ca8a60359f4bf166a89b64d88b0127cab5d96993e4fc53e56482678b31a3de16

Analysis

max time kernel
96s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-09-2024 00:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

737a93b095658884696bd0a6ae1499e0N.exe
Size

1.1MB
MD5

737a93b095658884696bd0a6ae1499e0
SHA1

25ca48b5c9d618ebda010de5119469182d9d4bfb
SHA256

ca8a60359f4bf166a89b64d88b0127cab5d96993e4fc53e56482678b31a3de16
SHA512

a0113a9ccb31ae18426a07ed4663f2b8ec227b661888784649c052783d42f2ba2cab3ac75c2c27a4d8630372cf830e5d45c558d65f356e846283e0d47684cd00
SSDEEP

12288:vkSV1hLrQg5Z/+zrWAIAqWim/+zrWAI5KFukEyDucEQX:vNhLrQg5ZmvFimm0HkEyDucEQX

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddmaok32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddonekbl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beeoaapl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bnmcjg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Caebma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmcibama.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjkjpgfi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Ddakjkqi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dddhpjof.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cjpckf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhfajjoj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Acjclpcf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Amgapeea.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfnjafap.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfiafg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bjagjhnc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beglgani.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnpppgdj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dejacond.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cmgjgcgo.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Cdcoim32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cjmgfgdf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmlcbbcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnpgb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Beihma32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ddakjkqi.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjddphlq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmjocp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnnlaehj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Dmjocp32.exe

Executes dropped EXE 64 IoCs

pid	Process
3400	Qjoankoi.exe
1904	Qmmnjfnl.exe
2316	Acjclpcf.exe
4556	Aeiofcji.exe
2124	Anadoi32.exe
1936	Amgapeea.exe
1300	Acqimo32.exe
2832	Bjmnoi32.exe
3420	Bmkjkd32.exe
512	Bfdodjhm.exe
3668	Bmngqdpj.exe
1748	Beeoaapl.exe
1672	Bgcknmop.exe
2996	Bjagjhnc.exe
536	Bnmcjg32.exe
4624	Balpgb32.exe
2328	Beglgani.exe
2284	Bgehcmmm.exe
4600	Bjddphlq.exe
5024	Bnpppgdj.exe
2508	Banllbdn.exe
3112	Beihma32.exe
4028	Bfkedibe.exe
1868	Bnbmefbg.exe
3528	Bmemac32.exe
2252	Belebq32.exe
2544	Chjaol32.exe
1520	Cfmajipb.exe
4824	Cndikf32.exe
3260	Cfpnph32.exe
4904	Cjkjpgfi.exe
2352	Cmiflbel.exe
808	Caebma32.exe
2200	Cdcoim32.exe
3820	Chokikeb.exe
5068	Cjmgfgdf.exe
3740	Cmlcbbcj.exe
5092	Cagobalc.exe
4204	Cdfkolkf.exe
1020	Cfdhkhjj.exe
4368	Cjpckf32.exe
1472	Cmnpgb32.exe
3752	Cajlhqjp.exe
4280	Cdhhdlid.exe
3232	Chcddk32.exe
4248	Cffdpghg.exe
2320	Cnnlaehj.exe
3184	Cmqmma32.exe
3004	Cegdnopg.exe
3396	Dhfajjoj.exe
4396	Dfiafg32.exe
4116	Dopigd32.exe
208	Dmcibama.exe
2836	Dejacond.exe
4276	Ddmaok32.exe
2740	Dfknkg32.exe
5108	Djgjlelk.exe
4620	Dmefhako.exe
4956	Daqbip32.exe
1244	Ddonekbl.exe
4052	Dfnjafap.exe
768	Dodbbdbb.exe
4936	Daconoae.exe
2280	Ddakjkqi.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Cdcoim32.exe	Caebma32.exe
File created	C:\Windows\SysWOW64\Chokikeb.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Lpggmhkg.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Dhfajjoj.exe	Cegdnopg.exe
File opened for modification	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Bobiobnp.dll	Dkkcge32.exe
File created	C:\Windows\SysWOW64\Aeiofcji.exe	Acjclpcf.exe
File opened for modification	C:\Windows\SysWOW64\Acqimo32.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Beglgani.exe	Balpgb32.exe
File opened for modification	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File opened for modification	C:\Windows\SysWOW64\Cjkjpgfi.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Dopigd32.exe	Dfiafg32.exe
File created	C:\Windows\SysWOW64\Ohmoom32.dll	Dmjocp32.exe
File opened for modification	C:\Windows\SysWOW64\Qjoankoi.exe	737a93b095658884696bd0a6ae1499e0N.exe
File created	C:\Windows\SysWOW64\Dchfiejc.dll	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Dmcibama.exe	Dopigd32.exe
File created	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Ddakjkqi.exe	Daconoae.exe
File created	C:\Windows\SysWOW64\Gifhkeje.dll	Daconoae.exe
File created	C:\Windows\SysWOW64\Bnpppgdj.exe	Bjddphlq.exe
File created	C:\Windows\SysWOW64\Flgehc32.dll	Cmgjgcgo.exe
File created	C:\Windows\SysWOW64\Ghilmi32.dll	Cdfkolkf.exe
File opened for modification	C:\Windows\SysWOW64\Cajlhqjp.exe	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Cffdpghg.exe	Chcddk32.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dfnjafap.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Akichh32.dll	Beeoaapl.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Cmqmma32.exe
File created	C:\Windows\SysWOW64\Dddhpjof.exe	Daekdooc.exe
File created	C:\Windows\SysWOW64\Gfnphnen.dll	Aeiofcji.exe
File created	C:\Windows\SysWOW64\Acqimo32.exe	Amgapeea.exe
File created	C:\Windows\SysWOW64\Fqjamcpe.dll	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Ddonekbl.exe	Daqbip32.exe
File created	C:\Windows\SysWOW64\Feibedlp.dll	Acjclpcf.exe
File created	C:\Windows\SysWOW64\Bfdodjhm.exe	Bmkjkd32.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Dmefhako.exe	Djgjlelk.exe
File created	C:\Windows\SysWOW64\Oammoc32.dll	Dodbbdbb.exe
File created	C:\Windows\SysWOW64\Dkkcge32.exe	Dhmgki32.exe
File created	C:\Windows\SysWOW64\Balpgb32.exe	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Cmlcbbcj.exe	Cjmgfgdf.exe
File created	C:\Windows\SysWOW64\Fpdaoioe.dll	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Chjaol32.exe	Belebq32.exe
File created	C:\Windows\SysWOW64\Daqbip32.exe	Dmefhako.exe
File opened for modification	C:\Windows\SysWOW64\Bmngqdpj.exe	Bfdodjhm.exe
File opened for modification	C:\Windows\SysWOW64\Cfmajipb.exe	Chjaol32.exe
File created	C:\Windows\SysWOW64\Caebma32.exe	Cmiflbel.exe
File opened for modification	C:\Windows\SysWOW64\Dfnjafap.exe	Ddonekbl.exe
File created	C:\Windows\SysWOW64\Dhmgki32.exe	Ddakjkqi.exe
File created	C:\Windows\SysWOW64\Chempj32.dll	737a93b095658884696bd0a6ae1499e0N.exe
File created	C:\Windows\SysWOW64\Leqcid32.dll	Bfdodjhm.exe
File created	C:\Windows\SysWOW64\Hfggmg32.dll	Bjddphlq.exe
File opened for modification	C:\Windows\SysWOW64\Chokikeb.exe	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Clghpklj.dll	Cmnpgb32.exe
File created	C:\Windows\SysWOW64\Iphcjp32.dll	Bnmcjg32.exe
File created	C:\Windows\SysWOW64\Cmiflbel.exe	Cjkjpgfi.exe
File opened for modification	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qjoankoi.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bjagjhnc.exe
File created	C:\Windows\SysWOW64\Gallfmbn.dll	Bmemac32.exe
File created	C:\Windows\SysWOW64\Dnieoofh.dll	Cdcoim32.exe
File created	C:\Windows\SysWOW64\Dfknkg32.exe	Ddmaok32.exe
File created	C:\Windows\SysWOW64\Beeppfin.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Gblnkg32.dll	Banllbdn.exe

Program crash 1 IoCs

pid	pid_target	Process
5196	2624	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acqimo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cffdpghg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmqmma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgcknmop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjddphlq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dejacond.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjagjhnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chokikeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjpckf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmcibama.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daqbip32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnbmefbg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chjaol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnnlaehj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acjclpcf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeiofcji.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgjgcgo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjkjpgfi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmjocp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banllbdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhmgki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	737a93b095658884696bd0a6ae1499e0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bgehcmmm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhfajjoj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Balpgb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmemac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cjmgfgdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dopigd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daconoae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnpppgdj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Belebq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caebma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdcoim32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Djgjlelk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dknpmdfc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amgapeea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmngqdpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfpnph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cegdnopg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddonekbl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gallfmbn.dll"	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghilmi32.dll"	Cdfkolkf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gifhkeje.dll"	Daconoae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dkkcge32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmnpgb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmjocp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll"	Bmngqdpj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eflgme32.dll"	Bgcknmop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gidbim32.dll"	Djgjlelk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Acqimo32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chokikeb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobiobnp.dll"	Dkkcge32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mglncdoj.dll"	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	737a93b095658884696bd0a6ae1499e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmmlba.dll"	Caebma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cdhhdlid.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Qmmnjfnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Chjaol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dejacond.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfnphnen.dll"	Aeiofcji.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bjddphlq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cdfkolkf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Beeoaapl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Anadoi32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bmemac32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Daconoae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	737a93b095658884696bd0a6ae1499e0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphcjp32.dll"	Bnmcjg32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bgehcmmm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogqfgka.dll"	Bnbmefbg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cmqmma32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Amgapeea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Banllbdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Cffdpghg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cffdpghg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Dhfajjoj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfdhkhjj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Banllbdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amjknl32.dll"	Daekdooc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcail32.dll"	Cmqmma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Bmkjkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfihel32.dll"	Belebq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjfhhm32.dll"	Cndikf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Cegdnopg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 3400	2228	737a93b095658884696bd0a6ae1499e0N.exe	83
PID 2228 wrote to memory of 3400	2228	737a93b095658884696bd0a6ae1499e0N.exe	83
PID 2228 wrote to memory of 3400	2228	737a93b095658884696bd0a6ae1499e0N.exe	83
PID 3400 wrote to memory of 1904	3400	Qjoankoi.exe	84
PID 3400 wrote to memory of 1904	3400	Qjoankoi.exe	84
PID 3400 wrote to memory of 1904	3400	Qjoankoi.exe	84
PID 1904 wrote to memory of 2316	1904	Qmmnjfnl.exe	85
PID 1904 wrote to memory of 2316	1904	Qmmnjfnl.exe	85
PID 1904 wrote to memory of 2316	1904	Qmmnjfnl.exe	85
PID 2316 wrote to memory of 4556	2316	Acjclpcf.exe	87
PID 2316 wrote to memory of 4556	2316	Acjclpcf.exe	87
PID 2316 wrote to memory of 4556	2316	Acjclpcf.exe	87
PID 4556 wrote to memory of 2124	4556	Aeiofcji.exe	88
PID 4556 wrote to memory of 2124	4556	Aeiofcji.exe	88
PID 4556 wrote to memory of 2124	4556	Aeiofcji.exe	88
PID 2124 wrote to memory of 1936	2124	Anadoi32.exe	91
PID 2124 wrote to memory of 1936	2124	Anadoi32.exe	91
PID 2124 wrote to memory of 1936	2124	Anadoi32.exe	91
PID 1936 wrote to memory of 1300	1936	Amgapeea.exe	92
PID 1936 wrote to memory of 1300	1936	Amgapeea.exe	92
PID 1936 wrote to memory of 1300	1936	Amgapeea.exe	92
PID 1300 wrote to memory of 2832	1300	Acqimo32.exe	93
PID 1300 wrote to memory of 2832	1300	Acqimo32.exe	93
PID 1300 wrote to memory of 2832	1300	Acqimo32.exe	93
PID 2832 wrote to memory of 3420	2832	Bjmnoi32.exe	94
PID 2832 wrote to memory of 3420	2832	Bjmnoi32.exe	94
PID 2832 wrote to memory of 3420	2832	Bjmnoi32.exe	94
PID 3420 wrote to memory of 512	3420	Bmkjkd32.exe	95
PID 3420 wrote to memory of 512	3420	Bmkjkd32.exe	95
PID 3420 wrote to memory of 512	3420	Bmkjkd32.exe	95
PID 512 wrote to memory of 3668	512	Bfdodjhm.exe	96
PID 512 wrote to memory of 3668	512	Bfdodjhm.exe	96
PID 512 wrote to memory of 3668	512	Bfdodjhm.exe	96
PID 3668 wrote to memory of 1748	3668	Bmngqdpj.exe	97
PID 3668 wrote to memory of 1748	3668	Bmngqdpj.exe	97
PID 3668 wrote to memory of 1748	3668	Bmngqdpj.exe	97
PID 1748 wrote to memory of 1672	1748	Beeoaapl.exe	98
PID 1748 wrote to memory of 1672	1748	Beeoaapl.exe	98
PID 1748 wrote to memory of 1672	1748	Beeoaapl.exe	98
PID 1672 wrote to memory of 2996	1672	Bgcknmop.exe	99
PID 1672 wrote to memory of 2996	1672	Bgcknmop.exe	99
PID 1672 wrote to memory of 2996	1672	Bgcknmop.exe	99
PID 2996 wrote to memory of 536	2996	Bjagjhnc.exe	100
PID 2996 wrote to memory of 536	2996	Bjagjhnc.exe	100
PID 2996 wrote to memory of 536	2996	Bjagjhnc.exe	100
PID 536 wrote to memory of 4624	536	Bnmcjg32.exe	101
PID 536 wrote to memory of 4624	536	Bnmcjg32.exe	101
PID 536 wrote to memory of 4624	536	Bnmcjg32.exe	101
PID 4624 wrote to memory of 2328	4624	Balpgb32.exe	102
PID 4624 wrote to memory of 2328	4624	Balpgb32.exe	102
PID 4624 wrote to memory of 2328	4624	Balpgb32.exe	102
PID 2328 wrote to memory of 2284	2328	Beglgani.exe	103
PID 2328 wrote to memory of 2284	2328	Beglgani.exe	103
PID 2328 wrote to memory of 2284	2328	Beglgani.exe	103
PID 2284 wrote to memory of 4600	2284	Bgehcmmm.exe	104
PID 2284 wrote to memory of 4600	2284	Bgehcmmm.exe	104
PID 2284 wrote to memory of 4600	2284	Bgehcmmm.exe	104
PID 4600 wrote to memory of 5024	4600	Bjddphlq.exe	105
PID 4600 wrote to memory of 5024	4600	Bjddphlq.exe	105
PID 4600 wrote to memory of 5024	4600	Bjddphlq.exe	105
PID 5024 wrote to memory of 2508	5024	Bnpppgdj.exe	106
PID 5024 wrote to memory of 2508	5024	Bnpppgdj.exe	106
PID 5024 wrote to memory of 2508	5024	Bnpppgdj.exe	106
PID 2508 wrote to memory of 3112	2508	Banllbdn.exe	107

C:\Users\Admin\AppData\Local\Temp\737a93b095658884696bd0a6ae1499e0N.exe
"C:\Users\Admin\AppData\Local\Temp\737a93b095658884696bd0a6ae1499e0N.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2228
- C:\Windows\SysWOW64\Qjoankoi.exe
  C:\Windows\system32\Qjoankoi.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3400
- - C:\Windows\SysWOW64\Qmmnjfnl.exe
    C:\Windows\system32\Qmmnjfnl.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1904
  - - C:\Windows\SysWOW64\Acjclpcf.exe
      C:\Windows\system32\Acjclpcf.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2316
    - - C:\Windows\SysWOW64\Aeiofcji.exe
        
        C:\Windows\system32\Aeiofcji.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4556
      - C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2124
        
        C:\Windows\SysWOW64\Amgapeea.exe
        
        C:\Windows\system32\Amgapeea.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\SysWOW64\Acqimo32.exe
        
        C:\Windows\system32\Acqimo32.exe
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:512
        
        C:\Windows\SysWOW64\Bmngqdpj.exe
        
        C:\Windows\system32\Bmngqdpj.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\Beeoaapl.exe
        
        C:\Windows\system32\Beeoaapl.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\Bgcknmop.exe
        
        C:\Windows\system32\Bgcknmop.exe
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\SysWOW64\Bjagjhnc.exe
        
        C:\Windows\system32\Bjagjhnc.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\SysWOW64\Balpgb32.exe
        
        C:\Windows\system32\Balpgb32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\SysWOW64\Bjddphlq.exe
        
        C:\Windows\system32\Bjddphlq.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\SysWOW64\Bnpppgdj.exe
        
        C:\Windows\system32\Bnpppgdj.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Banllbdn.exe
        
        C:\Windows\system32\Banllbdn.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3112
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1868
        
        C:\Windows\SysWOW64\Bmemac32.exe
        
        C:\Windows\system32\Bmemac32.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3528
        
        C:\Windows\SysWOW64\Belebq32.exe
        
        C:\Windows\system32\Belebq32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\Chjaol32.exe
        
        C:\Windows\system32\Chjaol32.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2544
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1520
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4824
        
        C:\Windows\SysWOW64\Cmgjgcgo.exe
        
        C:\Windows\system32\Cmgjgcgo.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1516
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3260
        
        C:\Windows\SysWOW64\Cjkjpgfi.exe
        
        C:\Windows\system32\Cjkjpgfi.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4904
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2352
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:808
        
        C:\Windows\SysWOW64\Cdcoim32.exe
        
        C:\Windows\system32\Cdcoim32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2200
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3820
        
        C:\Windows\SysWOW64\Cjmgfgdf.exe
        
        C:\Windows\system32\Cjmgfgdf.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5068
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        39⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3740
        
        C:\Windows\SysWOW64\Cagobalc.exe
        
        C:\Windows\system32\Cagobalc.exe
        40⤵
        Executes dropped EXE
        
        PID:5092
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4204
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1020
        
        C:\Windows\SysWOW64\Cjpckf32.exe
        
        C:\Windows\system32\Cjpckf32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4368
        
        C:\Windows\SysWOW64\Cmnpgb32.exe
        
        C:\Windows\system32\Cmnpgb32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        45⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3752
        
        C:\Windows\SysWOW64\Cdhhdlid.exe
        
        C:\Windows\system32\Cdhhdlid.exe
        46⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\Cffdpghg.exe
        
        C:\Windows\system32\Cffdpghg.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4248
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2320
        
        C:\Windows\SysWOW64\Cmqmma32.exe
        
        C:\Windows\system32\Cmqmma32.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3184
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        51⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3004
        
        C:\Windows\SysWOW64\Dhfajjoj.exe
        
        C:\Windows\system32\Dhfajjoj.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3396
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4396
        
        C:\Windows\SysWOW64\Dopigd32.exe
        
        C:\Windows\system32\Dopigd32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4116
        
        C:\Windows\SysWOW64\Dmcibama.exe
        
        C:\Windows\system32\Dmcibama.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:208
        
        C:\Windows\SysWOW64\Dejacond.exe
        
        C:\Windows\system32\Dejacond.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4276
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        58⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2740
        
        C:\Windows\SysWOW64\Djgjlelk.exe
        
        C:\Windows\system32\Djgjlelk.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4620
        
        C:\Windows\SysWOW64\Daqbip32.exe
        
        C:\Windows\system32\Daqbip32.exe
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4956
        
        C:\Windows\SysWOW64\Ddonekbl.exe
        
        C:\Windows\system32\Ddonekbl.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1244
        
        C:\Windows\SysWOW64\Dfnjafap.exe
        
        C:\Windows\system32\Dfnjafap.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4052
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:768
        
        C:\Windows\SysWOW64\Daconoae.exe
        
        C:\Windows\system32\Daconoae.exe
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\Ddakjkqi.exe
        
        C:\Windows\system32\Ddakjkqi.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2280
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        67⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:760
        
        C:\Windows\SysWOW64\Dkkcge32.exe
        
        C:\Windows\system32\Dkkcge32.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\Dmjocp32.exe
        
        C:\Windows\system32\Dmjocp32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\Daekdooc.exe
        
        C:\Windows\system32\Daekdooc.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        71⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:4392
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        72⤵
        Modifies registry class
        
        PID:4804
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        73⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:2624
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2624 -s 408
        75⤵
        Program crash
        
        PID:5196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2624 -ip 2624
1⤵
PID:5172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Acjclpcf.exe

Filesize
1.1MB

MD5
4150ca1b1b7df6fff2160d86504d5b53

SHA1
ee7b1b5882d2ebbaafdeb7701af7e671a4fc502d

SHA256
89b0e17b41161c8120252445b9ce93d46285db05a038cc7c7ce78fe15b2d27c4

SHA512
145ff69cf429aaf53609044fcd7786f8a5c22283a4948874aa848acf9a78b15cfb4fcda1e83fae1a1c8a75c80bcb631adc9ca328d255fc0bdc546d69910af275

Download Submit
C:\Windows\SysWOW64\Acqimo32.exe

Filesize
1.1MB

MD5
789eb07284b4e33bda58b682a109779e

SHA1
f957114e73f5a6676814931d89b9ed202c7c9124

SHA256
e423e9a1e9714bbdebdf688371a1e6756f1ebc658dcb0163416a5449a83f9033

SHA512
ec7cad16abcc462f8665909a3732c353faa5ec85cdbd285a1c56ac726747b7e911d4ca4faf15c2151a32a75bc01f68ddf18ee87c5e752992f8b95476338550fa

Download Submit
C:\Windows\SysWOW64\Aeiofcji.exe

Filesize
1.1MB

MD5
3ee815fa2a42d18aa767f237b451b7e0

SHA1
c00c003f83e74ae8506b017db8af4a389d8026bb

SHA256
b5e5c134538839854681b0f30d08b5928e1f8c7777d1f519ed1f2f67a1f0c27f

SHA512
2a5927c0c3fc32ca271d65b0c63d947eaaa2903525c546a45946fc400e7d16b2cdd34bb0d807439f66ffd4a107264ce83479f02117aa8f72fc1255e1610c99d8

Download Submit
C:\Windows\SysWOW64\Amgapeea.exe

Filesize
1.1MB

MD5
893ef263c2b9bb86601a4bbfc2ae2f03

SHA1
d45ef98063367b4dad6e2f5695f26b505826fc32

SHA256
931d073d33eb6c2afd85a79e2455ab25f44b5f909b57bf0a46963d904bdbb431

SHA512
f302fb39efcbe5017dc325d602cd49954e2eb33afc0e9a8a325923ac024e175ae9c04333ed9a6c689e0802be96c38c03f0c6a54ea7f166613a2871b8ed08c279

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
1.1MB

MD5
972cfabbb28438a66b35b590b046fc60

SHA1
3e2f4d7e855db11b13264e7b23946ec9f7488e93

SHA256
ab79496e25929f0039c2eb2aa6e05448d6646f89523a652a45fc84fece58e376

SHA512
df36c01ec69c4dbce8b6b521f65fe88ea697465aeca33655616f9c939c8f5780a4e77d952286deb87032b830ebd6732bd48ff19ef0685b488b1460bfb6c7a97a

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
1.1MB

MD5
c49e1ad5f786d91583e92adaa0990d68

SHA1
0251f1968cfeec6689a72a8431c64381fc4d74cd

SHA256
dd2d0b215eb84b07af2b994f30a022f95e3b9484c9a479e018cb93411022a034

SHA512
4d2cbe620760125a73dfdcbe2172eacb120a9705e315cb460a96d7f5497366cb9ae99c9d595c7540ca9358bdc43be4428c5ba93a616724e8473e25d3b23256f4

Download Submit
C:\Windows\SysWOW64\Balpgb32.exe

Filesize
1.1MB

MD5
eb23e72c2809f8abfacddb88bd8869da

SHA1
cd82091b0afa9dfd966f1537566079e827ee2de5

SHA256
4209ed658b86ec929eea517b28df694af92360738b80de01f2f00480333a19a1

SHA512
04e5d5984497a36f4e50515b99e5f80115c37fabcc16f8a87bbb73dbb8554aafd306f1cda962ebfdad83fa62c4ee4a740cc7b86537cde9417a755c3e9804539f

Download Submit
C:\Windows\SysWOW64\Banllbdn.exe

Filesize
1.1MB

MD5
909948187d1fd49b99812c23d524a573

SHA1
b00a3fe18b054f3346d778610e1994cc56d1da1b

SHA256
fb53e6731b66474159d6fa51c48a3a368f4100f3216b5cdb547471f24e3bfcca

SHA512
b2fc38354f34bf92bf8923ec6ea31a9ad72fba9a48efe3eb8fba732e2cdb229c4f6b47f042c4bf61f7e8e48fc7fd6db6543dbd4a22e32f4de429481d56a684db

Download Submit
C:\Windows\SysWOW64\Beeoaapl.exe

Filesize
1.1MB

MD5
5d16d516247334dd95e470d374dfd980

SHA1
2ff33e191bb218610c35bffdebc4b801a222506a

SHA256
4f70e5b7735935802fabfd6cafb47215da4659b228bcd09f18dc56e5dab0b2ad

SHA512
e724845db0099e21d6b1dafd67a9cf1962252cdcb06a3ac530d476f9a9e72ecbc983bf34a3bc6342d54041570e1c5f20a95cfb4e39dd901b2af1f66d53ad3888

Download Submit
C:\Windows\SysWOW64\Beglgani.exe

Filesize
1.1MB

MD5
c60d3def9e4423c95188b7ca1dc9196e

SHA1
affc39bb0a213e1ecea54a773b8b9a1eb1cc39e6

SHA256
e53273c7d6f2dfe003a732e9dff0644456d3745fcf4f87ab400e1d601e98b6d4

SHA512
203fc969967932c75256776451d27e9958bd325c4fa19874256e9fde899d3a42d15056b455e4fe12ed425546834a071ee9ad1179737e28e5ef8406bbc5ef0630

Download Submit
C:\Windows\SysWOW64\Beihma32.exe

Filesize
1.1MB

MD5
87f9c462a9204abd746377772abedb8c

SHA1
11d36b74f10dc1f4a16afd30b4e264d6c73a9a47

SHA256
800367e3969902e39f0be9c4b04004f027b2a9b2041cd02e348889e1ece216ff

SHA512
107c7a360f7f7f33ad71e9dec1bbbaf14b0a70acf2a38def0b96e722c5ecfc428a62bbbb731afca6654672ab710f04e0474d0859281103469ac2f145a55a6d8d

Download Submit
C:\Windows\SysWOW64\Belebq32.exe

Filesize
1.1MB

MD5
b593e6a2423b80e11c759909069a0ddc

SHA1
69890a0eeb7ee0ecdf52f20f9f86f64186a69391

SHA256
1a336d735a4ba59f6fad994872889287b45599e3109d8a202c4daa1a1b0e4093

SHA512
1bdb68bf217e8d764f9014989125cfcc5dfa43d0ba3340af8eeafbf183dcb1d4a67fe9e1fd5b130c5eba56cfb714bbe3575d0e1a7933cbd1c5f053cf354466bb

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
1.1MB

MD5
b766a64b67c9f3364ab664df72afb2f9

SHA1
01034e6f16cc92e78942e3dffc532d86ce2c5d21

SHA256
923ef29728008059bc210ee745ad622e5ffe6c3ca569b44dbb95fb3887c5b4b0

SHA512
555a19c8661367b7df64cf870ac1ed0228e7361e65a1ca2a01f9993e0a96fe651ea2fdd6450f0cb75be81e52366098faed8da8eeb7d2dadf7d840a1702cb53b3

Download Submit
C:\Windows\SysWOW64\Bfkedibe.exe

Filesize
1.1MB

MD5
007ce25b5f1735c9ac4c75905742b568

SHA1
625d9de6c3393e2524c64177dc540f08e5252cdc

SHA256
ebea531fcea7b81b32a5daebda49a3e74f5592ad9884aec4e84697c57628fb04

SHA512
2a8f591a400272169674cb3a4201e0d99fe8065ea64bc7d212fd0396e3387215d63453de8dd4fd3aa6a604fe44b8d582c61b68f418ad32fc7ee6c5c03d6c5425

Download Submit
C:\Windows\SysWOW64\Bgcknmop.exe

Filesize
1.1MB

MD5
07a473e99508910982e29fa684c7a072

SHA1
0d0471db2f0a77f3cd8460fd63a413e682fcbdb2

SHA256
a37423fc8f043510f74d332a04e3df2be707568c7636fbc8e1d4fef4e0a04860

SHA512
efdcddbcec52663cce72568fec614ebd99398e0872aceb4ed674707de3ff1c99cd637dea27315d68875b06c1a1f8718be57fa7e98cfa6c1db6f3d9941be640eb

Download Submit
C:\Windows\SysWOW64\Bgehcmmm.exe

Filesize
1.1MB

MD5
7050c92c38e74ba014b5c20b6d0ac284

SHA1
482011cad81ae59805057106056ce78090d1c19a

SHA256
220d9033f881f197ac466eb14fbb870ef77b9cd0666e593a76423fb866dcd7ca

SHA512
afd283fecd94634f613d20f8b3055ff9325d25e9d844d9138aff33c3eaddc04628ca233c9b16e9d5bd0d121ef00c617cb12b91d7be46882edc4e59e8f6ea09f2

Download Submit
C:\Windows\SysWOW64\Bjagjhnc.exe

Filesize
1.1MB

MD5
31d583d749088161f4a5916ce55b92b0

SHA1
82770a250523e1802aca97ca675d7fcea23120ab

SHA256
e209b5300a0d13dbc72d9b759efc2602b498036166851dc0964bb230f3347a7a

SHA512
7077e802ecdfeaa98eaf03a577f4557c07c969f4fa56b247df98f673c580543f3efaa6edbcf96a43db3172d8aa012cb6bb8e76322fc32652ba5445c242ef80a1

Download Submit
C:\Windows\SysWOW64\Bjddphlq.exe

Filesize
1.1MB

MD5
4d9c0209ee677c7fa6a342a14ec31a3c

SHA1
c3e7279af21e11d74480c0a9bf51c2f526899308

SHA256
0f7347c46be1c7241c5199b6f809f3f9b39efbcba2f116f5920f9ff2f4b61cbb

SHA512
81b44400e26280ac5b98cf87939a8129d7631a51b6a9a86277281f9a0912fe4b69db17ad89d5c68ba46a57c74c43dc919d2d4823bd4d67eb64dd256294355c7c

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
1.1MB

MD5
6b9e6791d7eab72331b9d5c961a7fd1a

SHA1
a9e05cba6bc2c586cac86289f71a6cf17084e645

SHA256
6b3515b6e939fa285d95ae575f5fcf083de7e1d42e55944903d5611713b7729a

SHA512
e8ec368be3386e3461c7539147e1397e6a5ad7f1c49222d9d7465bf32eed55031b8c01d72e4f58e2953d3a8b8970710de78ad7ead7b586e421b0d0e25d24dc5a

Download Submit
C:\Windows\SysWOW64\Bmemac32.exe

Filesize
1.1MB

MD5
ab02b4ee1903a2a30d0a977c27764abe

SHA1
7ff4a78f4b1045f6c06232b46dcab8dee3d1267b

SHA256
5dc875b95f1bb279a9b2371c50b4e638cdd33c4bdd70074f993255db5639a966

SHA512
d470086e6cd12e2b2d5d9329f218d452deb5949d1cf4338a1e00413ac6d1535e394e619292e30c12463c50c728e521e5ce9147ba99b7f3300bcdb1a82c44b548

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
1.1MB

MD5
04626657a9a9b9f3c8f8bf132f6703e0

SHA1
56f6aab885d87a06e5573edd1d293f43d0ba7280

SHA256
58b82098024c7018a4d7719a814e2ae31be237d9a78497ea3085f5346635298d

SHA512
6308dc94804471eee6c8220efa48ca28a3663ec7984a0f58a0dd6ff97f3edfc5113de467a51428b874b79c558921246134168ca7a7eb03a66d03e0a9b9f168a6

Download Submit
C:\Windows\SysWOW64\Bmngqdpj.exe

Filesize
1.1MB

MD5
c3b84cb22986c8a5aac8a9602142e97a

SHA1
2023f68a4eec008d294fae7ba1bf37029c0dd115

SHA256
3eb84768e9470d3099ddcb9a2b16d70803d7fa3b7cb14f7e77ae748f75746501

SHA512
18dcb124219eef8e9abb4879539dd332c78e9f1d4b5a0242638bc4c5c95d43f537f0146976f2899ebd52e04bc813189a552d111b28103c2b0f03e1eb304b687c

Download Submit
C:\Windows\SysWOW64\Bnbmefbg.exe

Filesize
1.1MB

MD5
58ce8c0ed920151e6341512cb229d4bb

SHA1
1b81b138d0126c7a31810ec7642a7d2343746791

SHA256
358d8db5103cb9e328cbc8e090ca87d0c438e36995863e3fbed69fba43cc4887

SHA512
b7b23a1cb91118ba31763fad9c8ad4f690fa5e5542f961fbd2933d7339d875f51a57d5f77b7f9e878fbef3cd404dc463a0373f1e9dcff6ac41db2b1e7825044e

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
1.1MB

MD5
b6cbd76e078bda24273dfa5f87208a0c

SHA1
ff760e9ce22d3ccd9470355c6c23c55a49e87490

SHA256
7f7c21ef708240438954640fae24cb40febe9e793390e187f9928fc93b052764

SHA512
bc4f2c88d9f8183e3fd6b997bb408aa1d1f7c1198018dc78c46483cd298fb308fe0af44da2707959225f42cf89ea3a74cec6b18c1948dde6980440c5f075e4a8

Download Submit
C:\Windows\SysWOW64\Bnpppgdj.exe

Filesize
1.1MB

MD5
4d23ce54639a474866e2256e3703d24a

SHA1
cbe83393e47255eb34d3d8a8814b85271f8d4a25

SHA256
31b62c987f1ae287a5f0fd6764d9b8ce9cc2b1dcc3f858d781bb557d23485a64

SHA512
8f7f1acf59cac860a0a435f7502ca02a6d673fdcadd8212c01a591393ff3188871ea8a7950ae9af8cadfd433750dc3fb9c2649b28acc3127ddb675bdd57820b7

Download Submit
C:\Windows\SysWOW64\Caebma32.exe

Filesize
1.1MB

MD5
218e0fa7ced11210133a4c22d8a6d7d9

SHA1
fab9735f31c155790bf28e1920c4c4a3c5b056ac

SHA256
6fefc6669a646884b15e6b8f98ba4e2c9d322d6f8d8ca7f7b1706b26951bdb77

SHA512
8df54e9f50580d1e1c72b84a3d132e3c950b229a87edd7687bafe30edcdd59cc02b5a9aa8ef8350690746306b096104a8b4c7b609a3f63ddc2162d468897c4e1

Download Submit
C:\Windows\SysWOW64\Cfmajipb.exe

Filesize
1.1MB

MD5
a6300fd93faed881d5c2540ed2d5b1ca

SHA1
c590235d8fc79028f2b463c7dca4e8d9d2a5cf28

SHA256
8abe8217e0a25e76829d1b16b6b118de926c5a5855ebd457f957f47c33c3f27e

SHA512
ed41dd8957f4589546c9dafa73cba284aba3d3eecad3324aa986cc9158b7011e69dd094c1b78e2bd190369646fe6d5c6129fc109bdf03d5141bb0d0f9821b92d

Download Submit
C:\Windows\SysWOW64\Cfpnph32.exe

Filesize
1.1MB

MD5
40bc63fc9968c4ed29c37ede9203ba87

SHA1
daa688cb3066147ada9c91db3132f4756568cc67

SHA256
68457cd3cec6c2aefe600ac500e90445e28a1fe6c8aafe0df8b437d93e3222dc

SHA512
ca2e85057bebac40c7fd0afc440019ad14bf5f6b96c3898450ce6d9b337b80a665fd95535d7bda0427fe428533aeeee51046082a56c735ecbdd977104077d30f

Download Submit
C:\Windows\SysWOW64\Chjaol32.exe

Filesize
1.1MB

MD5
32e193b1fab8e3c1f8b49f451b5aa2b1

SHA1
e97f14e048a7444e4ec52cee31d3425e27d02065

SHA256
fb11b011dd8169bc31d81783a0f987a8f7957ee05d3031a0b271b954e4bc236e

SHA512
45b205a51a685fe9b79c4ab445423c77686387d9f6f9fe1f6f43cd1a3df5381a07b06efd33f4fa9a589c47d1e2d20b73c9d17b0329752ca8a07458caae909f75

Download Submit
C:\Windows\SysWOW64\Cjkjpgfi.exe

Filesize
1.1MB

MD5
0e52565dd59d60125af72ca1102fa1c1

SHA1
a64e1b7a35c7e04812e75782cffb0c6e06bf775f

SHA256
efad443a036fb847c6a53a159ecdc9c24ea693ccea7e82892c4814d27d3d563c

SHA512
37c83a2f404e808b22b19bf28dacc1e3bd91349987055c1cbb9cbf661e510e2dd768c7063a3ecbce6fc0050effe65203c452a896de146d4fdd1abb093283b4cb

Download Submit
C:\Windows\SysWOW64\Cmiflbel.exe

Filesize
1.1MB

MD5
8f81b114396e864499295fc3268864f8

SHA1
d45f8e2c288eed1fad8366b0abdc694fc71f0568

SHA256
a8c1cb286c3d3c59d535bbebfdd70db66a9eeb53249a97840c69c964b40c4682

SHA512
15a77f6413db374f1597c2972f3cc2c9d2171746b00c1e21da0892396741f3949df57098dcb01facb1ed610436bfdaec86844287028a6efef58da7a0cf613510

Download Submit
C:\Windows\SysWOW64\Cndikf32.exe

Filesize
1.1MB

MD5
7b7c3f40af1021f4875c486561361156

SHA1
9628918b8b7a46bf76859ec798d31ba40964e445

SHA256
c3d79b1618c36b46538090de7d6bea2a0fcd473e8706d8bed13c35a29114ad21

SHA512
a134ce6ccc434d0bf8a65232e621440c441c1b7eeecc9f94edf2c26d8798ca21508251ce8f3f6210f2bc8d6076bac8e720b696adc6587f9f9b5ed7b91405847e

Download Submit
C:\Windows\SysWOW64\Gfnphnen.dll

Filesize
7KB

MD5
0310649c090e864ca4a874480e305926

SHA1
0730b8398effe343564a28e1eb82e569de029adc

SHA256
14f28f853405e3ed81fcc6a8d73c2ba91c0bbc2cfba13a9782dd9b8792f7f9bd

SHA512
89f8dd56bb292fba1dfae45a9454bcd0db0a908e083932ad5d189fe5737cef62c42abbf5ceeaea18b2ff56b21ebdd036750525a46a72575c69db66e5b910cb79

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
1.1MB

MD5
f708bf8bf9c4a87f106e13bc64478a9d

SHA1
27b6a10c2b7c4cdab44a9d04c153bf77a722eaa4

SHA256
01797be2ad12184358c89fa34b0196e67555982af8c264bf7475a3dc01313a53

SHA512
19fce354642f50f42d240daf799a0fd188af7f7e38a1b391a75d9edfc8b29171ce05dbab690c287e205b17d1270ebe253919b83348ae0a00027a3da9887de6a8

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
1.1MB

MD5
f896687eb16d7d56adfb7fb311ca7acf

SHA1
580631e8017316920a2d706dbcadff76ce1b4e7b

SHA256
04e2be8b0cd5990d106a82e39b96aeb07f39bb858f38735bf979d5f968d117d2

SHA512
ace211cd8e7675d0f1f0679d402e38da2df344da7e278e20f2c33df6cc1900b40a3b3c553918bd2b790e2923f345f15fa7b84ff94a64d17eef34d8ef1cbc65fb

Download Submit
memory/208-481-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/512-504-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/512-81-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/536-442-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/760-493-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/768-490-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/808-461-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/968-499-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1020-468-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1244-488-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1300-55-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1300-508-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1344-496-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1472-470-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1516-457-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1520-455-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1672-441-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1748-503-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1748-99-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1868-451-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1904-98-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1904-16-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1936-506-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1936-48-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2124-507-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2124-39-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2200-462-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2228-80-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2228-0-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2252-453-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2280-492-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2284-445-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2316-23-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2316-440-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2320-475-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2328-444-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2352-460-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2360-494-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2508-448-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2544-454-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2624-500-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2740-484-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2832-68-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2836-482-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2996-501-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3004-477-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3112-449-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3140-495-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3184-476-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3232-473-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3260-458-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3396-478-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3400-8-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3400-93-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3420-505-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3420-72-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3528-452-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3668-94-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3740-465-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3752-471-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3820-463-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4028-450-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4052-489-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4116-480-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4204-467-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4248-474-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4276-483-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4280-472-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4368-469-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4392-497-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4396-479-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4556-502-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4556-31-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4600-446-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4620-486-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4624-443-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4804-498-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4824-456-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4904-459-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4936-491-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/4956-487-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5024-447-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5068-464-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5092-466-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5108-485-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads