7a004fbdd71a4d50e351c7038cec65bc21e1e8cec59cc7fdf442c473219230d7

Analysis

max time kernel
125s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 19:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7a004fbdd71a4d50e351c7038cec65bc21e1e8cec59cc7fdf442c473219230d7.exe
Size

377KB
MD5

ebd49197022f173f637b842e47cfbc90
SHA1

aa83330639627b9ebc1ca22baca7d875d7b334f1
SHA256

7a004fbdd71a4d50e351c7038cec65bc21e1e8cec59cc7fdf442c473219230d7
SHA512

8a22fd2f258f9911e6d7388c0094b759c8e43b479e7bfc2a3887ac18d4abfe1e323f7c3e3d48e9017c6f863db0245533b7fb5275d64a7fe71d96150c5aac3b6b
SSDEEP

6144:at22aYlugiNaGSgnohijgAUv5fKx/SgnohignC5V:aM2qdMTv5i1dayV

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bapgdm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bbfmgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bpjmph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afhfaddk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bigbmpco.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Baepolni.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbhildae.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckpamabg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afappe32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aplaoj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adgmoigj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckbncapd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cgmhcaac.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dinael32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Banjnm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ckbncapd.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ciihjmcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ciihjmcj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpacqg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aidehpea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bdocph32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfmolc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Babcil32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bbfmgd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmnnimak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ccmcgcmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Caqpkjcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Baepolni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckdkhq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cmgqpkip.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cacmpj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Biklho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bmidnm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qfmfefni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Afappe32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmgqpkip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Dgbanq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aalmimfd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adjjeieh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Bfmolc32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdhffg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Dgpeha32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aabkbono.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Aibibp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aplaoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Adgmoigj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cpogkhnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Affikdfn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bdapehop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cajjjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckidcpjl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bfkbfd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cpogkhnl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ccmcgcmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Daeifj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Bmidnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cmbgdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ckggnp32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aidehpea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cbkfbcpb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Cdolgfbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Cacmpj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Aibibp32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Adjjeieh.exe

Executes dropped EXE 60 IoCs

pid	Process
4600	Qfmfefni.exe
116	Aabkbono.exe
1520	Afappe32.exe
4856	Aagdnn32.exe
4024	Abhqefpg.exe
1512	Aibibp32.exe
1048	Aplaoj32.exe
1376	Adgmoigj.exe
548	Affikdfn.exe
4372	Aidehpea.exe
4496	Aalmimfd.exe
4928	Adjjeieh.exe
3904	Afhfaddk.exe
2676	Bigbmpco.exe
4676	Banjnm32.exe
4204	Bdlfjh32.exe
4448	Bfkbfd32.exe
5024	Biiobo32.exe
1956	Bapgdm32.exe
1136	Bdocph32.exe
3124	Bfmolc32.exe
2012	Biklho32.exe
3576	Babcil32.exe
5000	Bdapehop.exe
4020	Bfolacnc.exe
3596	Bmidnm32.exe
3960	Baepolni.exe
1680	Bbfmgd32.exe
3788	Bmladm32.exe
1204	Bpjmph32.exe
3364	Bbhildae.exe
4476	Ckpamabg.exe
4228	Cmnnimak.exe
1736	Cajjjk32.exe
852	Cdhffg32.exe
5080	Cbkfbcpb.exe
1600	Ckbncapd.exe
1644	Cmpjoloh.exe
3496	Cpogkhnl.exe
3308	Ccmcgcmp.exe
3048	Ckdkhq32.exe
2516	Cmbgdl32.exe
3316	Cpacqg32.exe
2940	Cdmoafdb.exe
1592	Ckggnp32.exe
2796	Ciihjmcj.exe
1180	Caqpkjcl.exe
3324	Cdolgfbp.exe
1064	Cgmhcaac.exe
4492	Ckidcpjl.exe
2968	Cmgqpkip.exe
3860	Cacmpj32.exe
3652	Cdaile32.exe
4292	Dgpeha32.exe
1648	Dinael32.exe
5136	Daeifj32.exe
5176	Dphiaffa.exe
5208	Dcffnbee.exe
5248	Dgbanq32.exe
5284	Diqnjl32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ckidcpjl.exe	Cgmhcaac.exe
File created	C:\Windows\SysWOW64\Aplaoj32.exe	Aibibp32.exe
File created	C:\Windows\SysWOW64\Mgmqkimh.dll	Bdlfjh32.exe
File opened for modification	C:\Windows\SysWOW64\Bfolacnc.exe	Bdapehop.exe
File created	C:\Windows\SysWOW64\Bmidnm32.exe	Bfolacnc.exe
File created	C:\Windows\SysWOW64\Gkbilm32.dll	Cmpjoloh.exe
File opened for modification	C:\Windows\SysWOW64\Ccmcgcmp.exe	Cpogkhnl.exe
File created	C:\Windows\SysWOW64\Bfolacnc.exe	Bdapehop.exe
File created	C:\Windows\SysWOW64\Cgmhcaac.exe	Cdolgfbp.exe
File created	C:\Windows\SysWOW64\Dphiaffa.exe	Daeifj32.exe
File opened for modification	C:\Windows\SysWOW64\Afappe32.exe	Aabkbono.exe
File opened for modification	C:\Windows\SysWOW64\Cmnnimak.exe	Ckpamabg.exe
File created	C:\Windows\SysWOW64\Cbkfbcpb.exe	Cdhffg32.exe
File created	C:\Windows\SysWOW64\Fdakcc32.dll	Cbkfbcpb.exe
File created	C:\Windows\SysWOW64\Cdolgfbp.exe	Caqpkjcl.exe
File opened for modification	C:\Windows\SysWOW64\Cdolgfbp.exe	Caqpkjcl.exe
File created	C:\Windows\SysWOW64\Bdapehop.exe	Babcil32.exe
File opened for modification	C:\Windows\SysWOW64\Cmpjoloh.exe	Ckbncapd.exe
File opened for modification	C:\Windows\SysWOW64\Affikdfn.exe	Adgmoigj.exe
File opened for modification	C:\Windows\SysWOW64\Aalmimfd.exe	Aidehpea.exe
File created	C:\Windows\SysWOW64\Bigbmpco.exe	Afhfaddk.exe
File created	C:\Windows\SysWOW64\Bfkbfd32.exe	Bdlfjh32.exe
File opened for modification	C:\Windows\SysWOW64\Bapgdm32.exe	Biiobo32.exe
File created	C:\Windows\SysWOW64\Bdocph32.exe	Bapgdm32.exe
File opened for modification	C:\Windows\SysWOW64\Cpacqg32.exe	Cmbgdl32.exe
File created	C:\Windows\SysWOW64\Ckggnp32.exe	Cdmoafdb.exe
File created	C:\Windows\SysWOW64\Caqpkjcl.exe	Ciihjmcj.exe
File opened for modification	C:\Windows\SysWOW64\Dinael32.exe	Dgpeha32.exe
File created	C:\Windows\SysWOW64\Ciihjmcj.exe	Ckggnp32.exe
File created	C:\Windows\SysWOW64\Cacmpj32.exe	Cmgqpkip.exe
File opened for modification	C:\Windows\SysWOW64\Aibibp32.exe	Abhqefpg.exe
File created	C:\Windows\SysWOW64\Bfajnjho.dll	Adgmoigj.exe
File created	C:\Windows\SysWOW64\Afhfaddk.exe	Adjjeieh.exe
File created	C:\Windows\SysWOW64\Fcanfh32.dll	Biklho32.exe
File created	C:\Windows\SysWOW64\Ifcmmg32.dll	Bfolacnc.exe
File created	C:\Windows\SysWOW64\Cajjjk32.exe	Cmnnimak.exe
File opened for modification	C:\Windows\SysWOW64\Dphiaffa.exe	Daeifj32.exe
File opened for modification	C:\Windows\SysWOW64\Diqnjl32.exe	Dgbanq32.exe
File created	C:\Windows\SysWOW64\Aabkbono.exe	Qfmfefni.exe
File created	C:\Windows\SysWOW64\Ckpamabg.exe	Bbhildae.exe
File created	C:\Windows\SysWOW64\Fiplni32.dll	Ckggnp32.exe
File opened for modification	C:\Windows\SysWOW64\Ckdkhq32.exe	Ccmcgcmp.exe
File created	C:\Windows\SysWOW64\Daqfhf32.dll	Cpacqg32.exe
File created	C:\Windows\SysWOW64\Diqnjl32.exe	Dgbanq32.exe
File created	C:\Windows\SysWOW64\Bhkhop32.dll	Aibibp32.exe
File created	C:\Windows\SysWOW64\Gnhekleo.dll	Afhfaddk.exe
File created	C:\Windows\SysWOW64\Labnlj32.dll	Bbhildae.exe
File created	C:\Windows\SysWOW64\Dcffnbee.exe	Dphiaffa.exe
File created	C:\Windows\SysWOW64\Lpcgahca.dll	Cdaile32.exe
File created	C:\Windows\SysWOW64\Gpkehj32.dll	Affikdfn.exe
File opened for modification	C:\Windows\SysWOW64\Bfmolc32.exe	Bdocph32.exe
File opened for modification	C:\Windows\SysWOW64\Cdhffg32.exe	Cajjjk32.exe
File opened for modification	C:\Windows\SysWOW64\Abhqefpg.exe	Aagdnn32.exe
File opened for modification	C:\Windows\SysWOW64\Biklho32.exe	Bfmolc32.exe
File created	C:\Windows\SysWOW64\Daeifj32.exe	Dinael32.exe
File created	C:\Windows\SysWOW64\Ncmkcc32.dll	Aabkbono.exe
File created	C:\Windows\SysWOW64\Icifhjkc.dll	Aagdnn32.exe
File created	C:\Windows\SysWOW64\Affikdfn.exe	Adgmoigj.exe
File created	C:\Windows\SysWOW64\Lalceb32.dll	Bfmolc32.exe
File opened for modification	C:\Windows\SysWOW64\Ckbncapd.exe	Cbkfbcpb.exe
File created	C:\Windows\SysWOW64\Cdaile32.exe	Cacmpj32.exe
File created	C:\Windows\SysWOW64\Qfmfefni.exe	7a004fbdd71a4d50e351c7038cec65bc21e1e8cec59cc7fdf442c473219230d7.exe
File created	C:\Windows\SysWOW64\Inmalg32.dll	Qfmfefni.exe
File opened for modification	C:\Windows\SysWOW64\Afhfaddk.exe	Adjjeieh.exe

Program crash 1 IoCs

pid	pid_target	Process
5368	5284	WerFault.exe

System Location Discovery: System Language Discovery 1 TTPs 61 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adgmoigj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Babcil32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dcffnbee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfolacnc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cacmpj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bigbmpco.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biklho32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ccmcgcmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckbncapd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afhfaddk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmladm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cbkfbcpb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aibibp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfkbfd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbhildae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdolgfbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7a004fbdd71a4d50e351c7038cec65bc21e1e8cec59cc7fdf442c473219230d7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qfmfefni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aagdnn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgbanq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdocph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckdkhq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmbgdl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckidcpjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Baepolni.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmnnimak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdhffg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Abhqefpg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdaile32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmgqpkip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dgpeha32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aplaoj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Adjjeieh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bfmolc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bbfmgd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckpamabg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmpjoloh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cgmhcaac.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dinael32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Affikdfn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aalmimfd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdapehop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caqpkjcl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dphiaffa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cdmoafdb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ckggnp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ciihjmcj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpacqg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Diqnjl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aabkbono.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Banjnm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bpjmph32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bmidnm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Daeifj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aidehpea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Biiobo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bapgdm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afappe32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bdlfjh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cajjjk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cpogkhnl.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aalmimfd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdolgfbp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icifhjkc.dll"	Aagdnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilpgfc32.dll"	Bdocph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bfmolc32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Baepolni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnlhmpgg.dll"	Cajjjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bbfmgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodebo32.dll"	Cdmoafdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	7a004fbdd71a4d50e351c7038cec65bc21e1e8cec59cc7fdf442c473219230d7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	7a004fbdd71a4d50e351c7038cec65bc21e1e8cec59cc7fdf442c473219230d7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aagdnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aagdnn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afjpan32.dll"	Baepolni.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amoppdld.dll"	Bbfmgd32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdmoafdb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Daeifj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dgbanq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cajjjk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ccmcgcmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icpjna32.dll"	Caqpkjcl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dccfme32.dll"	Dgpeha32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adppeapp.dll"	Ckpamabg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ciihjmcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ciihjmcj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Dcffnbee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clbidkde.dll"	Cacmpj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aabkbono.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aibibp32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aidehpea.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Bdlfjh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Labnlj32.dll"	Bbhildae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ckbncapd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Daeifj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Aplaoj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Banjnm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcdbi32.dll"	Bapgdm32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bmladm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejnnldhi.dll"	Cdhffg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdakcc32.dll"	Cbkfbcpb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkodbfgo.dll"	Daeifj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	7a004fbdd71a4d50e351c7038cec65bc21e1e8cec59cc7fdf442c473219230d7.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	7a004fbdd71a4d50e351c7038cec65bc21e1e8cec59cc7fdf442c473219230d7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paenokbf.dll"	Aplaoj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Adjjeieh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bfmolc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdolgfbp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bbhildae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmbgdl32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faagecfk.dll"	Cgmhcaac.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpcgahca.dll"	Cdaile32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Qfmfefni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cpacqg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cmgqpkip.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbcolk32.dll"	Cpogkhnl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Cdmoafdb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qfmfefni.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Biklho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcanfh32.dll"	Biklho32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Babcil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Bpjmph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcominjm.dll"	Bpjmph32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Cdaile32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Dcffnbee.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 4600	1820	7a004fbdd71a4d50e351c7038cec65bc21e1e8cec59cc7fdf442c473219230d7.exe	90
PID 1820 wrote to memory of 4600	1820	7a004fbdd71a4d50e351c7038cec65bc21e1e8cec59cc7fdf442c473219230d7.exe	90
PID 1820 wrote to memory of 4600	1820	7a004fbdd71a4d50e351c7038cec65bc21e1e8cec59cc7fdf442c473219230d7.exe	90
PID 4600 wrote to memory of 116	4600	Qfmfefni.exe	91
PID 4600 wrote to memory of 116	4600	Qfmfefni.exe	91
PID 4600 wrote to memory of 116	4600	Qfmfefni.exe	91
PID 116 wrote to memory of 1520	116	Aabkbono.exe	92
PID 116 wrote to memory of 1520	116	Aabkbono.exe	92
PID 116 wrote to memory of 1520	116	Aabkbono.exe	92
PID 1520 wrote to memory of 4856	1520	Afappe32.exe	93
PID 1520 wrote to memory of 4856	1520	Afappe32.exe	93
PID 1520 wrote to memory of 4856	1520	Afappe32.exe	93
PID 4856 wrote to memory of 4024	4856	Aagdnn32.exe	94
PID 4856 wrote to memory of 4024	4856	Aagdnn32.exe	94
PID 4856 wrote to memory of 4024	4856	Aagdnn32.exe	94
PID 4024 wrote to memory of 1512	4024	Abhqefpg.exe	96
PID 4024 wrote to memory of 1512	4024	Abhqefpg.exe	96
PID 4024 wrote to memory of 1512	4024	Abhqefpg.exe	96
PID 1512 wrote to memory of 1048	1512	Aibibp32.exe	97
PID 1512 wrote to memory of 1048	1512	Aibibp32.exe	97
PID 1512 wrote to memory of 1048	1512	Aibibp32.exe	97
PID 1048 wrote to memory of 1376	1048	Aplaoj32.exe	98
PID 1048 wrote to memory of 1376	1048	Aplaoj32.exe	98
PID 1048 wrote to memory of 1376	1048	Aplaoj32.exe	98
PID 1376 wrote to memory of 548	1376	Adgmoigj.exe	99
PID 1376 wrote to memory of 548	1376	Adgmoigj.exe	99
PID 1376 wrote to memory of 548	1376	Adgmoigj.exe	99
PID 548 wrote to memory of 4372	548	Affikdfn.exe	100
PID 548 wrote to memory of 4372	548	Affikdfn.exe	100
PID 548 wrote to memory of 4372	548	Affikdfn.exe	100
PID 4372 wrote to memory of 4496	4372	Aidehpea.exe	101
PID 4372 wrote to memory of 4496	4372	Aidehpea.exe	101
PID 4372 wrote to memory of 4496	4372	Aidehpea.exe	101
PID 4496 wrote to memory of 4928	4496	Aalmimfd.exe	102
PID 4496 wrote to memory of 4928	4496	Aalmimfd.exe	102
PID 4496 wrote to memory of 4928	4496	Aalmimfd.exe	102
PID 4928 wrote to memory of 3904	4928	Adjjeieh.exe	103
PID 4928 wrote to memory of 3904	4928	Adjjeieh.exe	103
PID 4928 wrote to memory of 3904	4928	Adjjeieh.exe	103
PID 3904 wrote to memory of 2676	3904	Afhfaddk.exe	104
PID 3904 wrote to memory of 2676	3904	Afhfaddk.exe	104
PID 3904 wrote to memory of 2676	3904	Afhfaddk.exe	104
PID 2676 wrote to memory of 4676	2676	Bigbmpco.exe	105
PID 2676 wrote to memory of 4676	2676	Bigbmpco.exe	105
PID 2676 wrote to memory of 4676	2676	Bigbmpco.exe	105
PID 4676 wrote to memory of 4204	4676	Banjnm32.exe	106
PID 4676 wrote to memory of 4204	4676	Banjnm32.exe	106
PID 4676 wrote to memory of 4204	4676	Banjnm32.exe	106
PID 4204 wrote to memory of 4448	4204	Bdlfjh32.exe	107
PID 4204 wrote to memory of 4448	4204	Bdlfjh32.exe	107
PID 4204 wrote to memory of 4448	4204	Bdlfjh32.exe	107
PID 4448 wrote to memory of 5024	4448	Bfkbfd32.exe	108
PID 4448 wrote to memory of 5024	4448	Bfkbfd32.exe	108
PID 4448 wrote to memory of 5024	4448	Bfkbfd32.exe	108
PID 5024 wrote to memory of 1956	5024	Biiobo32.exe	109
PID 5024 wrote to memory of 1956	5024	Biiobo32.exe	109
PID 5024 wrote to memory of 1956	5024	Biiobo32.exe	109
PID 1956 wrote to memory of 1136	1956	Bapgdm32.exe	110
PID 1956 wrote to memory of 1136	1956	Bapgdm32.exe	110
PID 1956 wrote to memory of 1136	1956	Bapgdm32.exe	110
PID 1136 wrote to memory of 3124	1136	Bdocph32.exe	111
PID 1136 wrote to memory of 3124	1136	Bdocph32.exe	111
PID 1136 wrote to memory of 3124	1136	Bdocph32.exe	111
PID 3124 wrote to memory of 2012	3124	Bfmolc32.exe	112

C:\Users\Admin\AppData\Local\Temp\7a004fbdd71a4d50e351c7038cec65bc21e1e8cec59cc7fdf442c473219230d7.exe
"C:\Users\Admin\AppData\Local\Temp\7a004fbdd71a4d50e351c7038cec65bc21e1e8cec59cc7fdf442c473219230d7.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Windows\SysWOW64\Qfmfefni.exe
  C:\Windows\system32\Qfmfefni.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4600
- - C:\Windows\SysWOW64\Aabkbono.exe
    C:\Windows\system32\Aabkbono.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:116
  - - C:\Windows\SysWOW64\Afappe32.exe
      C:\Windows\system32\Afappe32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1520
    - - C:\Windows\SysWOW64\Aagdnn32.exe
        
        C:\Windows\system32\Aagdnn32.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4856
      - C:\Windows\SysWOW64\Abhqefpg.exe
        
        C:\Windows\system32\Abhqefpg.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4024
        
        C:\Windows\SysWOW64\Aibibp32.exe
        
        C:\Windows\system32\Aibibp32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\SysWOW64\Aplaoj32.exe
        
        C:\Windows\system32\Aplaoj32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\Adgmoigj.exe
        
        C:\Windows\system32\Adgmoigj.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Windows\SysWOW64\Affikdfn.exe
        
        C:\Windows\system32\Affikdfn.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\SysWOW64\Aidehpea.exe
        
        C:\Windows\system32\Aidehpea.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\SysWOW64\Aalmimfd.exe
        
        C:\Windows\system32\Aalmimfd.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4496
        
        C:\Windows\SysWOW64\Adjjeieh.exe
        
        C:\Windows\system32\Adjjeieh.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\SysWOW64\Afhfaddk.exe
        
        C:\Windows\system32\Afhfaddk.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3904
        
        C:\Windows\SysWOW64\Bigbmpco.exe
        
        C:\Windows\system32\Bigbmpco.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\Banjnm32.exe
        
        C:\Windows\system32\Banjnm32.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\SysWOW64\Bdlfjh32.exe
        
        C:\Windows\system32\Bdlfjh32.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Windows\SysWOW64\Bfkbfd32.exe
        
        C:\Windows\system32\Bfkbfd32.exe
        18⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\SysWOW64\Biiobo32.exe
        
        C:\Windows\system32\Biiobo32.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\SysWOW64\Bapgdm32.exe
        
        C:\Windows\system32\Bapgdm32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\SysWOW64\Bdocph32.exe
        
        C:\Windows\system32\Bdocph32.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\SysWOW64\Bfmolc32.exe
        
        C:\Windows\system32\Bfmolc32.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\SysWOW64\Biklho32.exe
        
        C:\Windows\system32\Biklho32.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\Babcil32.exe
        
        C:\Windows\system32\Babcil32.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3576
        
        C:\Windows\SysWOW64\Bdapehop.exe
        
        C:\Windows\system32\Bdapehop.exe
        25⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5000
        
        C:\Windows\SysWOW64\Bfolacnc.exe
        
        C:\Windows\system32\Bfolacnc.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4020
        
        C:\Windows\SysWOW64\Bmidnm32.exe
        
        C:\Windows\system32\Bmidnm32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3596
        
        C:\Windows\SysWOW64\Baepolni.exe
        
        C:\Windows\system32\Baepolni.exe
        28⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\Bbfmgd32.exe
        
        C:\Windows\system32\Bbfmgd32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\Bmladm32.exe
        
        C:\Windows\system32\Bmladm32.exe
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3788
        
        C:\Windows\SysWOW64\Bpjmph32.exe
        
        C:\Windows\system32\Bpjmph32.exe
        31⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1204
        
        C:\Windows\SysWOW64\Bbhildae.exe
        
        C:\Windows\system32\Bbhildae.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3364
        
        C:\Windows\SysWOW64\Ckpamabg.exe
        
        C:\Windows\system32\Ckpamabg.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4476
        
        C:\Windows\SysWOW64\Cmnnimak.exe
        
        C:\Windows\system32\Cmnnimak.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4228
        
        C:\Windows\SysWOW64\Cajjjk32.exe
        
        C:\Windows\system32\Cajjjk32.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\Cdhffg32.exe
        
        C:\Windows\system32\Cdhffg32.exe
        36⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:852
        
        C:\Windows\SysWOW64\Cbkfbcpb.exe
        
        C:\Windows\system32\Cbkfbcpb.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\Ckbncapd.exe
        
        C:\Windows\system32\Ckbncapd.exe
        38⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1600
        
        C:\Windows\SysWOW64\Cmpjoloh.exe
        
        C:\Windows\system32\Cmpjoloh.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1644
        
        C:\Windows\SysWOW64\Cpogkhnl.exe
        
        C:\Windows\system32\Cpogkhnl.exe
        40⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3496
        
        C:\Windows\SysWOW64\Ccmcgcmp.exe
        
        C:\Windows\system32\Ccmcgcmp.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3308
        
        C:\Windows\SysWOW64\Ckdkhq32.exe
        
        C:\Windows\system32\Ckdkhq32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3048
        
        C:\Windows\SysWOW64\Cmbgdl32.exe
        
        C:\Windows\system32\Cmbgdl32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2516
        
        C:\Windows\SysWOW64\Cpacqg32.exe
        
        C:\Windows\system32\Cpacqg32.exe
        44⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3316
        
        C:\Windows\SysWOW64\Cdmoafdb.exe
        
        C:\Windows\system32\Cdmoafdb.exe
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2940
        
        C:\Windows\SysWOW64\Ckggnp32.exe
        
        C:\Windows\system32\Ckggnp32.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Windows\SysWOW64\Ciihjmcj.exe
        
        C:\Windows\system32\Ciihjmcj.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Caqpkjcl.exe
        
        C:\Windows\system32\Caqpkjcl.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1180
        
        C:\Windows\SysWOW64\Cdolgfbp.exe
        
        C:\Windows\system32\Cdolgfbp.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3324
        
        C:\Windows\SysWOW64\Cgmhcaac.exe
        
        C:\Windows\system32\Cgmhcaac.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\Ckidcpjl.exe
        
        C:\Windows\system32\Ckidcpjl.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4492
        
        C:\Windows\SysWOW64\Cmgqpkip.exe
        
        C:\Windows\system32\Cmgqpkip.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\Cacmpj32.exe
        
        C:\Windows\system32\Cacmpj32.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3860
        
        C:\Windows\SysWOW64\Cdaile32.exe
        
        C:\Windows\system32\Cdaile32.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3652
        
        C:\Windows\SysWOW64\Dgpeha32.exe
        
        C:\Windows\system32\Dgpeha32.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4292
        
        C:\Windows\SysWOW64\Dinael32.exe
        
        C:\Windows\system32\Dinael32.exe
        56⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Windows\SysWOW64\Daeifj32.exe
        
        C:\Windows\system32\Daeifj32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5136
        
        C:\Windows\SysWOW64\Dphiaffa.exe
        
        C:\Windows\system32\Dphiaffa.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:5176
        
        C:\Windows\SysWOW64\Dcffnbee.exe
        
        C:\Windows\system32\Dcffnbee.exe
        59⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5208
        
        C:\Windows\SysWOW64\Dgbanq32.exe
        
        C:\Windows\system32\Dgbanq32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5248
        
        C:\Windows\SysWOW64\Diqnjl32.exe
        
        C:\Windows\system32\Diqnjl32.exe
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5284
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5284 -s 400
        62⤵
        Program crash
        
        PID:5368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5284 -ip 5284
1⤵
PID:5344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4132,i,13995403245988825027,7033610968827661507,262144 --variations-seed-version --mojo-platform-channel-handle=4256 /prefetch:8
1⤵
PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Aabkbono.exe

Filesize
377KB

MD5
5f0d4d466f8995c168c7b539d99cbdc2

SHA1
7b59ee3a4abbe708bb55af6582e7e561747cf4ee

SHA256
c9a56432838db3dae370bd1669047cd48b42532bdaeb81df5afd0b379ea7e508

SHA512
67bd281079c7d367f8f3ef2d92abeadd625a774fdf861a502b83889d23b36c278b88ab72da75dfeffcca6c9105d7eb0ed42eb12087bda3a59421e6d57f89be2c

Download Submit
C:\Windows\SysWOW64\Aagdnn32.exe

Filesize
377KB

MD5
7e885febfd5d617d32422ba2ff5a7fa2

SHA1
66d655438a8ff5bce4e4f0cf6217b15e436ac8a9

SHA256
5857ded62900ea141bf68118b9f376b51ec8ef2bc71dd031e863f86c014b68bb

SHA512
bd8713e2163ec9be881ec71cbb658d01d838289297d34c11bce1c57e0dd5797cb8b2fd4dc88bc43b3aa27fa6adf01f76fc0519873fe75097e7f140cd5dd65cc8

Download Submit
C:\Windows\SysWOW64\Aalmimfd.exe

Filesize
377KB

MD5
bfab26c606018db89649a4ad369b82bf

SHA1
0a4b4ae589f69560acccc494b2f5bfe08c5fc0df

SHA256
ad985d89bc8e1a5db2cfc99587e7834d567f288ee10840040fc45ed8528c372f

SHA512
8a873d65f33765366a6aa459b2a5d962e3c9ec6a0a28959025c776bf6c285680cd262030991bdfe12a353e4311c1488cf156577d9da5658f44ff3c628b0d3028

Download Submit
C:\Windows\SysWOW64\Abhqefpg.exe

Filesize
377KB

MD5
4436c04254cffbdb1a3d399312eac6d3

SHA1
ae032fd72f3aaa7414bb20d8ce0f617e58c4a974

SHA256
ec969d88841fe67c75bf15f4d1994bd6f6b3b248c82146d7c3379327ddd39e05

SHA512
f97279133518053aeb455a5d8dbf2d61d20668d814573f1ef1c6965df9873690ca22f2203db9dc474b8ae5bfcefd8aa535be6a70518b61b64176841497396532

Download Submit
C:\Windows\SysWOW64\Adgmoigj.exe

Filesize
377KB

MD5
98cbea873081d445e058f90cf8221a0a

SHA1
991d85043acb335f3b56831a14f4052a95b24d8d

SHA256
ee2fad318f8235e87e74b112ec9b1d8fe92c703b806ff147eef250576e34e8b2

SHA512
f4f7b5db28ddf800b5543c7f08de1a03d2e6b687ced09159da059f19ee7fea6c1674da37c550c5261cf3c3be79ad9d62abc55d81aa9284c48ba768c1d20d01ff

Download Submit
C:\Windows\SysWOW64\Adjjeieh.exe

Filesize
377KB

MD5
c086204bb064e847166bf9dced3413c9

SHA1
defba0a7c963ed6603fbe34800f9c38697263bf0

SHA256
c887befad3a9df41c79664cf33307dbcac719babf46d5bbe958d9bc7208156bd

SHA512
35e7edf3e072a9e421b6d4ee4b6d1edeb7f81745f1f9ce77031e7a7716a6b7e6f5334032afc6bf0d8fa024437318ef158991c8e47fa6574f208749e7fc185376

Download Submit
C:\Windows\SysWOW64\Afappe32.exe

Filesize
377KB

MD5
763c6f4f5c7b8227fd0e8c73f99c383e

SHA1
742652ceec406869dbc586be10606d172f091eda

SHA256
8f52c803e0d2815a28392b9cfb24e3e3057fc950f911958e94cfb11951533231

SHA512
c9f749880a7d9878e1826912ecb969fc462f103629b9d45a2c95502ea703f18a330723a68f4f331f2626c6ec35ef90795d38db3b08b4587c2f393c0a9dc481cf

Download Submit
C:\Windows\SysWOW64\Affikdfn.exe

Filesize
377KB

MD5
3870c7c8020b78f034b55903e1165884

SHA1
460de10ea71d135ab9d4111dc32fb8b40cea3953

SHA256
144b47444a218bddfaea4950d5028c32e5609d559434060dc26be9f0ed29e62e

SHA512
893947413e10784acffbb90d20b74e8b978a72d40d1120edb82abfce9f00cd2e9eef5f89926d058b4b50a7a5c5729c8cf3b0c94541c27abab8a45f473bcf41ed

Download Submit
C:\Windows\SysWOW64\Afhfaddk.exe

Filesize
377KB

MD5
34cf259bf0253e604c68aa8f3b6d7856

SHA1
e188c5cf065b3c45503b2dc17853a8a49739d934

SHA256
c2fa6bf5437ff4a487e316699c4a22a6bfc72710a5e4ca6591af559b66e034d6

SHA512
1fe4eb25fab4cd2d29dc3b1439a6c1bb3176952b8b08cf243cc898395f7a3d825f8415f0b95977be4f97c54f65e003eab9325888ec9c5e3e9ee73f3699a68a76

Download Submit
C:\Windows\SysWOW64\Aibibp32.exe

Filesize
377KB

MD5
a5c6fb22139f894422b1f68047a7b59b

SHA1
593bbbb7c0f59bed4e676bd960e68666534ecdf7

SHA256
d4c4332fa0ae7878cc40a48c441387bdd899085a0ef5dae389fea4e58e379dee

SHA512
424deef4bbb412a5039fb74f9bdca67ef3c4492186066dc4a757cc63f81004d0bae97be08a5c8e154781e4d6fe8706583ac44db96dec39113b58f6343cfd2629

Download Submit
C:\Windows\SysWOW64\Aidehpea.exe

Filesize
377KB

MD5
f335938c140000e43cec0e7d37a8547b

SHA1
56a28f222a43e3ffd1c0b128dff5d5fdbfaf2ac7

SHA256
b81277c0bb6a642c901b513885520d7b97d835337e0beb5cdbad5f6e5eb15472

SHA512
09bc5b739138add244615508c374d26d4c86fa3244dad0dadee52a05d5fc852fcc506308ce870077f70c062a4c27ce6eb54b696b2e4bc836a70689e79f95dc35

Download Submit
C:\Windows\SysWOW64\Aplaoj32.exe

Filesize
377KB

MD5
e68d6420d04c48086d5e2c0ac02074b1

SHA1
6350b0911bc6cfb4b22630a0464f338efd9b5088

SHA256
efd223e415a97bb7fa0f35122c45b1bad0ca2d142f5dca03ef0b0c2871e8fa52

SHA512
e15013eedad434efaf4d745fac5743889ebd41816e32bbb1b0512243802e338eb340b2a4ee8b8fd3ab52faea1ba6e7638384537b31b2c40879b2350459ef2721

Download Submit
C:\Windows\SysWOW64\Babcil32.exe

Filesize
377KB

MD5
83271fe6b2cbb5ac5158b02bcdbe2d32

SHA1
af1365214f60d1b63f069ceb616ab3145fc3b57d

SHA256
5949b2b2519b9ed4f55cc46f651f2749003ff9fb3d761c4903f7de48ce0ed72f

SHA512
63a34834a7e4b0131a5c65a3badd2f9886dd2eb92098d35e668e815c450ed028646740ef11ff07b3f1abd928fda1269199d3ab1cadcf0c0397ecbd5318677e72

Download Submit
C:\Windows\SysWOW64\Baepolni.exe

Filesize
377KB

MD5
ed51e5ef8c3c000b4cbffc87a21adc95

SHA1
444bae8b9672b57e880dff87964d20ea9fea02e2

SHA256
fb611226e2b8d5bc3ff73d068bda5c62538f23755cf6276d6fc03f0c37decbd5

SHA512
0721a3bcbb21747c8cb6c5663c9c18890a9bff96cc23d412a8d39d86837ae5960a136cd9b7ac9faa10d88532c263eab27eb83e7fd22fef0f6be48492d4257caf

Download Submit
C:\Windows\SysWOW64\Banjnm32.exe

Filesize
377KB

MD5
78053cdb4b7d17ae3f82970284186425

SHA1
1073c2d69363450589b6eebc85c2c9d0993ab9a4

SHA256
1e5edffa44145343ee237ab54afa6165a5e5980d0798d19eb87c8e4e5be64eab

SHA512
7630d91e907b7d904238a392cfb56bd28dc5ec644c8969426d48e6822e92b31c2c22c153fa140ce9af922fe183c27afca246d0751ae79319fb78a0508a8ca8a7

Download Submit
C:\Windows\SysWOW64\Bapgdm32.exe

Filesize
377KB

MD5
5adefe5c7081c9ce6040c304b6fa5225

SHA1
a58dd6624c565700c14ac11a73224bb0f54bd8af

SHA256
bdf9d577ca1d9568c11226fd24238b6f003ea3e482414debb455ce0f54a5f649

SHA512
5da48bf757ccbb909633079f56129f27a53535ba1c100ce1f1f9fcdc9613118d824ff3a4193036fd18ef582e1ccda58780b43f8eb0f6c773b3471305a317db4d

Download Submit
C:\Windows\SysWOW64\Bbfmgd32.exe

Filesize
377KB

MD5
02a7f1a6cf0f9d98ba3ecf45b84ca330

SHA1
45e1bb09bf6b64b3bb91712aaef49a589df48976

SHA256
67c69aa2c760dc359c6599f1498c0c9cfae21fa941d78502e551f584733e6822

SHA512
1d019aa00e6eb6c2bd2861c75830ebc8de0b33e6de5ca29bc3d528995c9b53b1d174984f039e02a41acdd59f35c94796cc437440d964ad809dc860d928276204

Download Submit
C:\Windows\SysWOW64\Bbhildae.exe

Filesize
377KB

MD5
96a0d797b8533a5331139b178b6c86e6

SHA1
c640b538df3f8515026538f2d13ccad2f0818529

SHA256
5eec72a889ebbf15721ecc2b0be161669c41f4f0c4738cfef819eb56894eed16

SHA512
7c7ac0b07980b66cdfd03189e596ff07525e3cc46418378ca4508c71bc85cb549d5dc108a91752b72511392791c388d7dabefdcb837324e9216616582001f643

Download Submit
C:\Windows\SysWOW64\Bdapehop.exe

Filesize
377KB

MD5
5cea4fee0fb61c2939b792cbd089a04b

SHA1
1b95888b97bebf859fc7df66cb601ac5a3e9f804

SHA256
239c9661c0fafa48f622f0dfa6202a8a3a4920f3f2c6a637b38df33f574d3256

SHA512
976f3646df21fc3ce4e539042aded430efc40753393a42dff2702f0b9f0a4a47e7508874cf6e5e3b1d4dddc9651698285da7eddf6598440e06a229c31aa55ec4

Download Submit
C:\Windows\SysWOW64\Bdlfjh32.exe

Filesize
377KB

MD5
9849c93e604838e128080a15f118f484

SHA1
4642945c20b3c3ef2a6c0d562430e75b4113092c

SHA256
3326ec2926ec8cb62012f99ce7579c79ba3a22f361782133460e5a5180a7d783

SHA512
0d5386a09c75de627ac6259ea24c518f57e584eb97878f8348056aa6fd9f6b0900bb5005c8cca705d0fbffd8438877614220dba794a8de33a392652aadb54533

Download Submit
C:\Windows\SysWOW64\Bdocph32.exe

Filesize
377KB

MD5
b77b2297a1cff17583330bd3f9301fae

SHA1
315a046da86bf12968a8623d4be399f229def196

SHA256
b0bf40f7acac83256c8ed8647e80d3a2157e7ba7e20cd96e29dc70a19bf06872

SHA512
6a9934ebbae1c60f7e377a88ab7f0c6f6e7a619b9cdee4e26bb54cd70f0b7be92ef55b186b1ffbadf006d7dbd96cdbe4ee24fc26f7434765569b9327ce0284b2

Download Submit
C:\Windows\SysWOW64\Bfkbfd32.exe

Filesize
377KB

MD5
f14cc58c84e05fcdfadaaa23e18d121a

SHA1
210311b0de1e7a3187af2d3b92ae00559e841a6c

SHA256
48b2fd7cd9e0d20c9653f8093c1380d00068d03d9fc6bb717c5894ec7af797e3

SHA512
ad1b7f4eca2c061200d5aa367b990764dc84be4566a72ba3202e541b406725e9c7588733db36e4b143a2c31d127c694d07cba48edf7c68103f06385db78acb70

Download Submit
C:\Windows\SysWOW64\Bfmolc32.exe

Filesize
377KB

MD5
a4001e1ac6c606c9d223064051bebb52

SHA1
2cae6e9438ff4bd2ce371d23035967ffc2ea39de

SHA256
ce10272e49818ea29b43cd69b4253c51598ac4247a034b9fdc3ff3fc74675e5b

SHA512
ead712aa5b040b248bae40edb0736e71c0f46959bc3b43481d28e362988b90b805485456d21c1ac845694af6f70bfa47efbacbe4b5b9be0ac7c6e0b9d3a905bf

Download Submit
C:\Windows\SysWOW64\Bfolacnc.exe

Filesize
377KB

MD5
b22595d06c8233d8847d89ae59fdfc78

SHA1
ac872ac09a50e1aa4d2efcf4231cef6a79d6e0ca

SHA256
3a3e1675a65719dfdd5468a9bf133ffbd44ad8def31cddbde11884b0f2b4672c

SHA512
f0eda6fbef91a5bcdc91e67e77717df811d215c487de5fe970945c7f66d8f1bb3af2b52f8cc71cd6734d290baf7862f97dc356f8fa8571c742814c22b9f7410e

Download Submit
C:\Windows\SysWOW64\Bigbmpco.exe

Filesize
377KB

MD5
936a1f82c585b3326f467665170f1adb

SHA1
7187de1fe79543bd774e7251c3b85a9da00c1a97

SHA256
3f44cbde7f8d443d3cd0bd229a2edc1e3bcb4a2b7056205ea850cf1f2b18b254

SHA512
c1aa2cdc98d70cba184df462cfbcb320b80c01ad0ad8a25ce6a00606c07710d5d61035873aa7dce5f8da834e373954adef8dc82b42845c19931d01b3a2df339e

Download Submit
C:\Windows\SysWOW64\Biiobo32.exe

Filesize
377KB

MD5
df37c29a76a9357ef6883fe30ff7a3b4

SHA1
2a81b7d847cb1323681b5996aa5fe4390d5bc6b7

SHA256
d81c027b73754997de9c5233d09dbaf023f6b85de9c7ec858c1fa7067e3954d2

SHA512
74ac093110e478fb1e6efa902cd641d701536348bb9aa07e91b6ac5afadcfa5a89416c278ae49ccb119e61e695d89991bf63443c73e769552bcf5ba0b5120aa0

Download Submit
C:\Windows\SysWOW64\Biklho32.exe

Filesize
377KB

MD5
33110c436f76740ca9424c6be1989986

SHA1
5c11985bbe2c23152753b6dcddf0a259e52757fd

SHA256
b4433cc21a15cba347a47a34de7dac95a915d12e4541d91b3d559724ad0ba129

SHA512
6321e02bda3e324737f98ff0942784dc9b55c5aa3667732fe59c9c7be888089ab6071836abf04e5c8cb63d9cdb0519392992aa01d03d8d7b6816ccc1b780e70e

Download Submit
C:\Windows\SysWOW64\Bmidnm32.exe

Filesize
377KB

MD5
0fbda6a25acb1209271b27670c92d40a

SHA1
06f4a5e014f8ec773ac56d9826da8e5f39912ca4

SHA256
c09f29742fcd5f67f6000391bee107366c0e02afabcdb6c0db09cb7756d89240

SHA512
eb662662ea7d69c5bba274a32bb391006f346c9ec2d4bf3150692879a6bfeed0bbf015e41484b424064fedc44c84dc33be90817f65dcbcd171e53b4921526cda

Download Submit
C:\Windows\SysWOW64\Bmladm32.exe

Filesize
377KB

MD5
38b51e79de2f29f2edb493f6c302740b

SHA1
d6ee2a8d803b2f1ae67638dd7be6eeaf257d5aa5

SHA256
2983255f6d8b856aa9cbdb78be6e63af7f29fa504c0f8a6861bc7f43ed6e01e9

SHA512
e1b5dec7808f792c41ce5c7847b1a49235f751cb1ab1fb6fc28c54b58a107aa7a4d0d329a89616c847e17e25bb8e03fea9419a6f1a8d3807ed505ba87da3d209

Download Submit
C:\Windows\SysWOW64\Bpjmph32.exe

Filesize
377KB

MD5
777da1ae7e945e1a5e660d68c9e44688

SHA1
3f7ba2fb431b2210015bdd05210c1de5e3f44bf4

SHA256
d215b837c2e2b6c7c1d2f0ab81d35d596c5f66a9788d2404a2b0af2cb5b9354a

SHA512
87f0497fc0ccacae55c5c59596563f08af8377dadb148a6b27366e70cba8038d19c66b2a659e569068bd3429531a47317342d20ae8d756bf6ae604af9bea259a

Download Submit
C:\Windows\SysWOW64\Ckpamabg.exe

Filesize
377KB

MD5
d1ce09c5b6663ff52f752787d5c82415

SHA1
3e6b7e3c720a5b0247711b80a3ada860652262c1

SHA256
aca0d77c7ccc59a0ef3fc2fca3071932138301a976c17689ec2c6e2a1ab7c544

SHA512
8720aa21a6d15b8568222d43d61c00a6f1cc08d108d576357f5917733a4273391fba3fa217242e70291003d3c5e2c1da9c75409c908fc593d659d903559f41ef

Download Submit
C:\Windows\SysWOW64\Qfmfefni.exe

Filesize
377KB

MD5
e3abf877323bf8f479d7493c4de3e95b

SHA1
3b5320f10102a0b743023ff06d43bb520c632021

SHA256
90eebe7ca4d3b5007c11115c4e61a5322e48858e0fd1bbced1d0b02947915a31

SHA512
06bd30c81a294b85a2d102cb34d6dd7b5e11098eac881563a93f1b9d7b8b8ec10d60ded80a762a99d0f7cf57c8e667de9de9a458ec22b94bf9b822138cfbaa82

Download Submit
memory/116-17-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/548-506-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/548-373-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/852-455-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1048-510-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1048-372-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1064-427-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1136-383-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1136-484-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1180-431-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1180-402-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1204-392-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1204-464-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1376-508-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1376-407-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1512-49-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1512-512-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1520-24-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1592-399-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1592-435-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1600-451-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1644-449-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1648-415-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1680-468-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1680-390-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1736-457-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1820-1-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/1820-0-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1956-382-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1956-486-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2012-384-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2012-480-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2516-441-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2516-396-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2676-378-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2676-496-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2796-401-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2796-433-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2940-437-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2968-423-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3048-395-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3048-443-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3124-482-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3308-445-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3308-394-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3316-439-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3316-397-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3324-429-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3324-403-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3364-462-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3496-447-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3576-385-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3576-478-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3596-388-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3596-472-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3652-419-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3788-466-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3788-391-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3860-421-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3904-377-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3904-498-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3960-389-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3960-470-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4020-387-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4020-474-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4024-514-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4024-45-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4204-380-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4204-492-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4228-459-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4228-393-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4292-417-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4372-504-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4372-374-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4448-490-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4448-381-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4492-425-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4496-375-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4496-502-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4600-9-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4676-379-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4676-494-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4856-516-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4856-38-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4928-376-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4928-500-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/5000-386-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/5000-476-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/5024-488-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/5080-453-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/5136-413-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/5176-411-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/5208-406-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/5208-409-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/5248-405-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/5284-400-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads