4d660fbf1aa406db1de431278f8362d9a58f0267a657abe6089e74d4c1b46c01

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2024 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

badfce133753a04e97b649315c192b70N.exe
Size

81KB
MD5

badfce133753a04e97b649315c192b70
SHA1

ec7455c40663df8c7d3c509158659a5ba3b01642
SHA256

4d660fbf1aa406db1de431278f8362d9a58f0267a657abe6089e74d4c1b46c01
SHA512

1deea4df494181790857d706633b240abf324602b7e4f7458e374036789c7f2aac05e48c87e6019a4919703ae26ad149974e3ce4f46ead9e9ff7c9a3070064e4
SSDEEP

1536:B+WcMB+vrDfo7DDKCO4jEZAnF9OqeAnOu7m4LO++/+1m6KadhYxU33HX0L:IvrszHO44OF9OqeAOu/LrCimBaH8UH3M

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cegdnopg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajfhnjhq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajlhqjp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Calhnpgn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cnffqf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cfbkeh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Chcddk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	badfce133753a04e97b649315c192b70N.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ajanck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anadoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Beihma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Chokikeb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baicac32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bffkij32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dobfld32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Anogiicl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aglemn32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bjmnoi32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkedibe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cabfga32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cfpnph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqncedbp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bnkgeg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bcoenmao.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bcoenmao.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dmefhako.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aqppkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfhhoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dmefhako.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmbplc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapiabak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cabfga32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dfiafg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ageolo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Beglgani.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Danecp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	badfce133753a04e97b649315c192b70N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqppkd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aepefb32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afmhck32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ampkof32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aqncedbp.exe

Executes dropped EXE 64 IoCs

pid	Process
2528	Qjoankoi.exe
3404	Qmmnjfnl.exe
1580	Qgcbgo32.exe
2456	Ajanck32.exe
432	Ampkof32.exe
116	Adgbpc32.exe
540	Ageolo32.exe
3676	Ajckij32.exe
1748	Anogiicl.exe
740	Aqncedbp.exe
3640	Aclpap32.exe
4088	Ajfhnjhq.exe
5072	Anadoi32.exe
4580	Aqppkd32.exe
4884	Acnlgp32.exe
5048	Afmhck32.exe
3936	Andqdh32.exe
4732	Aeniabfd.exe
2228	Aglemn32.exe
2172	Ajkaii32.exe
4572	Aminee32.exe
696	Aepefb32.exe
2312	Agoabn32.exe
4188	Bjmnoi32.exe
4436	Bmkjkd32.exe
3076	Bebblb32.exe
3032	Bfdodjhm.exe
4312	Bnkgeg32.exe
2020	Baicac32.exe
1480	Bchomn32.exe
2140	Bffkij32.exe
3764	Bnmcjg32.exe
3308	Beglgani.exe
4780	Bgehcmmm.exe
516	Bfhhoi32.exe
3204	Bmbplc32.exe
4908	Beihma32.exe
1492	Bclhhnca.exe
2180	Bfkedibe.exe
2668	Bnbmefbg.exe
1560	Bapiabak.exe
3696	Bcoenmao.exe
4756	Cfmajipb.exe
2640	Cndikf32.exe
976	Cabfga32.exe
4720	Cenahpha.exe
2964	Cfpnph32.exe
4860	Cnffqf32.exe
1484	Cmiflbel.exe
3440	Caebma32.exe
232	Chokikeb.exe
5104	Cfbkeh32.exe
2776	Cmlcbbcj.exe
3848	Ceckcp32.exe
396	Cdfkolkf.exe
4828	Cfdhkhjj.exe
3108	Cnkplejl.exe
3952	Cajlhqjp.exe
1952	Chcddk32.exe
2144	Cnnlaehj.exe
1488	Calhnpgn.exe
4880	Cegdnopg.exe
4948	Dfiafg32.exe
2836	Djdmffnn.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Ajckij32.exe	Ageolo32.exe
File created	C:\Windows\SysWOW64\Ajkaii32.exe	Aglemn32.exe
File created	C:\Windows\SysWOW64\Jhbffb32.dll	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Jjjald32.dll	Danecp32.exe
File opened for modification	C:\Windows\SysWOW64\Cfdhkhjj.exe	Cdfkolkf.exe
File created	C:\Windows\SysWOW64\Danecp32.exe	Djdmffnn.exe
File opened for modification	C:\Windows\SysWOW64\Anogiicl.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Anadoi32.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Aminee32.exe	Ajkaii32.exe
File created	C:\Windows\SysWOW64\Agoabn32.exe	Aepefb32.exe
File opened for modification	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File created	C:\Windows\SysWOW64\Ajanck32.exe	Qgcbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Kofpij32.dll	Bgehcmmm.exe
File opened for modification	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Qeobam32.dll	Qgcbgo32.exe
File opened for modification	C:\Windows\SysWOW64\Bapiabak.exe	Bnbmefbg.exe
File created	C:\Windows\SysWOW64\Naeheh32.dll	Cnnlaehj.exe
File opened for modification	C:\Windows\SysWOW64\Dddhpjof.exe	Dhmgki32.exe
File opened for modification	C:\Windows\SysWOW64\Qmmnjfnl.exe	Qjoankoi.exe
File opened for modification	C:\Windows\SysWOW64\Bmkjkd32.exe	Bjmnoi32.exe
File created	C:\Windows\SysWOW64\Jjlogcip.dll	Beihma32.exe
File opened for modification	C:\Windows\SysWOW64\Cfbkeh32.exe	Chokikeb.exe
File created	C:\Windows\SysWOW64\Mnjgghdi.dll	Aeniabfd.exe
File created	C:\Windows\SysWOW64\Aepefb32.exe	Aminee32.exe
File created	C:\Windows\SysWOW64\Bjmnoi32.exe	Agoabn32.exe
File created	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File opened for modification	C:\Windows\SysWOW64\Ageolo32.exe	Adgbpc32.exe
File created	C:\Windows\SysWOW64\Anogiicl.exe	Ajckij32.exe
File created	C:\Windows\SysWOW64\Hpoddikd.dll	Acnlgp32.exe
File created	C:\Windows\SysWOW64\Echegpbb.dll	Afmhck32.exe
File created	C:\Windows\SysWOW64\Cnkplejl.exe	Cfdhkhjj.exe
File opened for modification	C:\Windows\SysWOW64\Dodbbdbb.exe	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Deokon32.exe	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Anadoi32.exe	Ajfhnjhq.exe
File created	C:\Windows\SysWOW64\Dhkjej32.exe	Delnin32.exe
File created	C:\Windows\SysWOW64\Amfoeb32.dll	Dodbbdbb.exe
File opened for modification	C:\Windows\SysWOW64\Bchomn32.exe	Baicac32.exe
File created	C:\Windows\SysWOW64\Alcidkmm.dll	Dfknkg32.exe
File created	C:\Windows\SysWOW64\Cegdnopg.exe	Calhnpgn.exe
File opened for modification	C:\Windows\SysWOW64\Aeniabfd.exe	Andqdh32.exe
File created	C:\Windows\SysWOW64\Bneljh32.dll	Bnkgeg32.exe
File created	C:\Windows\SysWOW64\Cndikf32.exe	Cfmajipb.exe
File opened for modification	C:\Windows\SysWOW64\Cenahpha.exe	Cabfga32.exe
File created	C:\Windows\SysWOW64\Bgehcmmm.exe	Beglgani.exe
File created	C:\Windows\SysWOW64\Eifnachf.dll	Cmlcbbcj.exe
File created	C:\Windows\SysWOW64\Dmjapi32.dll	Bffkij32.exe
File created	C:\Windows\SysWOW64\Cnffqf32.exe	Cfpnph32.exe
File opened for modification	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Fnmnbf32.dll	Dhkjej32.exe
File created	C:\Windows\SysWOW64\Mkfdhbpg.dll	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Mmnbeadp.dll	Bapiabak.exe
File opened for modification	C:\Windows\SysWOW64\Caebma32.exe	Cmiflbel.exe
File created	C:\Windows\SysWOW64\Calhnpgn.exe	Cnnlaehj.exe
File created	C:\Windows\SysWOW64\Bilonkon.dll	Cajlhqjp.exe
File created	C:\Windows\SysWOW64\Agjbpg32.dll	Djdmffnn.exe
File created	C:\Windows\SysWOW64\Ddmaok32.exe	Danecp32.exe
File created	C:\Windows\SysWOW64\Gidbim32.dll	Dobfld32.exe
File created	C:\Windows\SysWOW64\Kgngca32.dll	Qjoankoi.exe
File opened for modification	C:\Windows\SysWOW64\Aqppkd32.exe	Anadoi32.exe
File opened for modification	C:\Windows\SysWOW64\Bfkedibe.exe	Bclhhnca.exe
File created	C:\Windows\SysWOW64\Bnbmefbg.exe	Bfkedibe.exe
File created	C:\Windows\SysWOW64\Jffggf32.dll	Ceckcp32.exe
File opened for modification	C:\Windows\SysWOW64\Dobfld32.exe	Dfknkg32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1052	3708	WerFault.exe	165

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anogiicl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Andqdh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajlhqjp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ddmaok32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Acnlgp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Agoabn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajanck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqppkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cabfga32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfbkeh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnkplejl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfiafg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qgcbgo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgbpc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aqncedbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajfhnjhq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bebblb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmlcbbcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbdlf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfdodjhm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dobfld32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dhkjej32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qjoankoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afmhck32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bcoenmao.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfmajipb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	badfce133753a04e97b649315c192b70N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ajckij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anadoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bffkij32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beihma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmiflbel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dddhpjof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aepefb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnmcjg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Beglgani.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ceckcp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Chcddk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmefhako.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmkjkd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bnkgeg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapiabak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cfdhkhjj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Delnin32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dmllipeg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bjmnoi32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmbplc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkedibe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cndikf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baicac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdfkolkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Calhnpgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dodbbdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qmmnjfnl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ampkof32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aclpap32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aeniabfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cnffqf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Danecp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dfknkg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aglemn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aminee32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bclhhnca.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cenahpha.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeobam32.dll"	Qgcbgo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlena32.dll"	Andqdh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Andqdh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cnffqf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chempj32.dll"	badfce133753a04e97b649315c192b70N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	badfce133753a04e97b649315c192b70N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoqbfpfe.dll"	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjgghdi.dll"	Aeniabfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfbkeh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alcidkmm.dll"	Dfknkg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhmgki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dknpmdfc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qmmnjfnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bjmnoi32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phiifkjp.dll"	Bmkjkd32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjapi32.dll"	Bffkij32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flgehc32.dll"	Cenahpha.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chokikeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjngmo32.dll"	Cfdhkhjj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnnia32.dll"	Bchomn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfdahne.dll"	Cmiflbel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmiflbel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ceckcp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Djdmffnn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbdlf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiojlkkj.dll"	Aqncedbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfdodjhm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnkgeg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bnbmefbg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmolq32.dll"	Adgbpc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajckij32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ickfifmb.dll"	Aclpap32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clghpklj.dll"	Cnkplejl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dhkjej32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	badfce133753a04e97b649315c192b70N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgngca32.dll"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmbplc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dobfld32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amfoeb32.dll"	Dodbbdbb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpao32.dll"	Dgbdlf32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ageolo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbandkm.dll"	Bebblb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cfmajipb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bilonkon.dll"	Cajlhqjp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qjoankoi.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cenahpha.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	badfce133753a04e97b649315c192b70N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bclhhnca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Chcddk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naeheh32.dll"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ajanck32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkfdhbpg.dll"	Bfkedibe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cnnlaehj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cegdnopg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmnbf32.dll"	Dhkjej32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 2528	2812	badfce133753a04e97b649315c192b70N.exe	85
PID 2812 wrote to memory of 2528	2812	badfce133753a04e97b649315c192b70N.exe	85
PID 2812 wrote to memory of 2528	2812	badfce133753a04e97b649315c192b70N.exe	85
PID 2528 wrote to memory of 3404	2528	Qjoankoi.exe	86
PID 2528 wrote to memory of 3404	2528	Qjoankoi.exe	86
PID 2528 wrote to memory of 3404	2528	Qjoankoi.exe	86
PID 3404 wrote to memory of 1580	3404	Qmmnjfnl.exe	87
PID 3404 wrote to memory of 1580	3404	Qmmnjfnl.exe	87
PID 3404 wrote to memory of 1580	3404	Qmmnjfnl.exe	87
PID 1580 wrote to memory of 2456	1580	Qgcbgo32.exe	88
PID 1580 wrote to memory of 2456	1580	Qgcbgo32.exe	88
PID 1580 wrote to memory of 2456	1580	Qgcbgo32.exe	88
PID 2456 wrote to memory of 432	2456	Ajanck32.exe	89
PID 2456 wrote to memory of 432	2456	Ajanck32.exe	89
PID 2456 wrote to memory of 432	2456	Ajanck32.exe	89
PID 432 wrote to memory of 116	432	Ampkof32.exe	90
PID 432 wrote to memory of 116	432	Ampkof32.exe	90
PID 432 wrote to memory of 116	432	Ampkof32.exe	90
PID 116 wrote to memory of 540	116	Adgbpc32.exe	91
PID 116 wrote to memory of 540	116	Adgbpc32.exe	91
PID 116 wrote to memory of 540	116	Adgbpc32.exe	91
PID 540 wrote to memory of 3676	540	Ageolo32.exe	93
PID 540 wrote to memory of 3676	540	Ageolo32.exe	93
PID 540 wrote to memory of 3676	540	Ageolo32.exe	93
PID 3676 wrote to memory of 1748	3676	Ajckij32.exe	94
PID 3676 wrote to memory of 1748	3676	Ajckij32.exe	94
PID 3676 wrote to memory of 1748	3676	Ajckij32.exe	94
PID 1748 wrote to memory of 740	1748	Anogiicl.exe	95
PID 1748 wrote to memory of 740	1748	Anogiicl.exe	95
PID 1748 wrote to memory of 740	1748	Anogiicl.exe	95
PID 740 wrote to memory of 3640	740	Aqncedbp.exe	96
PID 740 wrote to memory of 3640	740	Aqncedbp.exe	96
PID 740 wrote to memory of 3640	740	Aqncedbp.exe	96
PID 3640 wrote to memory of 4088	3640	Aclpap32.exe	97
PID 3640 wrote to memory of 4088	3640	Aclpap32.exe	97
PID 3640 wrote to memory of 4088	3640	Aclpap32.exe	97
PID 4088 wrote to memory of 5072	4088	Ajfhnjhq.exe	99
PID 4088 wrote to memory of 5072	4088	Ajfhnjhq.exe	99
PID 4088 wrote to memory of 5072	4088	Ajfhnjhq.exe	99
PID 5072 wrote to memory of 4580	5072	Anadoi32.exe	100
PID 5072 wrote to memory of 4580	5072	Anadoi32.exe	100
PID 5072 wrote to memory of 4580	5072	Anadoi32.exe	100
PID 4580 wrote to memory of 4884	4580	Aqppkd32.exe	101
PID 4580 wrote to memory of 4884	4580	Aqppkd32.exe	101
PID 4580 wrote to memory of 4884	4580	Aqppkd32.exe	101
PID 4884 wrote to memory of 5048	4884	Acnlgp32.exe	102
PID 4884 wrote to memory of 5048	4884	Acnlgp32.exe	102
PID 4884 wrote to memory of 5048	4884	Acnlgp32.exe	102
PID 5048 wrote to memory of 3936	5048	Afmhck32.exe	103
PID 5048 wrote to memory of 3936	5048	Afmhck32.exe	103
PID 5048 wrote to memory of 3936	5048	Afmhck32.exe	103
PID 3936 wrote to memory of 4732	3936	Andqdh32.exe	104
PID 3936 wrote to memory of 4732	3936	Andqdh32.exe	104
PID 3936 wrote to memory of 4732	3936	Andqdh32.exe	104
PID 4732 wrote to memory of 2228	4732	Aeniabfd.exe	106
PID 4732 wrote to memory of 2228	4732	Aeniabfd.exe	106
PID 4732 wrote to memory of 2228	4732	Aeniabfd.exe	106
PID 2228 wrote to memory of 2172	2228	Aglemn32.exe	107
PID 2228 wrote to memory of 2172	2228	Aglemn32.exe	107
PID 2228 wrote to memory of 2172	2228	Aglemn32.exe	107
PID 2172 wrote to memory of 4572	2172	Ajkaii32.exe	108
PID 2172 wrote to memory of 4572	2172	Ajkaii32.exe	108
PID 2172 wrote to memory of 4572	2172	Ajkaii32.exe	108
PID 4572 wrote to memory of 696	4572	Aminee32.exe	109

C:\Users\Admin\AppData\Local\Temp\badfce133753a04e97b649315c192b70N.exe
"C:\Users\Admin\AppData\Local\Temp\badfce133753a04e97b649315c192b70N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Windows\SysWOW64\Qjoankoi.exe
  C:\Windows\system32\Qjoankoi.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\SysWOW64\Qmmnjfnl.exe
    C:\Windows\system32\Qmmnjfnl.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3404
  - - C:\Windows\SysWOW64\Qgcbgo32.exe
      C:\Windows\system32\Qgcbgo32.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1580
    - - C:\Windows\SysWOW64\Ajanck32.exe
        
        C:\Windows\system32\Ajanck32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2456
      - C:\Windows\SysWOW64\Ampkof32.exe
        
        C:\Windows\system32\Ampkof32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Windows\SysWOW64\Adgbpc32.exe
        
        C:\Windows\system32\Adgbpc32.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\SysWOW64\Ageolo32.exe
        
        C:\Windows\system32\Ageolo32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\SysWOW64\Ajckij32.exe
        
        C:\Windows\system32\Ajckij32.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\SysWOW64\Anogiicl.exe
        
        C:\Windows\system32\Anogiicl.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\SysWOW64\Aqncedbp.exe
        
        C:\Windows\system32\Aqncedbp.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:740
        
        C:\Windows\SysWOW64\Aclpap32.exe
        
        C:\Windows\system32\Aclpap32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3640
        
        C:\Windows\SysWOW64\Ajfhnjhq.exe
        
        C:\Windows\system32\Ajfhnjhq.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4088
        
        C:\Windows\SysWOW64\Anadoi32.exe
        
        C:\Windows\system32\Anadoi32.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5072
        
        C:\Windows\SysWOW64\Aqppkd32.exe
        
        C:\Windows\system32\Aqppkd32.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\SysWOW64\Acnlgp32.exe
        
        C:\Windows\system32\Acnlgp32.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\SysWOW64\Afmhck32.exe
        
        C:\Windows\system32\Afmhck32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\Andqdh32.exe
        
        C:\Windows\system32\Andqdh32.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3936
        
        C:\Windows\SysWOW64\Aeniabfd.exe
        
        C:\Windows\system32\Aeniabfd.exe
        19⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\SysWOW64\Aglemn32.exe
        
        C:\Windows\system32\Aglemn32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\Windows\SysWOW64\Ajkaii32.exe
        
        C:\Windows\system32\Ajkaii32.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\SysWOW64\Aminee32.exe
        
        C:\Windows\system32\Aminee32.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\SysWOW64\Aepefb32.exe
        
        C:\Windows\system32\Aepefb32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:696
        
        C:\Windows\SysWOW64\Agoabn32.exe
        
        C:\Windows\system32\Agoabn32.exe
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2312
        
        C:\Windows\SysWOW64\Bjmnoi32.exe
        
        C:\Windows\system32\Bjmnoi32.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4188
        
        C:\Windows\SysWOW64\Bmkjkd32.exe
        
        C:\Windows\system32\Bmkjkd32.exe
        26⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\Bebblb32.exe
        
        C:\Windows\system32\Bebblb32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3076
        
        C:\Windows\SysWOW64\Bfdodjhm.exe
        
        C:\Windows\system32\Bfdodjhm.exe
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3032
        
        C:\Windows\SysWOW64\Bnkgeg32.exe
        
        C:\Windows\system32\Bnkgeg32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\Baicac32.exe
        
        C:\Windows\system32\Baicac32.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\SysWOW64\Bchomn32.exe
        
        C:\Windows\system32\Bchomn32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\Bffkij32.exe
        
        C:\Windows\system32\Bffkij32.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2140
        
        C:\Windows\SysWOW64\Bnmcjg32.exe
        
        C:\Windows\system32\Bnmcjg32.exe
        33⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3764
        
        C:\Windows\SysWOW64\Beglgani.exe
        
        C:\Windows\system32\Beglgani.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3308
        
        C:\Windows\SysWOW64\Bgehcmmm.exe
        
        C:\Windows\system32\Bgehcmmm.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4780
        
        C:\Windows\SysWOW64\Bfhhoi32.exe
        
        C:\Windows\system32\Bfhhoi32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        
        PID:516
        
        C:\Windows\SysWOW64\Bmbplc32.exe
        
        C:\Windows\system32\Bmbplc32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3204
        
        C:\Windows\SysWOW64\Beihma32.exe
        
        C:\Windows\system32\Beihma32.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4908
        
        C:\Windows\SysWOW64\Bclhhnca.exe
        
        C:\Windows\system32\Bclhhnca.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Bfkedibe.exe
        
        C:\Windows\system32\Bfkedibe.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2180
        
        C:\Windows\SysWOW64\Bnbmefbg.exe
        
        C:\Windows\system32\Bnbmefbg.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2668
        
        C:\Windows\SysWOW64\Bapiabak.exe
        
        C:\Windows\system32\Bapiabak.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1560
        
        C:\Windows\SysWOW64\Bcoenmao.exe
        
        C:\Windows\system32\Bcoenmao.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3696
        
        C:\Windows\SysWOW64\Cfmajipb.exe
        
        C:\Windows\system32\Cfmajipb.exe
        44⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4756
        
        C:\Windows\SysWOW64\Cndikf32.exe
        
        C:\Windows\system32\Cndikf32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Windows\SysWOW64\Cabfga32.exe
        
        C:\Windows\system32\Cabfga32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:976
        
        C:\Windows\SysWOW64\Cenahpha.exe
        
        C:\Windows\system32\Cenahpha.exe
        47⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\Cfpnph32.exe
        
        C:\Windows\system32\Cfpnph32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2964
        
        C:\Windows\SysWOW64\Cnffqf32.exe
        
        C:\Windows\system32\Cnffqf32.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\Cmiflbel.exe
        
        C:\Windows\system32\Cmiflbel.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1484
        
        C:\Windows\SysWOW64\Caebma32.exe
        
        C:\Windows\system32\Caebma32.exe
        51⤵
        Executes dropped EXE
        
        PID:3440
        
        C:\Windows\SysWOW64\Chokikeb.exe
        
        C:\Windows\system32\Chokikeb.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:232
        
        C:\Windows\SysWOW64\Cfbkeh32.exe
        
        C:\Windows\system32\Cfbkeh32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\Cmlcbbcj.exe
        
        C:\Windows\system32\Cmlcbbcj.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\Ceckcp32.exe
        
        C:\Windows\system32\Ceckcp32.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3848
        
        C:\Windows\SysWOW64\Cdfkolkf.exe
        
        C:\Windows\system32\Cdfkolkf.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:396
        
        C:\Windows\SysWOW64\Cfdhkhjj.exe
        
        C:\Windows\system32\Cfdhkhjj.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\Cnkplejl.exe
        
        C:\Windows\system32\Cnkplejl.exe
        58⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3108
        
        C:\Windows\SysWOW64\Cajlhqjp.exe
        
        C:\Windows\system32\Cajlhqjp.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\Chcddk32.exe
        
        C:\Windows\system32\Chcddk32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\Cnnlaehj.exe
        
        C:\Windows\system32\Cnnlaehj.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Calhnpgn.exe
        
        C:\Windows\system32\Calhnpgn.exe
        62⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\Windows\SysWOW64\Cegdnopg.exe
        
        C:\Windows\system32\Cegdnopg.exe
        63⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\Dfiafg32.exe
        
        C:\Windows\system32\Dfiafg32.exe
        64⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4948
        
        C:\Windows\SysWOW64\Djdmffnn.exe
        
        C:\Windows\system32\Djdmffnn.exe
        65⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\Danecp32.exe
        
        C:\Windows\system32\Danecp32.exe
        66⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4368
        
        C:\Windows\SysWOW64\Ddmaok32.exe
        
        C:\Windows\system32\Ddmaok32.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Windows\SysWOW64\Dfknkg32.exe
        
        C:\Windows\system32\Dfknkg32.exe
        68⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1360
        
        C:\Windows\SysWOW64\Dobfld32.exe
        
        C:\Windows\system32\Dobfld32.exe
        69⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\Dmefhako.exe
        
        C:\Windows\system32\Dmefhako.exe
        70⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        
        PID:220
        
        C:\Windows\SysWOW64\Delnin32.exe
        
        C:\Windows\system32\Delnin32.exe
        71⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\Windows\SysWOW64\Dhkjej32.exe
        
        C:\Windows\system32\Dhkjej32.exe
        72⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\Dodbbdbb.exe
        
        C:\Windows\system32\Dodbbdbb.exe
        73⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4740
        
        C:\Windows\SysWOW64\Deokon32.exe
        
        C:\Windows\system32\Deokon32.exe
        74⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\Dhmgki32.exe
        
        C:\Windows\system32\Dhmgki32.exe
        75⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\Dddhpjof.exe
        
        C:\Windows\system32\Dddhpjof.exe
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:4600
        
        C:\Windows\SysWOW64\Dgbdlf32.exe
        
        C:\Windows\system32\Dgbdlf32.exe
        77⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\Dknpmdfc.exe
        
        C:\Windows\system32\Dknpmdfc.exe
        78⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\Dmllipeg.exe
        
        C:\Windows\system32\Dmllipeg.exe
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:3708
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3708 -s 404
        80⤵
        Program crash
        
        PID:1052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3708 -ip 3708
1⤵
PID:4400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aclpap32.exe

Filesize
81KB

MD5
b2c567a6c6a71140f9e73c2f2b102adb

SHA1
e43e9ce4d9ad4dada64aceb086b71df99b242be4

SHA256
f0c0a029274eb72ad923cb74870271a10f2dc194df4468660f5fb316e67c8dee

SHA512
3a70d393405ee19e827b24bf56f6a9aa505e29bb166e339f57f53282330b6355927a41048d11b644da10f3d12e986163fc64384245ec010f9ef9dcb1596a1e6b

Download Submit
C:\Windows\SysWOW64\Acnlgp32.exe

Filesize
81KB

MD5
39e5fd2229b778b89bb4d50d40be451f

SHA1
592cc51a41c5d18fb36639ce5a703de038a1c6da

SHA256
c4b994a849d233bc5d443dd879b06b294d0425f3b248b47510903a398ba77433

SHA512
156dc0882f194df8cb47a6a43ffc85600ebe9fdc604d40fc2ca004828723401a0dce9cad4964fb37cd7f801197c82540f7151e3501d2d8acbe0e34da676c8ffb

Download Submit
C:\Windows\SysWOW64\Adgbpc32.exe

Filesize
81KB

MD5
8e392ea5457572a0c40833433f068d59

SHA1
daae19bd719ffa60c738eeb06d8e62f94ef19d56

SHA256
f57d40ffa3dbb939fd72d8a7e460ff0f9cb4a40e49cc8f7a33c3bc4af76e40e8

SHA512
94c5ea7f32d476892035f8f1eebb27e8e6936c7c9379eb9bd944f1bb80a363a4cfff7dcf8da9b5fb496130b426c7ddb035cd87d5ab8e2936053d4b3a815cac88

Download Submit
C:\Windows\SysWOW64\Aeniabfd.exe

Filesize
81KB

MD5
0861f25db9739fa8c7e3e09455ba45d1

SHA1
b74fe74a9cb329051e767edef6d8f86f24bf487c

SHA256
db20734bc3c314e8b989623f261005f0e617f62cc4f9c760faab0a2fa7ff942d

SHA512
f647cbca03c623fc9771953817d08002df4515f9a2830e29d2f77411563c61879459d397d1e87ad45d8aeae03bd7fcd37c22812fca285ea27b84bf5b4dfa79d1

Download Submit
C:\Windows\SysWOW64\Aepefb32.exe

Filesize
81KB

MD5
b72eb33402d9013ee1a0d774eb4def96

SHA1
be80a774c8d5b5abf5966db99d9122c4da55a5bf

SHA256
4c0929ddfbbecee79390b241db4a5c46ed3264420a59bbcdf1657fabda3f237a

SHA512
13d7f027136f34ba403ac797892491e333387ae078827f4438cf1aba4f4eb6ad02ac6f8840bfdafb50d428aefd41b9b203ada74c8fb88c66da297b6ef684c7bb

Download Submit
C:\Windows\SysWOW64\Afmhck32.exe

Filesize
81KB

MD5
109106d6a3cf38e0d1a451395f114105

SHA1
71fedc0295f8df9ffaf0a108247e6a9f7e8258c1

SHA256
ead7f21af5687973d15733b1bcee5916cd7d99157518010a1bef041715e38636

SHA512
4f3f51078dd7b7491bef83d7291c0a8ea955daf89c019688c0506eb16052b56d381643fdc2abb7a41b471fa77f3951cd8afe191b58748efb72b77b0e79b55bee

Download Submit
C:\Windows\SysWOW64\Ageolo32.exe

Filesize
81KB

MD5
4206b8e8de8277c9820734c75c20d5cb

SHA1
18a314937385d20756d523d92fc467b9d2e11fb4

SHA256
9af215e8bd7e66dce60610acd1132df9d80db953b05821267fcc61bf757aea5c

SHA512
c5bf8aa131501522dc48d02b4ccc203cdc173813ee43068b3e97e8ee926b19fcc734011ae5b2a023ba1a42848ecf74fedee9d40484fc6ae4cc527d9691b4d094

Download Submit
C:\Windows\SysWOW64\Aglemn32.exe

Filesize
81KB

MD5
9e991f7face670345572fe823c944ce3

SHA1
26a7d0a31bad807845508bcfd7b3ed194901eafc

SHA256
e5f69a5b1d014d27b4c3d11bde7b7fdb822b804cf79f27a1a2c79b396c105435

SHA512
ee17d9774cea7c11600eaa6f0a5fbff23f8ae27ebe424ed349b3dfcb617c8d07f4424757c4b9af401c1338c30a8b4a52349732d78716df9c2d4a70aa59703110

Download Submit
C:\Windows\SysWOW64\Agoabn32.exe

Filesize
81KB

MD5
295cdc4fcc0e80166a6b094568b9a8eb

SHA1
bb78e4df74de8e2ca2e8e0eb008a98e8f33fe554

SHA256
00dea52211f65650e3db4cac7a5f0161cc866bbebdf2f423d1e5e9e0233ea6a0

SHA512
a7a5652253ad8a0d3e9571380af749ace263b67f51e25dfeaab3ce14e973339ee1b01925d67fd641359455fd2e107093c6545d6116fc450acfac945488fa7359

Download Submit
C:\Windows\SysWOW64\Ajanck32.exe

Filesize
81KB

MD5
12f8d667d5431f1093a3062b4b3962bd

SHA1
4e000eb27cc8073d254e7738a6a4dcf07821971d

SHA256
b4ac46afa70bd22f8b6a64f29ee94b0deec1aca1840f305c13d217f36f7d0faa

SHA512
6f5c7d04726483c5d3b7a13f4ac35579f513d2862986239f64621df6bc254b4f9ed08d10ab47abf2265ec5e0c573eb344d3d1132d94aafa402a48cd2e83a47c2

Download Submit
C:\Windows\SysWOW64\Ajckij32.exe

Filesize
81KB

MD5
a6d664de5796fafd72ff94ebd5e50469

SHA1
23bb9af8dd2ce4fdf6447d30917822e569cbee8e

SHA256
5bc7308bd4ef2c65ead8b3e08551911df7e837fb29c985c5cacad48f518cc0b0

SHA512
3f6da25d2b85b7f9df3362c219cc00e84c0416b25fc95b4855c2417ef733466191908d0890a2b7e1ee0d07e53f2b6ef09e5f116d77bced28e89e2590bea4ab0c

Download Submit
C:\Windows\SysWOW64\Ajfhnjhq.exe

Filesize
81KB

MD5
615dc1e098e80a970c4ad608326fc7a1

SHA1
f520ad6ee78742bd78175fc2f0a655f383d5ce40

SHA256
99bd481f8a57a02ec309c9232f64129f84616c9adee955b718f9e45440249eec

SHA512
a17447bac06f0ebcae69960683efbc1d38b1e5d61545befa1127e44927edf1baadf93c56cb9363873e06db03075dda250cc14b691e116639ad6fb1ba2a266506

Download Submit
C:\Windows\SysWOW64\Ajkaii32.exe

Filesize
81KB

MD5
86a2b103771c5793f62497267c8336b2

SHA1
6a9e2b1d43230b31b047854446de9ffdee2b1f18

SHA256
d82a0006423e36895176e7feadf144f0c39f18b533f2d4e8debb271bb5c2a212

SHA512
e5a4f836bbb7bbdd644d95cfa15d0783f8d84e3fc9c0c0db3e3b2fc56fb1d9c189a8a85f39264995ae995fcb5d6341c4f3e6958d563093b8d1646bd61d4018d3

Download Submit
C:\Windows\SysWOW64\Aminee32.exe

Filesize
81KB

MD5
c0b0b75d2cd20cbb5b1aee0730c1e4ad

SHA1
f1b05da894ac2719d58ca43edfae91d8fd91e5bd

SHA256
dee3cf25a0b30ecb6d1f48261201ba2d5e9e4e211e835426097cfd1f50eb9e8d

SHA512
8fcd267369b06affb805daf8dbe68ca367e8474e672d3c0a8b26f06573be7746580dfd20921c4f1c479535031e166b29718ecb9c0d6008df33f38c0fdf3c5ded

Download Submit
C:\Windows\SysWOW64\Ampkof32.exe

Filesize
81KB

MD5
43756f19002b62f43d01a74acb139c60

SHA1
1b13f8f2bf265bb0155c73193a80f9f7bcad0bbd

SHA256
6a68b513e8f246b84c49393e72104e7ad9e99515403ee8eab26955e78c5ef8e6

SHA512
ab2c8ab155e9ad942e263588ba7a46493ef372763a14470a19cb2720fdb247f67e97d2a9d74d9973442f1c93dd0d3a4786aeb36d4bc4ec963d85f22a85346b78

Download Submit
C:\Windows\SysWOW64\Anadoi32.exe

Filesize
81KB

MD5
48bf746303ea3f95b9118502dac664b3

SHA1
8c825bc12ebcfe716b1aaa6c8105fd7c4977db4a

SHA256
7a93daafb03b8ec891a85414fc7617d874b4adb357056cb952a8fb44f72e8c89

SHA512
032e725bf2215a86392a3c23654ef78265120b754d7ed5eb7a6513bed6adc1644c4aa2b478849db5ffcae26d583c19ca3c0c8e33f41539711e9d10a58cb1073a

Download Submit
C:\Windows\SysWOW64\Andqdh32.exe

Filesize
81KB

MD5
5210e5a143eb85f478d532065cb4b5a0

SHA1
d2c4d72f3657a4f667e95210d5876bf6acf41b8d

SHA256
0ec12de69fa5078bfdf84d93ce7fa26853af4cdfc963da5d03f2a8333a48eb11

SHA512
8f39f5a933255ea070b7910bbeb2ae4c64f0d6a1d8d478a7b619cfc882e9c8d7b181b251f40995d941759419d4e7676e8578fa97581fa6cd75df2471f6f74e37

Download Submit
C:\Windows\SysWOW64\Anogiicl.exe

Filesize
81KB

MD5
24192446bafa47c451ec16756b47bf5f

SHA1
105ce2e3e249f76e8ac0a69cb1bb568d6cd75a7a

SHA256
d76fbebc2d612065c6ac893d7a4bbc9f20fa6f3d8f7719773c727dd56a204214

SHA512
693816d3337d50d3dfa77bccf19b0ce68e6823de0675a98cba4a7d9ec6aa5f0a7802fe5cfac7aff485d6a39ec12bd2502fa13875b936e62dc1ad470157ea5b65

Download Submit
C:\Windows\SysWOW64\Aqncedbp.exe

Filesize
81KB

MD5
dbbb107ba72c9b4d51846efc15e6017c

SHA1
4b63513c22f3feedd3943f442f55e1fac6b5c6b8

SHA256
74d85257954d0a4a9b0e04d92549261b57514083ed53c946a8ea1d8bb7095840

SHA512
0005316230e3da27a51299e050c85a4077d925792927d1d12823e85d7ffb864be72b1110d87a53651338c15101684389e428c6b1ad371e90b69e2e77aea5c11b

Download Submit
C:\Windows\SysWOW64\Aqppkd32.exe

Filesize
81KB

MD5
d201bc975455a1f2e4203e4de3e966e6

SHA1
43c564161b80af0b291cfe184d0bde398a49b257

SHA256
c83ee9c04c42e8fe3ce9c6b5a5ce27a0d7e72bfd922b646bf9a909a251186ad9

SHA512
8b3536e000dd02a3357bfb0305e9f518cb36e845332b0d446adc6b522e1a36258fef4c0682f4d6bc9cf4252cc4f8857abcbb93ccccac20e5b71c1fb781ed7ccd

Download Submit
C:\Windows\SysWOW64\Baicac32.exe

Filesize
81KB

MD5
436a4ed1a0fdcbc502e0e894cfeeeaf9

SHA1
c9642bcb2aa36507b1f6207ac630e168d95e977b

SHA256
3501f87fa943cfff61bc94e309428c40bde14d59884869ad22ee0ea5f035ea38

SHA512
e0d08eecd67112cdb3095d9676b0c7c0e6c55e646df3ebb79bde35313d20e1d7061ecf838e14c9a137ed5991c06be614a6b09c9bec9019a1fee384a88e201508

Download Submit
C:\Windows\SysWOW64\Bchomn32.exe

Filesize
81KB

MD5
19d0fdcc29e1bf436d3a3354a376465a

SHA1
2e0f62cbde8401a5b8d198f32680213593540e23

SHA256
cff08737c982904e3615cd857ef66003b0e437fa6db0012cb25fa822940b5515

SHA512
7540aec338c1b1550669c6220557cf38728eb42dfa92f6ab0c97ef1067a87630ea3a5bb1146fc3157040547328289116648cfbc0f1571afdfc92ec068dc143f9

Download Submit
C:\Windows\SysWOW64\Bebblb32.exe

Filesize
81KB

MD5
65bec529a8fc3ebfd880c44309549792

SHA1
92c05cc60ef640c0885d95fea27242d35ef847e5

SHA256
c8c28c9a380f8f6df901a073e836429531dc15d9c80054a9873f7faf29918cbe

SHA512
125e91179d9db151c99f120cd3ee3296e803cffcdf0f95fc8e1e061cde87a3f7d96039e187e8cfbb362d9203963b573197c657b9ec9464caa5613f9a91d2935e

Download Submit
C:\Windows\SysWOW64\Bfdodjhm.exe

Filesize
81KB

MD5
ddeeed28b806acf2797bdc3982be20ab

SHA1
c6d1e2471be90b7eb691c34510e5123786fcee72

SHA256
9356b5099062370ad1ac3985f5845c1f14fe2c2d63d1fd01ed928723e45ba665

SHA512
020877b0cfde01c908cb7533e9ff5351266ebff5991f53c73faa75ad187c1a5269a43c7d9cdded889fa35e0909c9933bb871390e4bd074c4a8417bd7f397a11b

Download Submit
C:\Windows\SysWOW64\Bffkij32.exe

Filesize
81KB

MD5
8bc084dfecb65cd4a0e87adccda4b6ac

SHA1
af824e19483ac72787e2fa0c8e3cbcbb0110384a

SHA256
c0491758e8bddeb64c8e6c61e247bcf7d8f56935b34fbf020f06f6a65f146d3b

SHA512
14c215ac851bcef901168f2d18956533a123a658665e74b904788c3f584ac576c6bc754d90ebf9e2de6cc249c4e5d954bd1ece7f8f3ee3e47077350448055647

Download Submit
C:\Windows\SysWOW64\Bjmnoi32.exe

Filesize
81KB

MD5
5c278f9fb18d34656761f91ef2bdc5d4

SHA1
cf62d2ab4dd41e887bb6a54ba764b0a947e48256

SHA256
2ef30630e8e3b6f19795bf0a2d039d4a9a57f51e2ce072942710bf169b686ffb

SHA512
c06217a77adf6e7963acbf2923ee2fe809d8b1b356b82714ed6a6c316f54046d6b2ccf29b39ab6028ccdf47dfc9a39b2d762074812d2d15d7883471dc9ffb124

Download Submit
C:\Windows\SysWOW64\Bmkjkd32.exe

Filesize
81KB

MD5
04d32c6588a30d1c0919768577010438

SHA1
ebfd1f5fa21e026dfd279c9bcec6d4e180b60b59

SHA256
e86fc834619e7137c80e2fb586777f3c381d4c0f8242f3c8be861416ba5f7348

SHA512
254c1767da9e1a36e465f2afed151fb31986dacddf9634048c0a185674d95f9dde4b7070dd249d661d7188adf3dffb2904692cfd0d87f64a47c6de5b7c6d8be6

Download Submit
C:\Windows\SysWOW64\Bnkgeg32.exe

Filesize
81KB

MD5
588bc5bdb373238141b6609f111ece7d

SHA1
f0827dabcea3254abf6d33ad52cbcc52b3e6813a

SHA256
3e6650d60bf48c28fa6784e5e66e0eb3dd8c7a95fced567b0c31263ee03f03a5

SHA512
001b998dbe265edc96275da3951aaf47bcd766c3cd93378128ee99600941ee21f6bafea680362cb52582f6fb56cf97daf865bd1b6b446c3165f54f42ba7e71ac

Download Submit
C:\Windows\SysWOW64\Bnmcjg32.exe

Filesize
81KB

MD5
e3d70738b05a10f34e6431b1e244b01a

SHA1
56d6e2de404c8cb21071bbb37422292e1faf703f

SHA256
ad57409f5ba962e0b126d8db3a4a960488992696bcd3392a476d8c060fb8c891

SHA512
8b8f9a9d3428b3517cca8c1ff5c0377acc43329fa0e1ea43b4c0776ba894d3d087144c16dc12bf946855cb6fb97028bf2bc57e46aeea6e607607d4b00116ca06

Download Submit
C:\Windows\SysWOW64\Danecp32.exe

Filesize
81KB

MD5
44aa5a1483bfdaabfc5ed63ec17bd086

SHA1
35b1ccbdd0ba070f6afbaf77a2ce2209d1c4520e

SHA256
d4e288b963a571aa147f569b00475da47d235583e1839660590ab712ba74d811

SHA512
2c079f1cd607c4272c6309b93b5c228a84bd33d2a62b6f35a5491581ff1185cb046aea0f96fdd5ede7def317f4f04d3e20bcdab29aceeb23072558cab5dd952b

Download Submit
C:\Windows\SysWOW64\Dobfld32.exe

Filesize
81KB

MD5
94c9a2e4688dbe73f69f7b72406caf49

SHA1
5ad7a9f1413fe36431d427a60cd4d74299852cd5

SHA256
96f26e49bf5709b6597b8d2535ba567f49764a88f38189d8e5a8b81c5358732e

SHA512
8bd31d0821239e27d58f39fccfacc228236ddf6b6d61e6ef193d76c68d95a2045cdce0f034903801d5aca07ac7993480ef96ae847191ae5493417c00dc00a6f8

Download Submit
C:\Windows\SysWOW64\Qgcbgo32.exe

Filesize
81KB

MD5
9dc5503b6e86d0dc06b70c6d4ca20523

SHA1
510bb71048ca9eab8f01195bb398159b31598029

SHA256
7e84790ff422014552b277004b549f8bcd7ecc9dcac915ea9007bfef5120a4fe

SHA512
6cad4a9ea1914ef498588da318bcb47a9bda58a3373ed31158d47c8aba034b33c1064a99419cbfc256dcf2f1c034cb6cfa393e9493b96adb938db588f524ca53

Download Submit
C:\Windows\SysWOW64\Qjoankoi.exe

Filesize
81KB

MD5
e9295f5b61cee5de8fb3ea9588374a1d

SHA1
4a1cf00e6f71ed118a0db8cf148a75b1d43a7d40

SHA256
72ae1a6302e0dc25af6d0f6920483dddf7c0b6eea34cd4f97786dcd5bcaa27ba

SHA512
6c8402e3c4b19d85752066c42a39ccba03fa1960f0dbc2a5d87fe4513e649355392b0948e35cd8399bded1c77c9afc44e9d8821ece2f12f5ed1372bb3f84ea6a

Download Submit
C:\Windows\SysWOW64\Qmmnjfnl.exe

Filesize
81KB

MD5
682d8924617b2090eac855734cd94495

SHA1
2d645b3eb25aabad8970b0f930de443c7f574b6e

SHA256
6e3cdb585b96bfd78bf5f2d1154fe505510f9d2ab6565e2e0ebf9d8b4c7edf4b

SHA512
6b5359747a01a65b8a66e26aac20d9604a97c97d411a8b056456885dbc753362ae26756db7b6fb9741329495a92e64f5f02ae92d3a9b4ae345915c2884604f44

Download Submit
memory/116-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/220-479-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/220-553-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/232-371-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/396-395-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/432-40-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/516-275-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/540-56-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/696-176-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/740-80-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/976-335-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1360-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1360-557-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1480-241-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1484-362-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1488-435-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1492-293-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1560-311-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1580-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1748-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1952-419-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2020-232-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2140-248-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2144-425-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2172-160-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2180-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2228-153-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2312-189-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2456-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2528-8-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2640-329-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2644-461-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2644-559-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2668-305-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2776-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2812-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/2812-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2812-534-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2836-449-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2836-563-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2964-347-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3032-216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3076-208-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3108-411-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3148-503-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3148-545-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3204-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3208-491-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3208-549-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3308-263-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3404-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3440-365-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3556-543-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3556-509-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3640-88-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3676-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3696-321-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3708-533-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3708-537-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3764-257-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3848-393-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3936-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3952-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4088-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4188-193-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4312-225-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4320-525-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4368-455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4368-561-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4436-201-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4568-538-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4568-527-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4572-168-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4580-112-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4600-541-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4600-515-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4720-341-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4732-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4740-547-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4740-497-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4756-323-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4780-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4828-401-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4860-353-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4880-566-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4880-437-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4884-120-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4908-287-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4916-555-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4916-473-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4948-447-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4988-485-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4988-551-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5048-128-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5072-104-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5104-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads