b83a5d2fd8ef6ccde95b9e9b8dfa1b9e50e80

SHA256
2f9b7033cf7ea3639fa8669eaba0bcec4e9f3cac02b9aaa4c98b71e9e9833c60

SHA512
b5cc7fd6e742953abd635020c65468e5db3e60251841900eacee5ad6a8f1f1cd7b9d11cc109742d2cf9d11df6a6decfe44fc1162bb224e4391a28c8d7d79b92b

Download Submit
C:\Windows\SysWOW64\Djnkap32.dll

Filesize
7KB

MD5
34d9408126c87f67926be522cc4fc75a

SHA1
528a805fc5f7ebb63ee9b5a245adec3018dcb036

SHA256
a0c7f23d6a277ede2745dd620eefd50a7106680e6546aaf3841272e609df5a3c

SHA512
bab8f2adba7732b43efa4016f303234f019f65593cfe80dd5c67e90583345f6b2c428f87d3070a2365affa4c8826217da4617a7bbdd464a704af0dae5acf11da

Download Submit
C:\Windows\SysWOW64\Pdpmpdbd.exe

Filesize
144KB

MD5
8489d7f02c3ea590ca3675f1727d7924

SHA1
82e69154bfd8cc387ae86bbe5e35d3d226f66bd4

SHA256
a5a68def2f408141454c64193ba61247139936217b489362b3c65e715de89d55

SHA512
760203673fc1d0a18ac3bd8efed6fd62d618be029ad879e7aa6d31d04ddbc8add78ee474a8d96711c463c6039c8c7a18f0bb3a4969a2b60be13e681093df365b

Download Submit
C:\Windows\SysWOW64\Pfaigm32.exe

Filesize
144KB

MD5
d258ef40df654ea9473e676bbb3fbb89

SHA1
0f93a8d0116f402ca077d776258d9bc393d5ac1d

SHA256
4331e588f3c9249ede24d60c46ef7f41e1080a2334529a9c060c7c6915746093

SHA512
ee038baa63a8763016ff001441b560712599b483062a3776e0d58f466108a26542ebd8f3b9aa0dd10fdeca8530d6ee44f31dd5d7f38d9823e89f8abd41f26c59

Download Submit
C:\Windows\SysWOW64\Qceiaa32.exe

Filesize
144KB

MD5
6e7de8074ededa57294b03403869ad8c

SHA1
b44050ad54fb7522e983d2a5743d761c8a431f88

SHA256
39eee1f2b1ef19ec938b7d8722a6ee98ee2a66a79001cf7bd7c227d6eb65dcc9

SHA512
96afccfe68765245fab61c8fe013590e36dde717f4ba06d1a78cd6dbe0afc363c4b41c3e6f8279feb666a28f5e9243919d0d74a9fe397754d17637363a416acb

Download Submit
C:\Windows\SysWOW64\Qdbiedpa.exe

Filesize
144KB

MD5
24089e4650064d16ca9ced4646ec2bad

SHA1
9f9ac24ff46dae3a079cf8ffe270114c2131f387

SHA256
3bd3ffb8ac9e3e5e2167403b4cbef35bd3c1090a2340c63447dd864574c87ac3

SHA512
93ac23bd772a4619b32822660a9ba2fac4763c6ef754de1868d80daf5953340cef0fd99ddabb621e7819a4891826563461eb5ee8d8f5b8ea064400e73ee77cfb

Download Submit
C:\Windows\SysWOW64\Qfcfml32.exe

Filesize
144KB

MD5
24f86e46163d66ef2de862a863cb383b

SHA1
3bfd50d1322af2c9194a7deb3cbe9d0f2f53e7c7

SHA256
46cdb3297ae93f68b90c3b970f0cdafae1e46b592d4e453c6ee9bdf091d51921

SHA512
53c671b93623560d8fc8fa34e50cbad55107c00ac9cb60c3a4ef05838a3850a00953bbc82ae71cf7778c98c739562b61e15330fc0414af2b49ff9a603e3e739a

Download Submit
C:\Windows\SysWOW64\Qmkadgpo.exe

Filesize
144KB

MD5
ef893279ba81b31374a927368ca00db6

SHA1
8375457a823c415c8e336a92f35e044329e9075f

SHA256
9fd3748e2ab91507186468a7a46d8fc25414fbfec556502a7a69c3d5a8c5bd24

SHA512
eb2d6d3930a20eaf672a9ec77af10e24fa31054fb8c3d608e92847b362be24bd3acc9d3127edd2233cef7dd5021b3494db111dd0e7109044fc8b640f05566ad5

Download Submit
C:\Windows\SysWOW64\Qnjnnj32.exe

Filesize
144KB

MD5
5a849b69d2e751bdda2243a968d6fc03

SHA1
02f919ff693d416b3f55c3607112e920f9978d20

SHA256
462577d4736aa28c8046250f25f74db4106bbe202f0a036792c7cd836856da79

SHA512
18e7e65809105d8eee7eff9f194a1d54984764b940913a9e0c94cba0c818e07156260dfcabe13596253c4cdd3ba826278d9c355064b1fb71f246d9410547785d

Download Submit
C:\Windows\SysWOW64\Qqijje32.exe

Filesize
144KB

MD5
a480fc9c2a9e031ecc72518b99c0e956

SHA1
7ed4143aaecb4cbf2262033fd5faaba7cab07338

SHA256
f80031cc86d2e10cbf27a527cbe22476857371d307d6399d39014706cca36686

SHA512
a341901ee4e7b114fc749df0c2ea8ce5268eab502f6013226044d1b437f052aa2718a8e2ee0d804d11c16293d920882e451c86a25d150cba10ca7837dfa2b17c

Download Submit
memory/224-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/388-292-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/428-199-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/536-159-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/692-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/740-96-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/768-268-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/828-167-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/976-60-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1100-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1148-452-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1316-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1320-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1452-454-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1452-511-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1504-274-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1508-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1520-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1520-528-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1592-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1644-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1644-522-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1656-370-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1656-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1660-518-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1660-430-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1696-111-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1856-255-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1920-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1952-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1972-191-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1992-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2008-87-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2028-424-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2028-520-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2276-231-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2356-334-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2388-127-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2476-298-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2524-215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2568-280-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2672-262-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2904-536-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2904-376-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2920-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2944-542-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2944-358-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3024-532-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3024-388-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3040-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3084-496-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3084-498-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3116-466-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3116-507-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3340-239-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3372-151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3400-406-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3400-526-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3500-346-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3536-328-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3556-516-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3556-436-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3588-340-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3788-524-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3788-412-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3880-509-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3880-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3980-79-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4036-514-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4036-442-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4080-71-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4156-534-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4156-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4336-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4364-364-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4364-540-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4376-352-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4376-544-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4380-490-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4380-500-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4484-247-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4492-316-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4504-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4560-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4896-504-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4896-478-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4940-505-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4940-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4976-484-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4976-502-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4988-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5024-286-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5048-135-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5052-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5072-530-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5072-394-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5076-29-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads